Secrets VM (#21)

Setup Infiscal according to https://infisical.com/docs/self-hosting/deployment-options/docker-compose . Contributes to #16. Reviewed-on: #21
2024-01-04 11:22:21 +00:00
parent 89c5e1ea36
commit 82fee4eb19
9 changed files with 359 additions and 0 deletions
--- a/infra/secrets/infisical/.env
+++ b/infra/secrets/infisical/.env
@@ -0,0 +1,72 @@
+# Keys
+# Required key for platform encryption/decryption ops
+# THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+ENCRYPTION_KEY=ENCRYPTION_KEY_VALUE
+
+# JWT
+# Required secrets to sign JWT tokens
+# THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
+AUTH_SECRET=AUTH_SECRET_VALUE
+
+# MongoDB
+# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
+# to the MongoDB container instance or Mongo Cloud
+# Required
+MONGO_URL=mongodb://root:MONGO_PASSWORD_VALUE@mongo:27017/?authSource=admin
+
+# Redis
+REDIS_URL=redis://redis:6379
+
+# Optional credentials for MongoDB container instance and Mongo-Express
+MONGO_USERNAME=root
+MONGO_PASSWORD=MONGO_PASSWORD_VALUE
+
+# Website URL
+# Required
+SITE_URL=https://secrets.koval.net
+
+# Mail/SMTP 
+SMTP_HOST=mx.koval.net
+SMTP_PORT=465
+SMTP_SECURE=true
+SMTP_USERNAME=no-reply@koval.net
+SMTP_PASSWORD=SMTP_PASSWORD_VALUE
+SMTP_FROM_NAME=KovalHome Infisical
+
+# Integration
+# Optional only if integration is used
+CLIENT_ID_HEROKU=
+CLIENT_ID_VERCEL=
+CLIENT_ID_NETLIFY=
+CLIENT_ID_GITHUB=
+CLIENT_ID_GITLAB=
+CLIENT_ID_BITBUCKET=
+CLIENT_SECRET_HEROKU=
+CLIENT_SECRET_VERCEL=
+CLIENT_SECRET_NETLIFY=
+CLIENT_SECRET_GITHUB=
+CLIENT_SECRET_GITLAB=
+CLIENT_SECRET_BITBUCKET=
+CLIENT_SLUG_VERCEL=
+
+# Sentry (optional) for monitoring errors
+SENTRY_DSN=
+
+# Infisical Cloud-specific configs
+# Ignore - Not applicable for self-hosted version
+POSTHOG_HOST=
+POSTHOG_PROJECT_API_KEY=
+
+# SSO-specific variables
+CLIENT_ID_GOOGLE_LOGIN=
+CLIENT_SECRET_GOOGLE_LOGIN=
+
+CLIENT_ID_GITHUB_LOGIN=
+CLIENT_SECRET_GITHUB_LOGIN=
+
+CLIENT_ID_GITLAB_LOGIN=
+CLIENT_SECRET_GITLAB_LOGIN=
+
+# Other
+INVITE_ONLY_SIGNUP=true
+TELEMETRY_ENABLED=false
--- a/infra/secrets/infisical/.gitignore
+++ b/infra/secrets/infisical/.gitignore
@@ -0,0 +1 @@
+!.env
--- a/infra/secrets/infisical/docker-compose.yml
+++ b/infra/secrets/infisical/docker-compose.yml
@@ -0,0 +1,33 @@
+version: "3"
+
+services:
+  backend:
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    image: infisical/infisical:latest
+    env_file: .env
+    ports:
+      - 80:8080
+    environment:
+      - NODE_ENV=production
+
+  redis:
+    image: redis
+    env_file: .env
+    environment:
+      - ALLOW_EMPTY_PASSWORD=yes
+    ports:
+      - 6379:6379
+    volumes:
+      - /mnt/nvme/redis-data:/data
+
+  mongo:
+    image: mongo
+    restart: always
+    env_file: .env
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
+      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}
+    volumes:
+      - /mnt/nvme/mongo-data:/data/db