network/infisical.md (last modified 2026-04-29 09:22:11 -04:00)
Infisical (Secrets Management)

Self-hosted Infisical instance running as a Docker stack on DOCKER (10.100.0.35). Deployed 2026-04-29 via Ansible (role infisical in the ansiblearr playbook).

Access

  • URL: https://infisical.dohertylan.com (via Traefik + Cloudflare cert)
  • Auth: native Infisical accounts (no Authelia middleware — Infisical has its own login)
  • First-time setup: first sign-up becomes the admin. After bootstrapping, set INVITE_ONLY_SIGNUP=true in roles/infisical/defaults/main.yml and re-deploy to lock further signups.

Stack layout (on docker host)

/opt/infisical/ (compose project name infisical; service labels carry standard com.docker.compose.* only — no custom project=lmxopcua-style label):

| Container | Image | Internal port | Host port | Volume |
|---|---|---|---|---|
| infisical | infisical/infisical:latest-postgres | 8080 (HTTP) | none — Traefik handles 443→8080 | none |
| infisical-db | postgres:16-alpine | 5432 | none | /opt/infisical/postgres_data |
| infisical-redis | redis:7-alpine | 6379 | none | /opt/infisical/redis_data |

Networks: traefik (external, shared with the rest of the stack) and infisical (internal-only bridge for db + redis).

Configuration

Source of truth: roles/infisical/defaults/main.yml in the ansible repo. Re-deploys overwrite /opt/infisical/docker-compose.yml, so don't edit it on the host.

| Variable | Value (default) | Notes |
|---|---|---|
| infisical_image | infisical/infisical:latest-postgres | Standalone all-in-one image (API + frontend) |
| infisical_subdomain | infisical | Becomes infisical.dohertylan.com |
| infisical_db_user / infisical_db_name | infisical / infisical | Internal-only — not exposed past the compose network |
| infisical_db_password | Sonamu89_infisical_db | dev convention; rotate via group_vars/vault if the repo ever leaves the LAN |
| infisical_encryption_key | 32 hex chars | Do not change after data exists — used to envelope-encrypt secrets at rest. Changing it makes existing secrets unrecoverable; use Infisical's key-rotation flow if you need to rotate |
| infisical_auth_secret | random base64 | JWT signing key |
| infisical_telemetry_enabled | false | Anonymous telemetry opted out |

Deploy / update

Three equivalent paths:

```bash
# Via Semaphore UI (or API): http://10.100.0.35:3000  →  template "Deploy Full Stack"
curl -s -c - http://localhost:3000/api/auth/login -X POST -H 'Content-Type: application/json' \
  -d '{"auth":"dohertj2","password":"Sonamu89"}' | grep semaphore | awk '{print $NF}' \
  | xargs -I{} curl -s -b "semaphore={}" -X POST http://localhost:3000/api/project/1/tasks \
       -H 'Content-Type: application/json' -d '{"template_id":8,"project_id":1}'

# Or directly on the docker host (skips going through Semaphore/git):
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose up -d'

# Or pull image only (without restart):
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose pull'
```

To make a change, edit roles/infisical/defaults/main.yml (or the template), commit + push to GitHub, then re-run the Semaphore template.

Operations

```bash
# Status
ssh dohertj2@10.100.0.35 'docker ps --filter name=infisical'

# Logs
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose logs --tail=200 infisical'

# Restart just the app (keep db/redis up)
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose restart infisical'

# Full stack restart
ssh dohertj2@10.100.0.35 'cd /opt/infisical && docker compose up -d --force-recreate'

# psql shell into the db
ssh dohertj2@10.100.0.35 'docker exec -it infisical-db psql -U infisical -d infisical'
```

Backups

Only state worth preserving: /opt/infisical/postgres_data. Redis is just a cache.

```bash
# Hot logical dump (run on docker host)
docker exec infisical-db pg_dump -U infisical -d infisical | gzip > /mnt/share/backups/infisical-$(date +%F).sql.gz
```

Restore:

  1. stop the stack
  2. drop and recreate the DB
  3. `gunzip < dump.sql.gz | docker exec -i infisical-db psql -U infisical -d infisical`
  4. start the stack

Whatever encryption key was in defaults/main.yml at backup time must still be in place — the restored ciphertext is only readable with the same ENCRYPTION_KEY.
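The one-liner above produces a dump but never checks that it is usable, and the restore steps are easy to get wrong (the db container has to be up for `docker exec` to work). The script below is an added example, not part of this wiki page or of the ansible role: it dumps to a temp file, verifies the archive is a non-empty gzip that actually starts with the pg_dump header, prunes old dumps, and restores in the documented order while stopping only the app container. The container name, db user/name and backup path are the page's own; `KEEP_N` and the `run`/`restore` entry points are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the wiki page or the ansible role: a backup
# helper for infisical-db that dumps, verifies the archive, prunes old
# dumps, and restores. Container name, db user/name and backup path are the
# page's; KEEP_N and the `run`/`restore` entry points are assumptions.
# Run on the docker host from /opt/infisical.
set -euo pipefail

DB_CONTAINER="${DB_CONTAINER:-infisical-db}"
BACKUP_DIR="${BACKUP_DIR:-/mnt/share/backups}"
KEEP_N="${KEEP_N:-14}"   # assumed retention: keep the 14 newest dumps

# Dump path for a given day, matching the page's infisical-<date>.sql.gz naming.
backup_path() {
  printf '%s/infisical-%s.sql.gz\n' "$1" "$2"
}

# A dump is only worth keeping if it is non-empty, a valid gzip stream, and
# carries the pg_dump header (so we did not archive an error message).
verify_dump() {
  local f="$1" header
  [ -s "$f" ] || return 1
  gzip -t "$f" 2>/dev/null || return 1
  # gzip may get SIGPIPE when head closes the pipe; that is not a failure here
  header="$( { gzip -dc "$f" 2>/dev/null || true; } | head -c 200 )"
  case "$header" in
    *"PostgreSQL database dump"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Number of dumps currently in $1.
count_dumps() {
  find "$1" -maxdepth 1 -name 'infisical-*.sql.gz' | wc -l | tr -d ' '
}

# Keep only the $2 newest dumps in $1. The ISO date in the name sorts
# chronologically, so the oldest files come first after `sort`.
prune_old_dumps() {
  local dir="$1" keep="$2" excess
  excess=$(( $(count_dumps "$dir") - keep ))
  [ "$excess" -gt 0 ] || return 0
  find "$dir" -maxdepth 1 -name 'infisical-*.sql.gz' | sort | head -n "$excess" \
    | while read -r f; do rm -f -- "$f"; done
}

# Hot logical dump (the page's pg_dump | gzip), written to a temp file first so
# a failed or truncated dump never overwrites yesterday's good one.
dump_db() {
  local out="$1" tmp
  tmp="$(mktemp "${out}.XXXXXX")"
  if ! docker exec "$DB_CONTAINER" pg_dump -U infisical -d infisical | gzip -9 > "$tmp" \
     || ! verify_dump "$tmp"; then
    rm -f -- "$tmp"; echo "dump failed: $out" >&2; return 1
  fi
  mv -- "$tmp" "$out"
  chmod 600 "$out"   # contains user/org data and secret ciphertext; keep it private
}

# The page's restore steps, but stopping only the app container: infisical-db
# must stay up for `docker exec ... psql` to work, and nothing else connects
# to postgres once the app is down.
restore_db() {
  local dump="$1"
  verify_dump "$dump" || { echo "refusing to restore unreadable dump $dump" >&2; return 1; }
  docker compose stop infisical
  docker exec "$DB_CONTAINER" psql -U infisical -d postgres -v ON_ERROR_STOP=1 \
    -c 'DROP DATABASE IF EXISTS infisical;' -c 'CREATE DATABASE infisical OWNER infisical;'
  gzip -dc "$dump" | docker exec -i "$DB_CONTAINER" psql -U infisical -d infisical -v ON_ERROR_STOP=1
  docker compose up -d infisical
}

case "${1:-}" in
  run)     dump_db "$(backup_path "$BACKUP_DIR" "$(date +%F)")" && prune_old_dumps "$BACKUP_DIR" "$KEEP_N" ;;
  restore) restore_db "${2:?usage: $0 restore <dump.sql.gz>}" ;;
esac
```

Usage: `./infisical-backup.sh run` from a cron entry on the docker host, `./infisical-backup.sh restore /mnt/share/backups/infisical-2026-04-29.sql.gz` to restore. The header check matters because `docker exec ... pg_dump` failing (container down, wrong password) still leaves a small, valid gzip of the error text on disk, which the plain one-liner would happily keep.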

Homepage entry

Listed under the Infrastructure group on https://home.dohertylan.com — icon infisical.png (from dashboard-icons), URL https://infisical.dohertylan.com, description "Secrets Management". Added in roles/homepage/defaults/main.yml.

Risks / gotchas

  • ENCRYPTION_KEY is the master. Treat changes to that var as a destructive operation. The default is checked into git in the private ansiblearr repo — fine while the repo stays internal; rotate immediately if it ever goes public.
  • First sign-up gets admin with no out-of-band gating. Sign up immediately after the initial deploy so a passing scanner doesn't beat you to it.
  • No Authelia middleware. Infisical's own auth is the only thing in front of the API — exposed via Cloudflare to the internet at infisical.dohertylan.com. Enable Infisical SSO + MFA before storing anything sensitive.
  • Single-instance. Postgres + Redis run alongside the app on one box. Acceptable for a homelab; not HA. If the docker host goes down, secrets API is unavailable — plan integrations accordingly (don't make Infisical a hard dependency for things that need to recover during a docker host outage).
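Both the Configuration table and the first gotcha above say the same thing: a changed infisical_encryption_key turns every stored secret into unrecoverable ciphertext, and the only protection is remembering not to touch it. The guard below is an added example, not part of this wiki page or of the ansible role: run before the Semaphore template (or as a pre-task), it reads the key from the role defaults, reads the ENCRYPTION_KEY the running container was started with, and refuses to proceed unless they match and the key is the 32 hex characters the table documents. The variable and env names are the page's; the defaults path, the container name, and the `check-key` entry point are assumptions. It only understands plain or quoted scalars in the YAML, not vaulted values.

```bash
#!/usr/bin/env bash
# Added example, not from the wiki page or the ansible role: pre-deploy guard
# that refuses to proceed if the infisical_encryption_key in the role defaults
# differs from the ENCRYPTION_KEY the running container already uses, or is
# not 32 hex chars. Variable/env names follow the page; the defaults path,
# container name and the `check-key` entry point are assumptions.
set -euo pipefail

DEFAULTS="${DEFAULTS:-roles/infisical/defaults/main.yml}"
APP_CONTAINER="${APP_CONTAINER:-infisical}"

# Key format the page documents: exactly 32 hex characters. Pure check.
key_is_valid() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;   # non-hex character present
  esac
  [ "${#1}" -eq 32 ]
}

# Pull the key out of the role defaults. Handles `infisical_encryption_key: abc`
# and single/double-quoted variants; anything else (e.g. a !vault block) fails.
key_from_defaults() {
  local line val
  line="$(grep -E '^infisical_encryption_key:' "$1" | head -n 1 || true)"
  [ -n "$line" ] || { echo "infisical_encryption_key not found in $1" >&2; return 1; }
  val="${line#*:}"
  val="$(printf '%s' "$val" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                                  -e "s/^['\"]//" -e "s/['\"]\$//")"
  printf '%s\n' "$val"
}

# Key the running container was started with; empty if there is no container
# yet (first deploy), so the caller can tell "nothing to compare" from "mismatch".
key_from_container() {
  { docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$1" 2>/dev/null || true; } \
    | sed -n 's/^ENCRYPTION_KEY=//p' | head -n 1
}

# Policy: 0 = safe to deploy, 1 = refuse. Pure, so it can be tested offline.
#   wanted  = key in defaults/main.yml
#   current = key in the running container ("" when no container exists)
keys_compatible() {
  local wanted="$1" current="$2"
  key_is_valid "$wanted" || { echo "refuse: key in defaults is not 32 hex chars" >&2; return 1; }
  [ -z "$current" ] && return 0          # first deploy: nothing to clash with
  [ "$wanted" = "$current" ] && return 0
  echo "refuse: defaults key differs from the running container's ENCRYPTION_KEY;" \
       "deploying would make existing secrets unrecoverable" >&2
  return 1
}

main() {
  local wanted current
  wanted="$(key_from_defaults "$DEFAULTS")"
  current="$(key_from_container "$APP_CONTAINER")"
  keys_compatible "$wanted" "$current" && echo "encryption key check passed"
}

case "${1:-}" in check-key) main ;; esac
```

Run it on the docker host from the ansible checkout as `./infisical-guard.sh check-key`; a non-zero exit is the signal to stop the deploy. Because the comparison is against the live container rather than git history, it also catches the case where someone edited the key locally and forgot to commit, which a repo-only check would miss.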