voxblog/INFISICAL_SETUP.md
adminuser 222ad13724
auto deployment fix
2025-10-28 12:33:31 +00:00


# Infisical Secret Management
This guide shows how to run (and maintain) the self-hosted Infisical instance for VoxBlog. A production instance is already running on this VPS at `https://secrets.pusula.blog` with files under `/home/adminuser/infisical`.
## 1. Start Infisical
1. Copy the sample environment:
```bash
cp infisical/.env.example infisical/.env
```
2. Edit `infisical/.env` and set:
- `INFISICAL_SITE_URL=https://secrets.pusula.blog`.
- `INFISICAL_POSTGRES_PASSWORD` — database password (strong, unique).
- `INFISICAL_AUTH_SECRET` — 32-byte base64 secret (`openssl rand -base64 32`).
- Leave `INFISICAL_ENCRYPTION_KEY` blank and set `INFISICAL_ROOT_ENCRYPTION_KEY` to a 32-byte base64 secret (`openssl rand -base64 32`).
- Set `INFISICAL_DATABASE_URL=postgresql://infisical:${INFISICAL_POSTGRES_PASSWORD}@postgres:5432/infisical`.
3. Boot the stack:
```bash
docker compose \
--env-file infisical/.env \
-f infisical/docker-compose.yml \
up -d
```
4. Point your reverse proxy (Caddy is already configured) at `http://127.0.0.1:8080` so the public URL works over HTTPS.
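The following script is an added example for this guide, not part of the VoxBlog repository: it writes an `infisical/.env` that follows the settings in step 2 and checks the file before the stack is booted (HTTPS site URL, a Postgres password that is safe inside the database URL, `INFISICAL_ENCRYPTION_KEY` left blank, and auth/root encryption secrets that decode to exactly 32 bytes). Function names such as `write_env` and `check_env` are my own; it relies only on `openssl` (with a `/dev/urandom` fallback), `base64`, `sed` and coreutils.

```shell
#!/bin/sh
# Added example, not part of the VoxBlog repository: create infisical/.env with
# the settings from section 1 and verify them before `docker compose up`.
set -eu

# 32 random bytes, base64-encoded (44 characters): the guide's `openssl rand -base64 32`.
gen_b64_32() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64 | tr -d '\n'
  fi
}

# Hex password for Postgres: contains no '/', '@' or ':' so it is safe inside the DB URL.
gen_hex_pw() {
  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# True when $1 is base64 text that decodes to exactly 32 bytes.
is_b64_32() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = 32 ]
}

# First value of KEY ($2) in env file $1 (empty string when absent or blank).
env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Write env file $1 with fresh secrets; the DB URL keeps the ${...} reference literal.
write_env() {
  cat > "$1" <<EOF
INFISICAL_SITE_URL=https://secrets.pusula.blog
INFISICAL_POSTGRES_PASSWORD=$(gen_hex_pw)
INFISICAL_AUTH_SECRET=$(gen_b64_32)
INFISICAL_ENCRYPTION_KEY=
INFISICAL_ROOT_ENCRYPTION_KEY=$(gen_b64_32)
INFISICAL_DATABASE_URL=postgresql://infisical:\${INFISICAL_POSTGRES_PASSWORD}@postgres:5432/infisical
EOF
  chmod 600 "$1"   # the file holds the root encryption key: owner-only
}

# Validate env file $1 against section 1; prints each problem, returns 1 on any.
check_env() {
  f=$1
  bad=0
  case "$(env_get "$f" INFISICAL_SITE_URL)" in
    https://*) ;;
    *) echo "INFISICAL_SITE_URL must be an https:// URL" >&2; bad=1 ;;
  esac
  pw=$(env_get "$f" INFISICAL_POSTGRES_PASSWORD)
  [ "${#pw}" -ge 16 ] || { echo "INFISICAL_POSTGRES_PASSWORD too short" >&2; bad=1; }
  is_b64_32 "$(env_get "$f" INFISICAL_AUTH_SECRET)" \
    || { echo "INFISICAL_AUTH_SECRET is not 32 base64-encoded bytes" >&2; bad=1; }
  [ -z "$(env_get "$f" INFISICAL_ENCRYPTION_KEY)" ] \
    || { echo "INFISICAL_ENCRYPTION_KEY must be left blank" >&2; bad=1; }
  is_b64_32 "$(env_get "$f" INFISICAL_ROOT_ENCRYPTION_KEY)" \
    || { echo "INFISICAL_ROOT_ENCRYPTION_KEY is not 32 base64-encoded bytes" >&2; bad=1; }
  case "$(env_get "$f" INFISICAL_DATABASE_URL)" in
    postgresql://*) ;;
    *) echo "INFISICAL_DATABASE_URL must be a postgresql:// URL" >&2; bad=1 ;;
  esac
  return "$bad"
}

# Usage: sh infisical_env.sh --write   (refuses to overwrite an existing infisical/.env)
if [ "${1:-}" = "--write" ]; then
  [ ! -e infisical/.env ] || { echo "infisical/.env exists; not overwriting" >&2; exit 1; }
  write_env infisical/.env && check_env infisical/.env
fi
```

`check_env` can also be run on its own against an `.env` that was edited by hand, which is the check worth repeating whenever someone changes the file: a non-blank `INFISICAL_ENCRYPTION_KEY` or a secret that is not exactly 32 bytes would otherwise only show up as an Infisical startup failure.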
## 2. Bootstrap Infisical
1. Visit `INFISICAL_SITE_URL` and create the initial admin account.
2. Create a **Workspace** (e.g. `voxblog`).
3. Add environments you need (at least `production`, maybe `staging`/`development`).
4. Inside each environment, create a **secret path** (e.g. `/`) and add the VoxBlog variables:
- `MYSQL_ROOT_PASSWORD`
- `MYSQL_PASSWORD`
- `ADMIN_PASSWORD`
- `OPENAI_API_KEY`
- `GHOST_ADMIN_API_KEY`
- `GHOST_ADMIN_API_URL`
- `S3_BUCKET`
- `S3_REGION`
- `S3_ACCESS_KEY`
- `S3_SECRET_KEY`
- `S3_ENDPOINT`
- `VITE_API_URL`
## 3. Service Token for Automation
1. In the workspace, open **Integration → Service Tokens → Create Token**.
2. Scope the token to the `production` environment and the secret path containing the keys (usually `/`).
3. Copy the token value and store it somewhere safe—you will not see it again.
## 4. Wire Deployments
### Gitea Actions
1. In your VoxBlog repository, go to **Settings → Secrets** and add:
- `INFISICAL_TOKEN` — the service token from the previous step.
- `INFISICAL_SITE_URL` set to `https://secrets.pusula.blog`.
2. No other secret variables are needed; the workflow now loads them dynamically before running Docker Compose.
### Manual / Webhook Deployments
1. On the VPS, export the token before running `deploy.sh`:
```bash
export INFISICAL_TOKEN=st.your_token_value
export INFISICAL_SITE_URL=https://secrets.pusula.blog
./deploy.sh
```
2. The script prefers Infisical; it only falls back to `.env` when no token is set, so consider removing any old `.env` file from the server.
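As an added example (this is not the repository's `deploy.sh`), the following POSIX shell shows the loading order described above: secrets come from Infisical whenever `INFISICAL_TOKEN` is set, `.env` is used only when it is not, and every variable from section 2 is checked before `docker compose` is started, so a half-configured server fails early instead of launching containers with empty secrets. The `infisical export` flags (`--domain`, `--env`, `--path`, `--format`) are my understanding of the Infisical CLI and are an assumption here; `import_dotenv`, `load_secrets`, `require_vars`, `deploy` and `ENV_FILE` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the repository's deploy.sh: prefer Infisical, fall back to
# .env only when no token is set, and refuse to deploy with missing secrets.
set -eu

# Secrets the VoxBlog stack expects (the list from section 2 of this guide).
REQUIRED_VARS="MYSQL_ROOT_PASSWORD MYSQL_PASSWORD ADMIN_PASSWORD OPENAI_API_KEY
GHOST_ADMIN_API_KEY GHOST_ADMIN_API_URL S3_BUCKET S3_REGION S3_ACCESS_KEY
S3_SECRET_KEY S3_ENDPOINT VITE_API_URL"

# Read KEY=value lines from stdin and export them into the current shell.
# Skips blank lines and '#' comments, drops an 'export ' prefix and one pair of
# surrounding quotes. No eval, so values are never re-parsed by the shell.
import_dotenv() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    line=${line#export }
    key=${line%%=*}
    val=${line#*=}
    case "$val" in
      \'*\') val=${val#\'}; val=${val%\'} ;;
      \"*\") val=${val#\"}; val=${val%\"} ;;
    esac
    export "$key=$val"
  done
}

# Load secrets: Infisical when INFISICAL_TOKEN is set, otherwise ENV_FILE (.env).
# The `infisical export` flags are an assumption about the Infisical CLI, which
# reads the token from INFISICAL_TOKEN. Output stays in memory (no temp file).
load_secrets() {
  if [ -n "${INFISICAL_TOKEN:-}" ]; then
    out=$(infisical export --domain "${INFISICAL_SITE_URL:?INFISICAL_SITE_URL is required}/api" \
            --env production --path / --format dotenv)
    import_dotenv <<EOF
$out
EOF
    echo "secrets loaded from Infisical" >&2
    return 0
  fi
  if [ -f "${ENV_FILE:-.env}" ]; then
    echo "warning: INFISICAL_TOKEN unset, falling back to ${ENV_FILE:-.env}" >&2
    import_dotenv < "${ENV_FILE:-.env}"
    return 0
  fi
  echo "error: INFISICAL_TOKEN unset and no ${ENV_FILE:-.env} file" >&2
  return 1
}

# Return 1 (before any container starts) if a required secret is unset or empty.
require_vars() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "error: missing secrets:$missing" >&2
    return 1
  fi
}

deploy() {
  load_secrets && require_vars && docker compose up -d
}

# Usage: INFISICAL_TOKEN=st.xxx INFISICAL_SITE_URL=https://secrets.pusula.blog sh deploy_example.sh --deploy
if [ "${1:-}" = "--deploy" ]; then
  deploy
fi
```

The fallback path prints a warning to stderr on purpose: if that warning ever shows up in a deployment log on the VPS, the token export from step 1 is missing and the run used whatever old `.env` was left on disk.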
## 5. Rotating Secrets
1. Update the value inside Infisical.
2. Re-run the deployment pipeline (or `deploy.sh`) so new containers launch with the rotated configuration.
3. Old values never touch disk—no extra clean-up is required.
## 6. Backups & Maintenance
- Back up the Postgres volume (`infisical-postgres-data`) using your usual VPS backup process.
- Protect the Infisical site with HTTPS and, ideally, IP allow-lists or SSO.
- Rotate the service token periodically; update the Gitea secret and any server-side exports at the same time.