Versioning Production Settings

In deploying my latest side project, I came across a conundrum. How do you manage production-specific settings files (complete with passwords, API keys and other secrets), while still publishing the source code?

Until now, I've had unversioned production settings sitting around the file system. While this hasn't failed me yet, it's only a matter of time. Sensing an opportunity to derail a perfectly good deployment for another half hour, I've come up with what I think is a seemingly solid way to keep those production settings around: git submodules.

In my project, I've declared a git submodule, which contains a single file, representing the settings I wish to load in. The submodule, managed via gitosis, has special access control such that it can only be checked out by my local server. This is managed via ssh keys checked into an administrative gitosis repository.
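The access control described above could be expressed in gitosis.conf roughly as follows. This is an added example, not the configuration from this project: the repository names (myproject, myproject-settings) and key names (dev@laptop, deploy@prod) are assumptions, and it assumes a separate developer key is what pushes new settings.

```ini
# gitosis.conf in the gitosis-admin repository (constructed example).
# Member names match public key files in keydir/, e.g. keydir/deploy@prod.pub.
# The submodule URL in the project's .gitmodules would then look like
# git@git.example.com:myproject-settings.git (hypothetical host).

[gitosis]
# Defaults: do not export anything through gitweb or git-daemon.
gitweb = no
daemon = no

# The project itself: the developer key can push to it.
[group myproject-dev]
members = dev@laptop
writable = myproject

# The settings submodule: only the developer key can push new settings.
[group settings-write]
members = dev@laptop
writable = myproject-settings

# The production server key may fetch the settings but never push them.
[group settings-read]
members = deploy@prod
readonly = myproject-settings

# Keep the secrets repository off anonymous transports explicitly.
[repo myproject-settings]
gitweb = no
daemon = no
```

Any key that is not a member of one of the two settings groups is refused when it tries to fetch myproject-settings, which is what produces the access denied error on a clone from elsewhere.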

With this method, when the project gets redeployed on production, I can pull the submodule and I have a perfectly set up project again. When I'm testing, or someone else clones my repository, they get a base project and a submodule which gives them a read access denied error. Well worth the peace of mind that comes with not having unversioned files with data I don't remember littered around the file system.