endery/voxblog
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
222ad13724
voxblog/INFISICAL_SETUP.md
adminuser 222ad13724
Some checks failed
Deploy to Production / deploy (push) Failing after 2m55s
Details
auto deployment fix
2025-10-28 12:33:31 +00:00

3.2 KiB
Raw Blame History

Infisical Secret Management

This guide shows how to run (and maintain) the self-hosted Infisical instance for VoxBlog. A production instance is already running on this VPS at https://secrets.pusula.blog with files under /home/adminuser/infisical.

1. Start Infisical

  1. Copy the sample environment: 
    cp infisical/.env.example infisical/.env
  2. Edit infisical/.env and set:
    • INFISICAL_SITE_URL=https://secrets.pusula.blog.
    • INFISICAL_POSTGRES_PASSWORD — database password (strong, unique).
    • INFISICAL_AUTH_SECRET — 32-byte base64 secret (openssl rand -base64 32).
    • Leave INFISICAL_ENCRYPTION_KEY blank and set INFISICAL_ROOT_ENCRYPTION_KEY to a 32-byte base64 secret (openssl rand -base64 32).
    • Set INFISICAL_DATABASE_URL=postgresql://infisical:${INFISICAL_POSTGRES_PASSWORD}@postgres:5432/infisical.
  3. Boot the stack: 
    docker compose \
  --env-file infisical/.env \
  -f infisical/docker-compose.yml \
  up -d
  4. Point your reverse proxy (Caddy is already configured) at http://127.0.0.1:8080 so the public URL works over HTTPS.

2. Bootstrap Infisical

  1. Visit INFISICAL_SITE_URL and create the initial admin account.
  2. Create a Workspace (e.g. voxblog).
  3. Add environments you need (at least production, maybe staging/development).
  4. Inside each environment, create a secret path (e.g. /) and add the VoxBlog variables:
    • MYSQL_ROOT_PASSWORD
    • MYSQL_PASSWORD
    • ADMIN_PASSWORD
    • OPENAI_API_KEY
    • GHOST_ADMIN_API_KEY
    • GHOST_ADMIN_API_URL
    • S3_BUCKET
    • S3_REGION
    • S3_ACCESS_KEY
    • S3_SECRET_KEY
    • S3_ENDPOINT
    • VITE_API_URL

3. Service Token for Automation

  1. In the workspace, open Integration → Service Tokens → Create Token.
  2. Scope the token to the production environment and the secret path containing the keys (usually /).
  3. Copy the token value and store it somewhere safe—you will not see it again.

4. Wire Deployments

Gitea Actions

  1. In your VoxBlog repository, go to Settings → Secrets and add:
    • INFISICAL_TOKEN — the service token from the previous step.
    • INFISICAL_SITE_URLhttps://secrets.pusula.blog.
  2. No other secret variables are needed; the workflow now loads them dynamically before running Docker Compose.

Manual / Webhook Deployments

  1. On the VPS, export the token before running deploy.sh: 
    export INFISICAL_TOKEN=st.your_token_value
export INFISICAL_SITE_URL=https://secrets.pusula.blog
./deploy.sh
  2. The script prefers Infisical; it only falls back to .env when no token is set, so consider removing any old .env file from the server.

5. Rotating Secrets

  1. Update the value inside Infisical.
  2. Re-run the deployment pipeline (or deploy.sh) so new containers launch with the rotated configuration.
  3. Old values never touch disk—no extra clean-up is required.

6. Backups & Maintenance

  • Backup the Postgres volume (infisical-postgres-data) using your usual VPS backup process.
  • Protect the Infisical site with HTTPS and, ideally, IP allow-lists or SSO.
  • Rotate the service token periodically; update the Gitea secret and any server-side exports at the same time.