feat: inject Navidrome/slskd/Threadfin secrets from Infisical

Replace hardcoded env vars with Infisical entrypoint wrapper that fetches TOKEN_SECRET, THREADFIN_*, NAVIDROME_*, and SLSKD_* from the claude-ops/media secret path at container startup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-30 21:00:25 -07:00 · 2026-03-30 21:00:25 -07:00 · a54e003196
parent b9551d7597
commit a54e003196
1 changed files with 13 additions and 8 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -9,21 +9,22 @@ services:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - /opt/infisical/entrypoint-wrapper.sh:/infisical-entrypoint.sh:ro
    entrypoint: ["/infisical-entrypoint.sh"]
    command: ["node", "server.js"]
    environment:
      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
      - INFISICAL_PROJECT_SLUG=claude-ops
      - INFISICAL_SECRET_PATH=/media
      - INFISICAL_URL=http://infisical:8080
      - SMTP_HOST=${SMTP_HOST:-mail.rmail.online}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USER=${SMTP_USER}
      - SMTP_PASS=${SMTP_PASS}
      - ADMIN_EMAIL=${ADMIN_EMAIL:-jeff@jeffemmett.com}
      - TOKEN_SECRET=${TOKEN_SECRET}
      - THREADFIN_URL=https://threadfin.jefflix.lol
      - THREADFIN_USER=${THREADFIN_USER}
      - THREADFIN_PASS=${THREADFIN_PASS}
      - NAVIDROME_URL=${NAVIDROME_URL:-https://music.jefflix.lol}
      - NAVIDROME_USER=${NAVIDROME_USER}
      - NAVIDROME_PASS=${NAVIDROME_PASS}
      - SLSKD_URL=${SLSKD_URL:-https://slskd.jefflix.lol}
      - SLSKD_API_KEY=${SLSKD_API_KEY}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jefflix-website.rule=Host(`jefflix.lol`) || Host(`www.jefflix.lol`)"
@ -36,7 +37,11 @@ services:
      start_period: 15s
    networks:
      - traefik-public
      - infisical-internal
 networks:
  traefik-public:
    external: true
  infisical-internal:
    external: true
    name: infisical_infisical-internal