Bob Parsons aec0630a5a
updated to use shared DB and valkey
2026-03-28 10:55:24 -05:00

Infisical Deployment

Self-hosted Infisical secrets management platform deployed with Forgejo Actions and Traefik reverse proxy.

Architecture

  • Infisical Backend: Official Docker image
  • Valkey: Shared cache and session management on the external valkey-network
  • PostgreSQL: External database at 192.168.86.203:5432
  • Traefik: Reverse proxy with Let's Encrypt SSL
  • Deployment: Forgejo Actions CI/CD

Prerequisites

  • Docker and Docker Compose installed on deployment server
  • Forgejo runner configured and running
  • Access to PostgreSQL server at 192.168.86.203:5432
  • Shared Valkey instance running on valkey-network
  • Traefik reverse proxy running with Let's Encrypt configured

Initial Setup

1. Database Setup

Create the Infisical database and user on the PostgreSQL server (192.168.86.203):

CREATE DATABASE infisical;
CREATE USER infisical_user WITH ENCRYPTED PASSWORD 'your-secure-password';
GRANT ALL PRIVILEGES ON DATABASE infisical TO infisical_user;

-- Connect to the infisical database
\c infisical

GRANT ALL ON SCHEMA public TO infisical_user;

2. Generate Secrets

Generate cryptographically secure secrets for Infisical:

# Encryption key
openssl rand -base64 32

# Auth secret
openssl rand -base64 32

# JWT secret
openssl rand -base64 32

3. Configure Environment Variables

Copy .env.example to .env and update with your values:

cp .env.example .env
# Edit .env with your actual credentials and generated secrets

Important: Never commit the .env file to git.

4. Configure Forgejo Variables and Secrets

Variables (Repository Settings → Variables):

  • DB_HOST - PostgreSQL host (192.168.86.203)
  • DB_PORT - PostgreSQL port (5432)
  • DB_NAME - Database name (infisical)
  • DB_USER - Database user (infisical_user)
  • VALKEY_HOST - Shared Valkey host (valkey)
  • VALKEY_PORT - Shared Valkey port (6379)
  • VALKEY_DB - Reserved Valkey DB index for Infisical (3)
  • REDIS_URL - Optional full Redis URL override
  • SITE_URL - Site URL (https://infisical.bobparsons.dev)

Secrets (Repository Settings → Secrets):

  • DB_PASSWORD - Database password
  • ENCRYPTION_KEY - Generated encryption key
  • AUTH_SECRET - Generated auth secret
  • JWT_SECRET - Generated JWT secret

5. Deploy

Push to the main branch to trigger deployment:

git add .
git commit -m "Initial Infisical deployment setup"
git push origin main

The Forgejo Actions workflow will:

  1. Create required Docker networks
  2. Pull the latest Infisical image
  3. Start the Infisical backend connected to the shared Valkey instance
  4. Perform health checks
  5. Report deployment status

Admin User Creation

After a successful deployment, bootstrap the instance with an initial admin user and organization. Current Infisical releases provide an explicit bootstrap command for headless, self-hosted setup.

Example with the CLI:

infisical bootstrap \
  --domain=https://infisical.bobparsons.dev \
  --email=admin@bobparsons.dev \
  --password='<strong-admin-password>' \
  --organization='Bob Parsons'

This creates:

  • the initial admin user
  • the initial organization
  • an instance admin machine identity for follow-up automation

Treat the returned credentials and token as highly sensitive root-level material.

References:

Accessing Infisical

Once deployed, access Infisical at the configured SITE_URL, https://infisical.bobparsons.dev.

Management Commands

View Logs

# Backend logs
docker logs infisical-backend -f

# Shared Valkey logs
docker logs valkey -f

Restart Services

# Restart all services
docker compose -p infisical restart

# Restart specific service
docker compose -p infisical restart backend

Check Service Status

docker compose -p infisical ps

Valkey DB Assignment

This deployment follows the shared Valkey standard in /home/bobparsons/Development/valkey/README.md. The next available DB index in the current registry is 3, so this repo now defaults to VALKEY_DB=3.

Infisical connects through REDIS_URL. By default the compose file builds that URL as redis://valkey:6379/3, and you can change the DB index by updating VALKEY_DB or override the full URL with REDIS_URL.
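An added pre-deploy check (not part of this repo's workflow) that validates the values from steps 3 and 4 and composes REDIS_URL with the precedence this section describes. It assumes the variable names listed under "Configure Forgejo Variables and Secrets" and the 32-character minimum from "Security Considerations"; the 16-database limit is the Valkey/Redis default.

```shell
#!/bin/sh
# Added example, not the repository's own code. Run it in the deploy job before
# "docker compose up" so a bad .env or Forgejo variable fails fast.
set -u

# An explicit REDIS_URL wins; otherwise build redis://HOST:PORT/DB as the
# compose file does. $1=REDIS_URL override (may be empty) $2=host $3=port $4=db
build_redis_url() {
  if [ -n "$1" ]; then
    printf '%s\n' "$1"
  else
    printf 'redis://%s:%s/%s\n' "$2" "$3" "$4"
  fi
}

# Valkey ships with 16 logical databases (0-15). Reject anything else so a
# typo cannot land Infisical in another project's DB on the shared instance.
valid_db_index() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 0 ] && [ "$1" -le 15 ]
}

# "openssl rand -base64 32" yields 44 characters; the README's floor is 32+.
strong_enough() {
  [ "${#1}" -ge 32 ]
}

# SITE_URL must be https: Traefik terminates TLS and Infisical derives
# links and cookie settings from this value.
valid_site_url() {
  case "$1" in
    https://*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check the current environment; prints the effective REDIS_URL on success.
check_env() {
  valid_db_index "${VALKEY_DB:-}" || { echo "bad VALKEY_DB" >&2; return 1; }
  valid_site_url "${SITE_URL:-}" || { echo "SITE_URL must be https" >&2; return 1; }
  for name in ENCRYPTION_KEY AUTH_SECRET JWT_SECRET DB_PASSWORD; do
    eval "value=\${$name:-}"
    strong_enough "$value" || { echo "$name too short" >&2; return 1; }
  done
  url=$(build_redis_url "${REDIS_URL:-}" "${VALKEY_HOST:-valkey}" "${VALKEY_PORT:-6379}" "$VALKEY_DB")
  echo "REDIS_URL=$url"
}
```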

Update Infisical

To update to a new version:

  1. Update the image tag in docker-compose.yml:
     image: infisical/infisical:v0.x.x
  2. Commit and push changes
  3. Forgejo Actions will deploy the new version

Troubleshooting

Services Not Starting

Check container logs:

docker logs infisical-backend --tail 100
docker logs valkey --tail 100

Database Connection Issues

Verify database connectivity:

# From the deployment server
docker run --rm -it --network postgres-network postgres:14-alpine \
  psql -h 192.168.86.203 -p 5432 -U infisical_user -d infisical

Traefik Routing Issues

Check Traefik logs and verify the container labels:

docker inspect infisical-backend | grep -A 10 Labels

Reset Infisical Valkey DB

If Infisical's assigned Valkey DB needs to be cleared, target only that DB index on the shared instance:

docker exec -it valkey valkey-cli -n 3 FLUSHDB

Backup and Restore

Database Backup

Take regular PostgreSQL backups of the infisical database:

pg_dump -h 192.168.86.203 -p 5432 -U infisical_user -d infisical > infisical_backup_$(date +%Y%m%d).sql

Restore Database

psql -h 192.168.86.203 -p 5432 -U infisical_user -d infisical < infisical_backup_20250101.sql

Security Considerations

  1. Secrets Management: All secrets use cryptographically secure random strings (32+ characters)
  2. HTTPS Only: All traffic encrypted via Traefik with Let's Encrypt certificates
  3. Database Security: PostgreSQL credentials stored in Forgejo secrets, never in code
  4. Admin Account: The first user becomes the admin; secure that account immediately
  5. Regular Updates: Keep Infisical image updated for security patches

Architecture Details

Networks

  • traefik: External network for Traefik reverse proxy
  • postgres-network: External network for PostgreSQL database access
  • valkey-network: External network for the shared Valkey instance

Resource Limits

  • Backend: 2G memory limit, 1G reservation

Support

For Infisical-specific issues, refer to:

References