jeffemmett
/
p2pwiki-ai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Wire Infisical secret injection for ANTHROPIC_API_KEY 

- Add Python entrypoint.sh to fetch secrets from Infisical
- Remove ANTHROPIC_API_KEY from compose env, add INFISICAL_* vars
- P2P Foundation stack (blog_static/) DB passwords deferred to separate task

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jeff Emmett 2026-02-24 09:32:37 -08:00
parent 3d745ceba6
commit 6e08b21978
3 changed files with 76 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@ -31,6 +31,10 @@ RUN pip install --no-cache-dir /wheels/*.whl && rm -rf /wheels
COPY src/ src/ COPY src/ src/
COPY web/ web/ COPY web/ web/
# Copy Infisical entrypoint
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
# Create data directories # Create data directories
RUN mkdir -p data/chroma data/review_queue RUN mkdir -p data/chroma data/review_queue
@ -46,4 +50,5 @@ HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD python -c "import httpx; httpx.get('http://localhost:8420/health')" || exit 1 CMD python -c "import httpx; httpx.get('http://localhost:8420/health')" || exit 1
# Run the application # Run the application
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "-m", "uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8420"] CMD ["python", "-m", "uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8420"]

6
docker-compose.yml
View File

@ -16,12 +16,14 @@ services:
# Ollama connection (adjust host for your setup) # Ollama connection (adjust host for your setup)
- OLLAMA_BASE_URL=${OLLAMA_BASE_URL:-http://host.docker.internal:11434} - OLLAMA_BASE_URL=${OLLAMA_BASE_URL:-http://host.docker.internal:11434}
- OLLAMA_MODEL=${OLLAMA_MODEL:-llama3.2} - OLLAMA_MODEL=${OLLAMA_MODEL:-llama3.2}
# Claude API (optional, for higher quality drafts)
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
- CLAUDE_MODEL=${CLAUDE_MODEL:-claude-sonnet-4-20250514} - CLAUDE_MODEL=${CLAUDE_MODEL:-claude-sonnet-4-20250514}
# Hybrid routing settings # Hybrid routing settings
- USE_CLAUDE_FOR_DRAFTS=${USE_CLAUDE_FOR_DRAFTS:-true} - USE_CLAUDE_FOR_DRAFTS=${USE_CLAUDE_FOR_DRAFTS:-true}
- USE_OLLAMA_FOR_CHAT=${USE_OLLAMA_FOR_CHAT:-true} - USE_OLLAMA_FOR_CHAT=${USE_OLLAMA_FOR_CHAT:-true}
# Infisical (fetches ANTHROPIC_API_KEY at startup)
- INFISICAL_CLIENT_ID=${INFISICAL_CLIENT_ID}
- INFISICAL_CLIENT_SECRET=${INFISICAL_CLIENT_SECRET}
- INFISICAL_PROJECT_SLUG=p2pwiki
labels: labels:
# Traefik labels for reverse proxy # Traefik labels for reverse proxy
- "traefik.enable=true" - "traefik.enable=true"

67
entrypoint.sh Executable file
View File

@ -0,0 +1,67 @@
#!/bin/sh
# Infisical secret injection entrypoint (Python)
# Fetches secrets from Infisical API and injects them as env vars before starting the app.
# Required env vars: INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET
# Optional: INFISICAL_PROJECT_SLUG, INFISICAL_ENV (default: prod),
# INFISICAL_URL (default: http://infisical:8080)
set -e
export INFISICAL_URL="${INFISICAL_URL:-http://infisical:8080}"
export INFISICAL_ENV="${INFISICAL_ENV:-prod}"
# IMPORTANT: Set INFISICAL_PROJECT_SLUG in your docker-compose.yml
export INFISICAL_PROJECT_SLUG="${INFISICAL_PROJECT_SLUG:?INFISICAL_PROJECT_SLUG must be set}"
if [ -z "$INFISICAL_CLIENT_ID" ] || [ -z "$INFISICAL_CLIENT_SECRET" ]; then
echo "[infisical] No credentials set, starting without secret injection"
exec "$@"
fi
echo "[infisical] Fetching secrets from ${INFISICAL_PROJECT_SLUG}/${INFISICAL_ENV}..."
EXPORTS=$(python3 -c "
import urllib.request, json, os, sys
base = os.environ['INFISICAL_URL']
slug = os.environ['INFISICAL_PROJECT_SLUG']
env = os.environ['INFISICAL_ENV']
try:
data = json.dumps({'clientId': os.environ['INFISICAL_CLIENT_ID'], 'clientSecret': os.environ['INFISICAL_CLIENT_SECRET']}).encode()
req = urllib.request.Request(f'{base}/api/v1/auth/universal-auth/login', data=data, headers={'Content-Type': 'application/json'})
auth = json.loads(urllib.request.urlopen(req).read())
token = auth.get('accessToken')
if not token:
print('[infisical] Auth failed', file=sys.stderr)
sys.exit(1)
req = urllib.request.Request(f'{base}/api/v3/secrets/raw?workspaceSlug={slug}&environment={env}&secretPath=/&recursive=true')
req.add_header('Authorization', f'Bearer {token}')
secrets = json.loads(urllib.request.urlopen(req).read())
if 'secrets' not in secrets:
print('[infisical] No secrets returned', file=sys.stderr)
sys.exit(1)
for s in secrets['secrets']:
key = s['secretKey']
val = s['secretValue'].replace(\"'\", \"'\\\\'\")
print(f\"export {key}='{val}'\")
except Exception as e:
print(f'[infisical] Error: {e}', file=sys.stderr)
sys.exit(1)
" 2>&1) || {
echo "[infisical] WARNING: Failed to fetch secrets, starting with existing env vars"
exec "$@"
}
if echo "$EXPORTS" | grep -q "^export "; then
COUNT=$(echo "$EXPORTS" | grep -c "^export ")
eval "$EXPORTS"
echo "[infisical] Injected ${COUNT} secrets"
else
echo "[infisical] WARNING: $EXPORTS"
echo "[infisical] Starting with existing env vars"
fi
exec "$@"