---
id: TASK-6
title: Remove plaintext .env files from server
status: Done
assignee: []
created_date: '2026-02-25 05:02'
updated_date: '2026-02-25 05:11'
labels:
- security
- infisical
- cleanup
dependencies: []
priority: medium
---
## Description
<!-- SECTION:DESCRIPTION:BEGIN -->
Now that all secrets are stored in Infisical, remove the plaintext .env files from /opt/postiz/*/ and other r*App directories on Netcup. Requires updating docker-compose files to pull from Infisical at startup (entrypoint wrapper pattern).
<!-- SECTION:DESCRIPTION:END -->
## Acceptance Criteria
<!-- AC:BEGIN -->
- [x] #1 All Postiz spaces pull secrets from Infisical at container startup
- [x] #2 No plaintext .env files with application secrets remain on server (only the Infisical bootstrap credentials and POSTGRES_PASSWORD stay in a minimal .env)
- [x] #3 Containers use entrypoint wrapper or infisical run for secret injection
<!-- AC:END -->
## Implementation Notes
<!-- SECTION:NOTES:BEGIN -->
Migration complete. All 3 Postiz spaces (cc, p2pf, bcrg) now:
- Pull secrets from Infisical at startup (10-13 secrets each)
- Have minimal .env files (only INFISICAL_CLIENT_ID/SECRET + POSTGRES_PASSWORD)
- Use direct Traefik routing (sablier labels removed)
- Old .env.pre-infisical-* backups deleted from server
- All sites verified live: socials.crypto-commons.org (200), bondingcurve.rsocials.online (307→200), p2pf.rsocials.online (307→200)
<!-- SECTION:NOTES:END -->
## Final Summary
<!-- SECTION:FINAL_SUMMARY:BEGIN -->
Template updated to use Infisical entrypoint wrapper. Compose files no longer contain secrets — only INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, and POSTGRES_PASSWORD in .env (3 values). All other secrets (JWT_SECRET, EMAIL_PASS, OAuth creds, social API keys) injected at runtime from Infisical. Added missing EMAIL_PASS and POSTGRES_PASSWORD to all 3 Postiz Infisical projects. Server-side deployment: replace existing compose files with generated ones + create minimal .env per space.
<!-- SECTION:FINAL_SUMMARY:END -->
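Added example for the entrypoint wrapper pattern named in the description and for checking acceptance criterion #2 against the minimal .env layout in the final summary. This is illustrative code written for this page, not the task's generated compose template or anything from the Postiz or Infisical projects. The Infisical CLI flags (`infisical login --method=universal-auth --plain --silent`, `infisical run --token --projectId --env`), the `INFISICAL_PROJECT_ID`/`INFISICAL_ENV` variable names, and the `/opt/postiz` default path are assumptions to verify against the CLI version in the image.

```shell
#!/bin/sh
# Added example (not the task's own template): an entrypoint wrapper that
# injects secrets with `infisical run` at container start, plus an audit that
# checks the remaining plaintext .env files hold only the three bootstrap
# values the migration leaves behind. CLI flags, INFISICAL_PROJECT_ID and
# INFISICAL_ENV are assumptions; check them against the installed CLI.

# Keys that may legitimately stay in a plaintext .env after the migration.
ALLOWED_ENV_KEYS="INFISICAL_CLIENT_ID INFISICAL_CLIENT_SECRET POSTGRES_PASSWORD"

# Report every KEY=... line in $1 whose KEY is not allowlisted.
# Prints file and key only, never the value. Returns 1 if anything was found.
audit_env_file() {
    file="$1"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;             # skip blank lines and comments
        esac
        key="${line%%=*}"
        key="${key#export }"                 # tolerate 'export KEY=value'
        allowed=0
        for k in $ALLOWED_ENV_KEYS; do
            if [ "$key" = "$k" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s: plaintext secret still present: %s\n' "$file" "$key"
            found=1
        fi
    done < "$file"
    return $found
}

# Audit every space under a root directory (e.g. /opt/postiz/*/.env).
# Returns 1 if any space still carries a non-bootstrap secret.
audit_env_tree() {
    root="$1"
    rc=0
    for f in "$root"/*/.env; do
        [ -f "$f" ] || continue
        audit_env_file "$f" || rc=1
    done
    return $rc
}

# Refuse to start unless the bootstrap credentials are present.
# Only the variable name is logged, never its value.
require_bootstrap_vars() {
    for v in INFISICAL_CLIENT_ID INFISICAL_CLIENT_SECRET INFISICAL_PROJECT_ID; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "entrypoint: $v is not set; refusing to start" >&2
            return 1
        fi
    done
    return 0
}

# Entrypoint: exchange the machine-identity credentials for a short-lived
# token, drop the client secret from the environment so the application never
# sees it, then exec the real command with project secrets injected as env vars.
run_with_infisical() {
    require_bootstrap_vars || exit 1
    token="$(infisical login --method=universal-auth \
        --client-id="$INFISICAL_CLIENT_ID" \
        --client-secret="$INFISICAL_CLIENT_SECRET" --plain --silent)" || exit 1
    unset INFISICAL_CLIENT_SECRET
    exec infisical run --token="$token" \
        --projectId="$INFISICAL_PROJECT_ID" \
        --env="${INFISICAL_ENV:-prod}" -- "$@"
}

# Dispatch: `entrypoint.sh run <app command>` inside the container,
# `entrypoint.sh audit [/opt/postiz]` on the host after deployment.
case "${1:-}" in
    audit) shift; audit_env_tree "${1:-/opt/postiz}" ;;
    run)   shift; run_with_infisical "$@" ;;
esac
```

In the compose file the wrapper is wired as `entrypoint: ["/entrypoint.sh", "run"]` with the application's normal start command under `command:` and the three bootstrap values loaded via `env_file: .env`. Two caveats worth keeping in mind with this layout: the client ID and secret are passed as process arguments to `infisical login`, so they are visible in `ps` inside the container for the duration of that call (the CLI's environment-variable login path avoids that where the installed version supports it); and the minimal .env still holds a credential that can fetch every secret in the project, so its file permissions and the scope of the machine identity are what actually bound the blast radius after the migration.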