# Infisical Secret Management

This guide shows how to run (and maintain) the self-hosted Infisical instance for VoxBlog. A production instance is already running on this VPS at `https://secrets.pusula.blog` with files under `/home/adminuser/infisical`.

## 1. Start Infisical

1. Copy the sample environment:

   ```bash
   cp infisical/.env.example infisical/.env
   ```

2. Edit `infisical/.env` and set:
   - `INFISICAL_SITE_URL=https://secrets.pusula.blog`.
   - `INFISICAL_POSTGRES_PASSWORD` — database password (strong, unique).
   - `INFISICAL_AUTH_SECRET` — 32-byte base64 secret (`openssl rand -base64 32`).
   - Leave `INFISICAL_ENCRYPTION_KEY` blank and set `INFISICAL_ROOT_ENCRYPTION_KEY` to a 32-byte base64 secret (`openssl rand -base64 32`).
   - Set `INFISICAL_DATABASE_URL=postgresql://infisical:${INFISICAL_POSTGRES_PASSWORD}@postgres:5432/infisical`.

3. Boot the stack:

   ```bash
   docker compose \
     --env-file infisical/.env \
     -f infisical/docker-compose.yml \
     up -d
   ```

4. Point your reverse proxy (Caddy is already configured) at `http://127.0.0.1:8080` so the public URL works over HTTPS.

## 2. Bootstrap Infisical

1. Visit `INFISICAL_SITE_URL` and create the initial admin account.
2. Create a **Workspace** (e.g. `voxblog`).
3. Add the environments you need (at least `production`, optionally `staging`/`development`).
4. Inside each environment, create a **secret path** (e.g. `/`) and add the VoxBlog variables:
   - `MYSQL_ROOT_PASSWORD`
   - `MYSQL_PASSWORD`
   - `ADMIN_PASSWORD`
   - `OPENAI_API_KEY`
   - `GHOST_ADMIN_API_KEY`
   - `GHOST_ADMIN_API_URL`
   - `S3_BUCKET`
   - `S3_REGION`
   - `S3_ACCESS_KEY`
   - `S3_SECRET_KEY`
   - `S3_ENDPOINT`
   - `VITE_API_URL`

## 3. Service Token for Automation

1. In the workspace, open **Integration → Service Tokens → Create Token**.
2. Scope the token to the `production` environment and the secret path containing the keys (usually `/`).
3. Copy the token value and store it somewhere safe; you will not see it again.

## 4. Wire Deployments

### Gitea Actions

1. In your VoxBlog repository, go to **Settings → Secrets** and add:
   - `INFISICAL_TOKEN` — the service token from the previous step.
   - `INFISICAL_SITE_URL` — `https://secrets.pusula.blog`.
2. No other secret variables are needed; the workflow now loads them dynamically from Infisical before running Docker Compose.

### Manual / Webhook Deployments

1. On the VPS, export the token before running `deploy.sh`:

   ```bash
   export INFISICAL_TOKEN=st.your_token_value
   export INFISICAL_SITE_URL=https://secrets.pusula.blog
   ./deploy.sh
   ```

2. The script prefers Infisical; it only falls back to `.env` when no token is set, so consider removing any old `.env` file from the server.

## 5. Rotating Secrets

1. Update the value inside Infisical.
2. Re-run the deployment pipeline (or `deploy.sh`) so new containers launch with the rotated configuration.
3. Old values never touch disk, so no extra clean-up is required.

## 6. Backups & Maintenance

- Back up the Postgres volume (`infisical-postgres-data`) using your usual VPS backup process.
- Protect the Infisical site with HTTPS and, ideally, IP allow-lists or SSO.
- Rotate the service token periodically; update the Gitea secret and any server-side exports at the same time.
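The checklist in section 1 and the "prefer Infisical, fall back to `.env` only when no token is set" rule in section 4 are easy to get subtly wrong: a root encryption key that is not really 32 bytes, a database URL whose password drifts away from `INFISICAL_POSTGRES_PASSWORD`, or a stale `.env` quietly taking over a deployment. The helper below is an added example written for this guide; it is not VoxBlog's `deploy.sh` and not Infisical code. It assumes the `.env` files are plain `KEY=value` lines without quoting, that the `infisical` CLI is installed on the VPS (the `run --domain/--token/--env/--path` flags are taken from that CLI's documentation), and that the environment slug is `production` as created in section 2.

```shell
#!/usr/bin/env bash
# Added helper for the Infisical guide (example, not part of VoxBlog or Infisical).
# Usage:  ./infisical-helper.sh check  [infisical/.env]
#         ./infisical-helper.sh deploy [.env]      (runs `docker compose up -d`)
set -u

# Print the value of KEY from a dotenv FILE (first match, unquoted values assumed).
env_get() {   # env_get FILE KEY
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# True when the argument is base64 that decodes to exactly 32 bytes,
# i.e. what `openssl rand -base64 32` produces.
is_32_byte_b64() {
  [ -n "$1" ] || return 1
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# Validate infisical/.env against the section 1 checklist.
# Prints one line per failed check; returns 1 if anything failed.
check_env_file() {   # check_env_file FILE
  f=$1; rc=0
  [ -f "$f" ] || { echo "missing $f"; return 1; }
  for k in INFISICAL_SITE_URL INFISICAL_POSTGRES_PASSWORD INFISICAL_AUTH_SECRET \
           INFISICAL_ROOT_ENCRYPTION_KEY INFISICAL_DATABASE_URL; do
    [ -n "$(env_get "$f" "$k")" ] || { echo "$k is empty"; rc=1; }
  done
  case "$(env_get "$f" INFISICAL_SITE_URL)" in
    https://*) ;;
    *) echo "INFISICAL_SITE_URL must be an https URL"; rc=1 ;;
  esac
  # The guide says to leave the legacy key blank and use the root key instead.
  [ -z "$(env_get "$f" INFISICAL_ENCRYPTION_KEY)" ] \
    || { echo "INFISICAL_ENCRYPTION_KEY must be blank"; rc=1; }
  is_32_byte_b64 "$(env_get "$f" INFISICAL_AUTH_SECRET)" \
    || { echo "INFISICAL_AUTH_SECRET is not 32 bytes of base64"; rc=1; }
  is_32_byte_b64 "$(env_get "$f" INFISICAL_ROOT_ENCRYPTION_KEY)" \
    || { echo "INFISICAL_ROOT_ENCRYPTION_KEY is not 32 bytes of base64"; rc=1; }
  # The database URL must follow the documented shape and must carry the
  # Postgres password, either literally or as the ${...} reference.
  url=$(env_get "$f" INFISICAL_DATABASE_URL)
  case "$url" in
    postgresql://infisical:*@postgres:5432/infisical)
      pw=${url#postgresql://infisical:}; pw=${pw%@postgres:5432/infisical}
      [ "$pw" = "$(env_get "$f" INFISICAL_POSTGRES_PASSWORD)" ] \
        || [ "$pw" = '${INFISICAL_POSTGRES_PASSWORD}' ] \
        || { echo "INFISICAL_DATABASE_URL password differs from INFISICAL_POSTGRES_PASSWORD"; rc=1; } ;;
    *) echo "INFISICAL_DATABASE_URL must look like postgresql://infisical:<pw>@postgres:5432/infisical"; rc=1 ;;
  esac
  # Not a hard failure, but the file holds the root key: warn if others can read it.
  case "$(ls -ld "$f" | cut -c8-10)" in
    ---) ;;
    *) echo "warning: $f is readable by other users; consider chmod 600" ;;
  esac
  return $rc
}

# Which source a deployment would use, following the section 4 rule.
secret_source() {
  if [ -n "${INFISICAL_TOKEN:-}" ]; then echo infisical; else echo dotenv; fi
}

# Run CMD with the VoxBlog secrets in its environment. With a token, Infisical
# injects them straight into the child process (nothing written to disk);
# without one, the dotenv file is sourced as a last resort.
run_with_secrets() {   # run_with_secrets ENVFILE CMD...
  envfile=$1; shift
  case "$(secret_source)" in
    infisical)
      infisical run --domain "${INFISICAL_SITE_URL:?export INFISICAL_SITE_URL first}" \
        --token "$INFISICAL_TOKEN" --env production --path / -- "$@" ;;
    dotenv)
      [ -f "$envfile" ] || { echo "no INFISICAL_TOKEN and no $envfile; refusing to deploy" >&2; return 1; }
      echo "warning: INFISICAL_TOKEN not set, falling back to $envfile" >&2
      set -a; . "$envfile"; set +a   # export every KEY=value line
      "$@" ;;
  esac
}

case "${1:-}" in
  check)  check_env_file "${2:-infisical/.env}" ;;
  deploy) run_with_secrets "${2:-.env}" docker compose up -d ;;
esac
```

Run `./infisical-helper.sh check` after editing `infisical/.env` and before `docker compose up`; a non-zero exit with the printed reasons is cheaper than a half-initialised database. The `deploy` mode makes the fallback loud on stderr, which is the signal you want after removing the old `.env` from the server as section 4 suggests.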