dohertj2/network
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Infisical doc + link from CLAUDE.md

Browse Source
This commit is contained in:
dohertj2
2026-04-29 09:22:11 -04:00
parent 982ddc0e8f
commit 203647dc4a
2 changed files with 97 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CLAUDE.md
+1
View File
@@ -17,6 +17,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
- [TrueNAS Server](truenas.md) — NAS at 10.100.0.25 (management) / 10.50.0.x (storage), serves SMB and NFS
- [ESXi Host](esxi.md) — HP server at 10.2.0.12, ESXi 8.0.3, 8 VMs (7 powered on), access via `govc` only (not SSH). **Read esxi.md for credentials and connection details.**
- [Docker Server](docker.md) — Debian 13 at 10.100.0.35, Docker host for 21 containers (arr stack, Traefik, Semaphore/Ansible). **This is the local machine.**
- [Infisical](infisical.md) — Secrets management at https://infisical.dohertylan.com, runs as a Docker stack on the docker host
- [Plex Server](plex.md) — Debian 11 at 10.100.0.24, Plex Media Server 1.43, NFS media from TrueNAS
- [Home Assistant](ha.md) — HAOS at 10.100.0.40, HA 2026.2.2, 2,411 entities, smart home automation. API access only (no SSH).
- [Ignition Gateway](ignition.md) — Debian 11 at 10.100.0.90, Ignition 8.3.3 (Maker), SCADA/IIoT platform with PostgreSQL 13
infisical.md
+96
View File
@@ -0,0 +1,96 @@
# Infisical (Secrets Management)
Self-hosted Infisical instance running as a Docker stack on [DOCKER](docker.md) (10.100.0.35). Deployed via Ansible (role `infisical` in the [ansiblearr](https://github.com/dohejw01/ansiblearr) playbook); deployed 2026-04-29.
## Access
- **URL**: https://infisical.dohertylan.com (via Traefik + Cloudflare cert)
- **Auth**: native Infisical accounts (no Authelia middleware — Infisical has its own login)
- **First-time setup**: first sign-up becomes the admin. After bootstrapping, set `INVITE_ONLY_SIGNUP=true` in `roles/infisical/defaults/main.yml` and re-deploy to lock further signups.
## Stack layout (on docker host)
`/opt/infisical/` (compose project name `infisical`; service labels carry standard `com.docker.compose.*` only — no custom `project=lmxopcua`-style label):
| Container | Image | Internal port | Host port | Volume |
|---|---|---|---|---|
| `infisical` | `infisical/infisical:latest-postgres` | 8080 (HTTP) | none — Traefik handles 443→8080 | — |
| `infisical-db` | `postgres:16-alpine` | 5432 | none | `/opt/infisical/postgres_data` |
| `infisical-redis` | `redis:7-alpine` | 6379 | none | `/opt/infisical/redis_data` |
Networks: `traefik` (external, shared with the rest of the stack) and `infisical` (internal-only bridge for db + redis).
## Configuration
Source of truth: `roles/infisical/defaults/main.yml` in the ansible repo. Re-deploys overwrite `/opt/infisical/docker-compose.yml`, so don't edit it on the host.
| Variable | Value (default) | Notes |
|---|---|---|
| `infisical_image` | `infisical/infisical:latest-postgres` | Standalone all-in-one image (API + frontend) |
| `infisical_subdomain` | `infisical` | Becomes `infisical.dohertylan.com` |
| `infisical_db_user` / `_db_name` | `infisical` / `infisical` | Internal-only — not exposed past the compose network |
| `infisical_db_password` | `Sonamu89_infisical_db` | dev convention; rotate via group_vars/vault if repo ever leaves the LAN |
| `infisical_encryption_key` | 32 hex chars | **Do not change after data exists** — used to envelope-encrypt secrets at rest. Changing it makes existing secrets unrecoverable; use Infisical's key-rotation flow if you need to rotate |
| `infisical_auth_secret` | random base64 | JWT signing key |
| `infisical_telemetry_enabled` | `false` | Anonymous telemetry opted out |
## Deploy / update
Three equivalent paths:
```bash
# Via Semaphore UI (or API): http://10.100.0.35:3000 → template "Deploy Full Stack"
curl -s -c - http://localhost:3000/api/auth/login -X POST -H 'Content-Type: application/json' \
-d '{"auth":"dohertj2","password":"Sonamu89"}' | grep semaphore | awk '{print $NF}' \
| xargs -I{} curl -s -b "semaphore={}" -X POST http://localhost:3000/api/project/1/tasks \
-H 'Content-Type: application/json' -d '{"template_id":8,"project_id":1}'
# Or directly on the docker host (skips going through Semaphore/git):
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose up -d'
# Or pull image only (without restart):
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose pull'
```
To make a change, edit `roles/infisical/defaults/main.yml` (or the template), commit + push to GitHub, then re-run the Semaphore template.
## Operations
```bash
# Status
ssh dohertj2@10.100.0.35 'docker ps --filter name=infisical'
# Logs
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose logs --tail=200 infisical'
# Restart just the app (keep db/redis up)
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose restart infisical'
# Full stack restart
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose up -d --force-recreate'
# psql shell into the db
ssh dohertj2@10.100.0.35 'docker exec -it infisical-db psql -U infisical -d infisical'
```
## Backups
Only state worth preserving: `/opt/infisical/postgres_data`. Redis is just a cache.
```bash
# Hot logical dump (run on docker host)
docker exec infisical-db pg_dump -U infisical -d infisical | gzip > /mnt/share/backups/infisical-$(date +%F).sql.gz
```
Restore: stop the stack, drop and recreate the DB, `gunzip < dump.sql.gz | docker exec -i infisical-db psql -U infisical -d infisical`, start the stack. Whatever encryption key was in `defaults/main.yml` at backup time must still be in place — the restored ciphertext is only readable with the same `ENCRYPTION_KEY`.
## Homepage entry
Listed under the **Infrastructure** group on https://home.dohertylan.com — icon `infisical.png` (from dashboard-icons), URL `https://infisical.dohertylan.com`, description "Secrets Management". Added in `roles/homepage/defaults/main.yml`.
## Risks / gotchas
- **`ENCRYPTION_KEY` is the master**. Treat changes to that var as a destructive operation. The default is checked into git in the private ansiblearr repo — fine while the repo stays internal; rotate immediately if it ever goes public.
- **First sign-up gets admin** with no out-of-band gating. Sign up immediately after the initial deploy so a passing scanner doesn't beat you to it.
- **No Authelia middleware**. Infisical's own auth is the only thing in front of the API — exposed via Cloudflare to the internet at `infisical.dohertylan.com`. Enable Infisical SSO + MFA before storing anything sensitive.
- **Single-instance**. Postgres + Redis run alongside the app on one box. Acceptable for a homelab; not HA. If the docker host goes down, secrets API is unavailable — plan integrations accordingly (don't make Infisical a hard dependency for things that need to recover during a docker host outage).