feat: inject Navidrome/slskd/Threadfin secrets from Infisical

Replace hardcoded env vars with Infisical entrypoint wrapper that
fetches TOKEN_SECRET, THREADFIN_*, NAVIDROME_*, and SLSKD_* from
the claude-ops/media secret path at container startup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -9,21 +9,22 @@ services:
       - ALL
     security_opt:
       - no-new-privileges:true
+    volumes:
+      - /opt/infisical/entrypoint-wrapper.sh:/infisical-entrypoint.sh:ro
+    entrypoint: ["/infisical-entrypoint.sh"]
+    command: ["node", "server.js"]
     environment:
+      - INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
+      - INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
+      - INFISICAL_PROJECT_SLUG=claude-ops
+      - INFISICAL_SECRET_PATH=/media
+      - INFISICAL_URL=http://infisical:8080
       - SMTP_HOST=${SMTP_HOST:-mail.rmail.online}
       - SMTP_PORT=${SMTP_PORT:-587}
       - SMTP_USER=${SMTP_USER}
       - SMTP_PASS=${SMTP_PASS}
       - ADMIN_EMAIL=${ADMIN_EMAIL:-jeff@jeffemmett.com}
-      - TOKEN_SECRET=${TOKEN_SECRET}
       - THREADFIN_URL=https://threadfin.jefflix.lol
-      - THREADFIN_USER=${THREADFIN_USER}
-      - THREADFIN_PASS=${THREADFIN_PASS}
-      - NAVIDROME_URL=${NAVIDROME_URL:-https://music.jefflix.lol}
-      - NAVIDROME_USER=${NAVIDROME_USER}
-      - NAVIDROME_PASS=${NAVIDROME_PASS}
-      - SLSKD_URL=${SLSKD_URL:-https://slskd.jefflix.lol}
-      - SLSKD_API_KEY=${SLSKD_API_KEY}
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.jefflix-website.rule=Host(`jefflix.lol`) || Host(`www.jefflix.lol`)"
@@ -36,7 +37,11 @@ services:
       start_period: 15s
     networks:
       - traefik-public
+      - infisical-internal
 
 networks:
   traefik-public:
     external: true
+  infisical-internal:
+    external: true
+    name: infisical_infisical-internal