deadstyle/infisical
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
13 commits 1 branch 0 tags 47 KiB
Find a file
Exact
Bob Parsons 440d2d47f9
All checks were successful
Deploy Infisical / deploy (push) Successful in 12s
Details
update the resources for the db
2025-12-31 20:42:08 -06:00
.gitea/workflows add smtp variables 2025-12-25 20:57:32 -06:00
.env.example setup deploy 2025-12-25 18:44:05 -06:00
.gitignore setup deploy 2025-12-25 18:44:05 -06:00
CLAUDE.md add smtp variables 2025-12-25 20:57:32 -06:00
docker-compose.yml update the resources for the db 2025-12-31 20:42:08 -06:00
README.md setup deploy 2025-12-25 18:44:05 -06:00

README.md

Infisical Deployment

Self-hosted Infisical secrets management platform deployed with Forgejo Actions and Traefik reverse proxy.

Architecture

  • Infisical Backend: Official Docker image
  • Redis: Cache and session management
  • PostgreSQL: External database at 192.168.86.203:5432
  • Traefik: Reverse proxy with Let's Encrypt SSL
  • Deployment: Forgejo Actions CI/CD

Prerequisites

  • Docker and Docker Compose installed on deployment server
  • Forgejo runner configured and running
  • Access to PostgreSQL server at 192.168.86.203:5432
  • Traefik reverse proxy running with Let's Encrypt configured

Initial Setup

1. Database Setup

Create the Infisical database and user on the PostgreSQL server (192.168.86.203):

CREATE DATABASE infisical;
CREATE USER infisical_user WITH ENCRYPTED PASSWORD 'your-secure-password';
GRANT ALL PRIVILEGES ON DATABASE infisical TO infisical_user;

-- Connect to the infisical database
\c infisical

GRANT ALL ON SCHEMA public TO infisical_user;

2. Generate Secrets

Generate cryptographically secure secrets for Infisical:

# Encryption key
openssl rand -base64 32

# Auth secret
openssl rand -base64 32

# JWT secret
openssl rand -base64 32

3. Configure Environment Variables

Copy .env.example to .env and update with your values:

cp .env.example .env
# Edit .env with your actual credentials and generated secrets

Important: Never commit the .env file to git.

4. Configure Forgejo Variables and Secrets

Variables (Repository Settings → Variables):

  • DB_HOST - PostgreSQL host (192.168.86.203)
  • DB_PORT - PostgreSQL port (5432)
  • DB_NAME - Database name (infisical)
  • DB_USER - Database user (infisical_user)
  • SITE_URL - Site URL (https://infisical.bobparsons.dev)

Secrets (Repository Settings → Secrets):

  • DB_PASSWORD - Database password
  • ENCRYPTION_KEY - Generated encryption key
  • AUTH_SECRET - Generated auth secret
  • JWT_SECRET - Generated JWT secret

5. Deploy

Push to the main branch to trigger deployment:

git add .
git commit -m "Initial Infisical deployment setup"
git push origin main

The Forgejo Actions workflow will:

  1. Create required Docker networks
  2. Pull the latest Infisical image
  3. Start Redis service
  4. Start Infisical backend
  5. Perform health checks
  6. Report deployment status

Admin User Creation

After successful deployment:

  1. Navigate to https://infisical.bobparsons.dev
  2. The first user to register will become the admin
  3. Complete the signup form
  4. Secure this account immediately with a strong password and 2FA

Accessing Infisical

Once deployed, access Infisical at:

Management Commands

View Logs

# Backend logs
docker logs infisical-backend -f

# Redis logs
docker logs infisical-redis -f

Restart Services

# Restart all services
docker compose -p infisical restart

# Restart specific service
docker compose -p infisical restart backend
docker compose -p infisical restart redis

Check Service Status

docker compose -p infisical ps

Update Infisical

To update to a new version:

  1. Update the image tag in docker-compose.yml: 
    image: infisical/infisical:v0.x.x
  2. Commit and push changes
  3. Forgejo Actions will deploy the new version

Troubleshooting

Services Not Starting

Check container logs:

docker logs infisical-backend --tail 100
docker logs infisical-redis --tail 100

Database Connection Issues

Verify database connectivity:

# From the deployment server
docker run --rm -it --network postgres-network postgres:14-alpine \
  psql -h 192.168.86.203 -p 5432 -U infisical_user -d infisical

Traefik Routing Issues

Check Traefik logs and verify the container labels:

docker inspect infisical-backend | grep -A 10 Labels

Reset Redis

If Redis data needs to be cleared:

docker compose -p infisical stop redis
docker volume rm infisical_infisical_redis_data
docker compose -p infisical up -d redis

Backup and Restore

Database Backup

Regular PostgreSQL backups of the infisical database should be performed:

pg_dump -h 192.168.86.203 -p 5432 -U infisical_user -d infisical > infisical_backup_$(date +%Y%m%d).sql

Redis Backup

Redis data is persisted in the infisical_redis_data volume:

docker run --rm -v infisical_infisical_redis_data:/data -v $(pwd):/backup \
  alpine tar czf /backup/redis_backup_$(date +%Y%m%d).tar.gz -C /data .

Restore Database

psql -h 192.168.86.203 -p 5432 -U infisical_user -d infisical < infisical_backup_20250101.sql

Security Considerations

  1. Secrets Management: All secrets use cryptographically secure random strings (32+ characters)
  2. HTTPS Only: All traffic encrypted via Traefik with Let's Encrypt certificates
  3. Database Security: PostgreSQL credentials stored in Forgejo secrets, never in code
  4. Admin Account: First user becomes admin - secure immediately
  5. Regular Updates: Keep Infisical image updated for security patches

Architecture Details

Networks

  • traefik: External network for Traefik reverse proxy
  • postgres-network: External network for PostgreSQL database access
  • infisical-network: Internal network for Infisical backend and Redis communication

Volumes

  • infisical_redis_data: Persistent Redis data storage

Resource Limits

  • Backend: 512M memory limit, 256M reservation
  • Redis: 256M memory limit, 128M reservation

Support

For Infisical-specific issues, refer to:

References