rsocials-online/backlog/tasks/task-6 - Remove-plaintext-....

id: TASK-6
title: Remove plaintext .env files from server
status: Done
assignee:
created_date: 2026-02-25 05:02
updated_date: 2026-02-25 05:11
labels: security, infisical, cleanup
dependencies:
priority: medium

Description

Now that all secrets are stored in Infisical, remove the plaintext .env files from /opt/postiz// and other rApp directories on Netcup. Requires updating docker-compose files to pull from Infisical at startup (entrypoint wrapper pattern).

Acceptance Criteria

  • #1 All Postiz spaces pull secrets from Infisical at container startup
  • #2 No plaintext .env files with secrets remain on server
  • #3 Containers use entrypoint wrapper or infisical run for secret injection

Implementation Notes

AC #2 (remove .env files from server) requires deploying the new compose files on netcup-full. The generated compose files and .env templates are ready in generated/.

Final Summary

Template updated to use Infisical entrypoint wrapper. Compose files no longer contain secrets — only INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, and POSTGRES_PASSWORD in .env (3 values). All other secrets (JWT_SECRET, EMAIL_PASS, OAuth creds, social API keys) injected at runtime from Infisical. Added missing EMAIL_PASS and POSTGRES_PASSWORD to all 3 Postiz Infisical projects. Server-side deployment: replace existing compose files with generated ones + create minimal .env per space.
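
One way to check AC #2 after deployment, as an added example that is not part of the repository: the script reports any key in a .env file other than the three named in the summary. The function names are hypothetical, and only key names are printed, never values.

```shell
#!/bin/sh
# Added example: audit .env files against the keys the task summary allows.
# The allowlist comes from the summary; all function names are hypothetical.
ALLOWED_KEYS="INFISICAL_CLIENT_ID INFISICAL_CLIENT_SECRET POSTGRES_PASSWORD"

# Print each variable name defined in an env file, one per line.
# Comments and blank lines are skipped; an "export " prefix is accepted.
env_keys() {
    sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1"
}

# Report keys that are not on the allowlist (names only, never values).
# Returns 0 when the file is clean, 1 when extra keys are present.
audit_env_file() {
    extra=""
    for key in $(env_keys "$1"); do
        case " $ALLOWED_KEYS " in
            *" $key "*) ;;
            *) extra="$extra $key" ;;
        esac
    done
    if [ -n "$extra" ]; then
        printf '%s:%s\n' "$1" "$extra"
        return 1
    fi
    return 0
}

# Audit every .env below a directory; returns 1 if any file has extra keys.
audit_tree() {
    status=0
    list=$(mktemp) || return 2
    find "$1" -type f -name '.env' > "$list"
    # Read paths line by line so directory names with spaces survive.
    while IFS= read -r f; do
        audit_env_file "$f" || status=1
    done < "$list"
    rm -f "$list"
    return $status
}
```

Source the file on the server and call `audit_tree /opt/postiz`; a non-zero return means at least one space still has secrets in its .env that should live in Infisical.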