.github/workflows/infra.yaml

@@ -75,7 +75,6 @@ jobs:
           SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD }}
           INFISICAL_ENCRYPTION_KEY: ${{ secrets.INFISICAL_ENCRYPTION_KEY }}
           INFISICAL_AUTH_SECRET: ${{ secrets.INFISICAL_AUTH_SECRET }}
-          INFISICAL_MONGO_PASSWORD: ${{ secrets.INFISICAL_MONGO_PASSWORD }}
           INFISICAL_TOKEN: ${{ secrets.INFISICAL_TOKEN }}
           INFISICAL_URL: https://secrets.koval.net
         run: ansible-playbook --inventory ./inventory ${{ steps.playbooks.outputs.to_run }} -vv

infra/secrets/0000_proxmox_playbook.yaml

@@ -9,7 +9,7 @@
     api_token_secret: "{{ lookup('ansible.builtin.env', 'PROXMOX_TOKEN_SECRET') }}"
     ssh_public: "{{ lookup('ansible.builtin.env', 'SSH_PUBLIC') }}"
     vmname: "{{ inventory_hostname | regex_replace('^([^\\.]+)\\..+$', '\\1') }}"
-    node: pve
+    node: pve2
   module_defaults:
     community.general.proxmox_kvm:
       api_user: "{{ api_user }}"

infra/secrets/0003_infiscal_playbook.yaml

@@ -32,11 +32,6 @@
         path: "{{ user.home }}/{{ app }}/.env"
         regexp: "AUTH_SECRET_VALUE"
         replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_AUTH_SECRET') }}"
-    - name: Replace Mongo Password secret
-      ansible.builtin.replace:
-        path: "{{ user.home }}/{{ app }}/.env"
-        regexp: "MONGO_PASSWORD_VALUE"
-        replace: "{{ lookup('ansible.builtin.env', 'INFISICAL_MONGO_PASSWORD') }}"
     - name: Replace SMTP Password secret
       ansible.builtin.replace:
         path: "{{ user.home }}/{{ app }}/.env"

infra/secrets/infisical/.env

@@ -8,19 +8,17 @@ ENCRYPTION_KEY=ENCRYPTION_KEY_VALUE
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 AUTH_SECRET=AUTH_SECRET_VALUE
 
-# MongoDB
-# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
-# to the MongoDB container instance or Mongo Cloud
+# Postgres creds
+POSTGRES_PASSWORD=infisical
+POSTGRES_USER=infisical
+POSTGRES_DB=infisical
+
 # Required
-MONGO_URL=mongodb://root:MONGO_PASSWORD_VALUE@mongo:27017/?authSource=admin
+DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
 
 # Redis
 REDIS_URL=redis://redis:6379
 
-# Optional credentials for MongoDB container instance and Mongo-Express
-MONGO_USERNAME=root
-MONGO_PASSWORD=MONGO_PASSWORD_VALUE
-
 # Website URL
 # Required
 SITE_URL=https://secrets.koval.net

infra/secrets/infisical/docker-compose.yml

@@ -1,11 +1,28 @@
 version: "3"
 
 services:
+  db-migration:
+    depends_on:
+      db:
+        condition: service_healthy
+    image: infisical/infisical:latest-postgres
+    env_file: .env
+    command: npm run migration:latest
+    pull_policy: always
+    networks:
+      - infisical
+
   backend:
     restart: unless-stopped
     depends_on:
-      - mongo
-    image: infisical/infisical:latest
+      db:
+        condition: service_healthy
+      redis:
+        condition: service_started
+      db-migration:
+        condition: service_completed_successfully
+    image: infisical/infisical:latest-postgres
+    pull_policy: always
     env_file: .env
     ports:
       - 80:8080
@@ -20,14 +37,18 @@ services:
     ports:
       - 6379:6379
     volumes:
-      - /mnt/nvme/redis-data:/data
+      - /mnt/nvme/redis_data:/data
 
-  mongo:
-    image: mongo
+  db:
+    image: postgres:14-alpine
     restart: always
     env_file: .env
-    environment:
-      - MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
-      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}
     volumes:
-      - /mnt/nvme/mongo-data:/data/db
+      - /mnt/nvme/pg_data:/var/lib/postgresql/data
+    networks:
+      - infisical
+    healthcheck:
+      test: "pg_isready --username=${POSTGRES_USER} && psql --username=${POSTGRES_USER} --list"
+      interval: 5s
+      timeout: 10s
+      retries: 10