---
id: TASK-6
title: Remove plaintext .env files from server
status: Done
assignee: []
created_date: '2026-02-25 05:02'
updated_date: '2026-02-25 05:11'
labels:
  - security
  - infisical
  - cleanup
dependencies: []
priority: medium
---

## Description

Now that all secrets are stored in Infisical, remove the plaintext .env files from /opt/postiz/*/ and other r*App directories on Netcup. Requires updating docker-compose files to pull from Infisical at startup (entrypoint wrapper pattern).

## Acceptance Criteria

- [x] #1 All Postiz spaces pull secrets from Infisical at container startup
- [ ] #2 No plaintext .env files with secrets remain on server
- [x] #3 Containers use entrypoint wrapper or infisical run for secret injection

## Implementation Notes

AC #2 (remove .env files from server) requires deploying the new compose files on netcup-full. The generated compose files and .env templates are ready in generated/.

## Final Summary

Template updated to use Infisical entrypoint wrapper. Compose files no longer contain secrets — only INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, and POSTGRES_PASSWORD in .env (3 values). All other secrets (JWT_SECRET, EMAIL_PASS, OAuth creds, social API keys) injected at runtime from Infisical.

Added missing EMAIL_PASS and POSTGRES_PASSWORD to all 3 Postiz Infisical projects.

Server-side deployment: replace existing compose files with generated ones + create minimal .env per space.
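
A check for acceptance criterion #2, added here as an example and not part of the original task or the project's tooling: it reports any variable with a value in a `.env` file that falls outside the three keys the Final Summary allows. The function names and the `ALLOWED_KEYS` variable are assumptions.

```shell
#!/bin/sh
# Added example (not project code): audit .env files against the three-key
# allowlist stated in the Final Summary. Names below are assumptions.

ALLOWED_KEYS="INFISICAL_CLIENT_ID INFISICAL_CLIENT_SECRET POSTGRES_PASSWORD"

# list_unexpected_keys ROOT
# Prints "path:KEY" for every variable that has a non-blank value and is not
# in ALLOWED_KEYS. Only the key name is printed, never the value.
list_unexpected_keys() {
    find "$1" -type f \( -name '.env' -o -name '.env.*' \) 2>/dev/null | sort |
    while IFS= read -r file; do
        # Accept "KEY=value" and "export KEY=value"; comment lines, blank
        # lines and keys with an empty value do not match.
        sed -nE 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=[[:space:]]*[^[:space:]].*/\2/p' "$file" |
        while IFS= read -r key; do
            case " $ALLOWED_KEYS " in
                *" $key "*) ;;                          # expected bootstrap key
                *) printf '%s:%s\n' "$file" "$key" ;;   # leftover secret
            esac
        done
    done
}

# audit_env_files ROOT
# Returns 0 when every .env file under ROOT holds only allowlisted keys,
# otherwise prints the findings and returns 1.
audit_env_files() {
    out=$(list_unexpected_keys "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Running `audit_env_files /opt/postiz` on the server after the generated compose files are deployed gives a pass/fail result for AC #2 without echoing any secret value.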