| id | title | status | assignee | created_date | updated_date | labels | dependencies | priority |
|---|---|---|---|---|---|---|---|---|
| TASK-6 | Remove plaintext .env files from server | Done | | 2026-02-25 05:02 | 2026-02-25 05:11 | | | medium |
Description
Now that all secrets are stored in Infisical, remove the plaintext .env files from /opt/postiz// and other rApp directories on Netcup. Requires updating docker-compose files to pull from Infisical at startup (entrypoint wrapper pattern).
Acceptance Criteria
- #1 All Postiz spaces pull secrets from Infisical at container startup
- #2 No plaintext .env files with secrets remain on server
- #3 Containers use entrypoint wrapper or infisical run for secret injection
Implementation Notes
Migration complete. All 3 Postiz spaces (cc, p2pf, bcrg) now:
- Pull secrets from Infisical at startup (10-13 secrets each)
- Have minimal .env files (only INFISICAL_CLIENT_ID/SECRET + POSTGRES_PASSWORD)
- Use direct Traefik routing (sablier labels removed)
- Have had their old .env.pre-infisical-* backups deleted from the server
- Are verified live: socials.crypto-commons.org (200), bondingcurve.rsocials.online (307→200), p2pf.rsocials.online (307→200)
Final Summary
Template updated to use Infisical entrypoint wrapper. Compose files no longer contain secrets — only INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, and POSTGRES_PASSWORD in .env (3 values). All other secrets (JWT_SECRET, EMAIL_PASS, OAuth creds, social API keys) injected at runtime from Infisical. Added missing EMAIL_PASS and POSTGRES_PASSWORD to all 3 Postiz Infisical projects. Server-side deployment: replace existing compose files with generated ones + create minimal .env per space.
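A check for acceptance criterion #2 and the three-value .env described above, as an added example that is not part of the task record or the project's tooling: given a deployment root as its argument, it reports any .env key outside the three named in the summary, any other .env* file such as a leftover backup, and any world-readable .env. The function names and finding labels are assumptions made for this example, and the world-readable check goes beyond the acceptance criteria.

```shell
#!/bin/sh
# Added example: audit a deployment tree against the 3-key .env allowlist.
# Key names are printed, values never are. Paths containing newlines are not handled.

ALLOWED_KEYS="INFISICAL_CLIENT_ID INFISICAL_CLIENT_SECRET POSTGRES_PASSWORD"

# check_env_file FILE: print "EXTRA_KEY <file> <key>" for each key not on the allowlist.
check_env_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}      # trim leading whitespace
    case $line in ''|'#'*) continue ;; esac    # skip blank lines and comments
    line=${line#export }                       # tolerate "export KEY=value"
    case $line in *=*) ;; *) continue ;; esac  # not an assignment
    key=${line%%=*}
    key=${key%"${key##*[![:space:]]}"}         # trim trailing whitespace
    case " $ALLOWED_KEYS " in
      *" $key "*) ;;
      *) echo "EXTRA_KEY $1 $key" ;;
    esac
  done < "$1"
}

# audit_env_tree ROOT: print one finding per line; no output means the tree is clean.
audit_env_tree() {
  find "$1" -type f -name '.env*' | sort | while IFS= read -r f; do
    case ${f##*/} in
      .env) check_env_file "$f" ;;
      *)    echo "LEFTOVER $f" ;;   # e.g. .env.pre-infisical-* backups; review and delete
    esac
  done
  # The minimal .env still holds credentials, so flag world-readable copies.
  find "$1" -type f -name '.env' -perm -004 | sort | sed 's/^/WORLD_READABLE /'
}

# env_audit_ok ROOT: exit status 0 only when the tree has no findings.
env_audit_ok() {
  [ -z "$(audit_env_tree "$1")" ]
}
```

Run `audit_env_tree` against the directory that holds the per-space compose files; `env_audit_ok` gives a pass/fail status suitable for a cron job or deployment check.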