Remove settings/prod.py from git — it's Ansible-generated, not a source file #1088

@rdhyee

Problem

settings/prod.py is tracked in git, but it's not actually a source file — it's generated by Ansible from roles/regluit_prod/templates/prod.py.j2 (in regluit-provisioning) with real credentials filled in from the vault.

This causes two problems:

  1. Permanently dirty git status on the production server. Ansible overwrites the git version with the live credentials version, so the file always shows as modified. This masks real changes and confuses anyone doing a git status on the server.

  2. The git version is stale and misleading. It references storages.backends.s3boto.S3BotoStorage (old) instead of s3boto3, uses MAIL_USE_TLS instead of EMAIL_USE_TLS, and is missing NOTIFICATION_LOCK_FILE, CELERY_LOG_DIR, GroupWriteRotatingFileHandler, and several Celery beat jobs that are in the current Ansible template. A developer reading the git version would get a false picture of what actually runs in production.

The source of truth for prod config is the Ansible template + vault, not this file.

Solution

In the regluit repo:

git rm --cached settings/prod.py
echo "settings/prod.py" >> .gitignore
git add .gitignore
git commit -m "Stop tracking settings/prod.py — Ansible-generated, not a source file"

This:

  • Removes the file from git tracking (leaves it on disk — Ansible will still generate it)
  • Adds it to .gitignore so it never accidentally gets committed again
  • Makes git status clean on the production server
  • Makes the Ansible template (prod.py.j2) the unambiguous source of truth

No changes needed to regluit-provisioning — Ansible writes the file regardless of whether git tracks it.

Verification

After the PR is merged and deployed:

  • git status on the production server should be clean (only venv/ and deploy/prod.wsgi as untracked, which are also Ansible artifacts and similarly harmless)
  • Ansible re-provisioning should work identically

Related

  • deploy/prod.wsgi is also Ansible-generated and untracked — this is already fine behavior. settings/prod.py should match that pattern.
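The Solution and Verification steps above, exercised in a throwaway repository. This is an added example, not code from the issue or the regluit project; the function names, the temporary repo and the placeholder credential are constructed for illustration.

```shell
#!/bin/sh
# Added example. Only settings/prod.py, .gitignore and the git commands come
# from the issue; everything else here is constructed.

# Return 0 only if path $2 in repo $1 exists on disk, is not tracked,
# is matched by an ignore rule, and does not show up in `git status`.
check_generated_file() {
    repo=$1; path=$2
    [ -f "$repo/$path" ] || { echo "missing on disk: $path"; return 1; }
    if git -C "$repo" ls-files --error-unmatch -- "$path" >/dev/null 2>&1; then
        echo "still tracked: $path"; return 1
    fi
    git -C "$repo" check-ignore -q -- "$path" || { echo "not ignored: $path"; return 1; }
    [ -z "$(git -C "$repo" status --porcelain -- "$path")" ] || { echo "dirty: $path"; return 1; }
    echo "ok: $path"
}

# Build a constructed repo that tracks settings/prod.py, then overwrite the
# file the way a provisioning run would (placeholder value, not a real secret).
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email demo@example.invalid
    git -C "$repo" config user.name demo
    mkdir "$repo/settings"
    echo "SECRET_KEY = ''" > "$repo/settings/prod.py"
    git -C "$repo" add settings/prod.py
    git -C "$repo" commit -q -m "track prod.py"
    echo "SECRET_KEY = 'PLACEHOLDER-from-vault'" > "$repo/settings/prod.py"
    echo "$repo"
}

# The fix from the issue, applied inside repo $1.
apply_fix() {
    ( cd "$1" &&
      git rm -q --cached settings/prod.py &&
      echo "settings/prod.py" >> .gitignore &&
      git add .gitignore &&
      git commit -q -m "Stop tracking settings/prod.py" )
}

demo=$(make_demo_repo)
check_generated_file "$demo" settings/prod.py || true   # before the fix
apply_fix "$demo"
check_generated_file "$demo" settings/prod.py || true   # after the fix
rm -rf "$demo"
```

On a checkout where the tracked file still carries local modifications, git refuses to merge a commit that deletes it, so the deploy step may need the file moved aside before the pull.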

Labels

  • layer:django (Django middleware/application layer)
  • status:ready-to-implement (Waiting on review/merge)
  • type:ops (Infrastructure and deployment work)
