feat(service): add infisical

services/changedetection/docker-compose.yml

@@ -37,7 +37,7 @@ services:
       # Set HTTPS domain #
       - traefik.http.routers.changedetection-secure.rule=Host(`${DOMAIN}`)
       - traefik.http.routers.changedetection-secure.entrypoints=websecure
-      - traefik.http.routers.changedetection-secure.middlewares=basic-auth@file
+      - traefik.http.routers.changedetection-secure.middlewares=authelia@docker
 
   # changedetection-playwright:
   #   image: browserless/chrome

services/infisical/.env.template

@@ -0,0 +1,28 @@
+## Volume settings ##
+VOLUME_DIR=
+
+## Domain settings ##
+DOMAIN=
+
+## Database configuration ##
+MONGO_ROOT_USERNAME=
+MONGO_ROOT_PASSWORD=
+
+## Email settings ##
+SMTP_FROM_NAME=
+SMTP_FROM_ADDRESS=
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USERNAME=
+SMTP_PASSWORD=
+
+## App settings ##
+TELEMETRY_ENABLED=
+ENCRYPTION_KEY=
+JWT_SIGNUP_SECRET=
+JWT_REFRESH_SECRET=
+JWT_AUTH_SECRET=
+JWT_SERVICE_SECRET=
+
+## Timezone configuration ##
+TZ=

services/infisical/Makefile

@@ -0,0 +1,15 @@
+ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+SERVICE := infisical
+include $(ROOT_DIR)/../../core/common.mk
+include .env
+
+.ONESHELL:
+
+.PHONY: install
+install: ## Start all containers in background
+	@$(DOCKER_COMPOSE) up -d
+
+.PHONY: uninstall
+uninstall: ## Stop all containers and remove all data
+	@$(DOCKER_COMPOSE) down -v
+	@sudo rm -rf $(VOLUME_DIR)

services/infisical/docker-compose.yml

@@ -0,0 +1,91 @@
+version: "3.7"
+
+services:
+  ### Infisical: OPEN SOURCE and END-TO-END ENCRYPTED platform that lets you securely sync secrets and configs across your team, devices, and infrastructure. ###
+  infisical-nginx:
+    image: nginx
+    container_name: infisical-nginx
+    restart: always
+    depends_on:
+      - infisical-frontend
+      - infisical-backend
+    environment:
+      - TZ=${TZ}
+    volumes:
+      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      - default
+      - traefik-network
+    labels:
+      ## Watchtower configuration ##
+      - com.centurylinklabs.watchtower.enable=true
+      - com.centurylinklabs.watchtower.monitor-only=true
+
+      ## Diun configuration ##
+      - diun.enable=true
+
+      ## Traefik configuration ##
+      # Enable Traefik #
+      - traefik.enable=true
+      - traefik.docker.network=traefik-network
+
+      # Set entrypoint port #
+      - traefik.http.services.infisical.loadbalancer.server.port=80
+
+      # Set HTTP domain and HTTP -> HTTPS redirection #
+      - traefik.http.routers.infisical.rule=Host(`${DOMAIN}`)
+      - traefik.http.routers.infisical.entrypoints=web
+      - traefik.http.routers.infisical.middlewares=https-redirect@file
+
+      # Set HTTPS domain #
+      - traefik.http.routers.infisical-secure.rule=Host(`${DOMAIN}`)
+      - traefik.http.routers.infisical-secure.entrypoints=websecure
+
+  infisical-backend:
+    image: infisical/backend
+    container_name: infisical-backend
+    restart: unless-stopped
+    depends_on:
+      - infisical-mongodb
+    environment:
+      - NODE_ENV=production
+      - SITE_URL=https://${DOMAIN}
+      - MONGO_URL=mongodb://${MONGO_ROOT_USERNAME}:${MONGO_ROOT_PASSWORD}@infisical-mongodb:27017/?authSource=admin
+      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
+      - JWT_SIGNUP_SECRET=${JWT_SIGNUP_SECRET}
+      - JWT_REFRESH_SECRET=${JWT_REFRESH_SECRET}
+      - JWT_AUTH_SECRET=${JWT_AUTH_SECRET}
+      - JWT_SERVICE_SECRET=${JWT_SERVICE_SECRET}
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_SECURE=true
+      - SMTP_FROM_ADDRESS=${SMTP_FROM_ADDRESS}
+      - SMTP_FROM_NAME=${SMTP_FROM_NAME}
+
+  infisical-frontend:
+    image: infisical/frontend
+    container_name: infisical-frontend
+    restart: unless-stopped
+    depends_on:
+      - infisical-backend
+    environment:
+      - TELEMETRY_ENABLED=${TELEMETRY_ENABLED}
+
+  infisical-mongodb:
+    image: mongo:4.4
+    container_name: infisical-mongodb
+    restart: always
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME=${MONGO_ROOT_USERNAME}
+      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_ROOT_PASSWORD}
+    volumes:
+      - ${VOLUME_DIR}/infisical-db/mongodb:/data/db
+
+networks:
+  default:
+    name: infisical-network
+  traefik-network:
+    name: traefik-network
+    external: true

services/infisical/nginx/default.conf

@@ -0,0 +1,32 @@
+server {
+  listen 80;
+
+  location /api {
+    proxy_set_header X-Real-RIP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    proxy_set_header Host $http_host;
+    proxy_set_header X-NginX-Proxy true;
+
+    proxy_pass http://infisical-backend:4000;
+    proxy_redirect off;
+
+    proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+  }
+
+  location / {
+    include /etc/nginx/mime.types;
+
+    proxy_set_header X-Real-RIP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    proxy_set_header Host $http_host;
+    proxy_set_header X-NginX-Proxy true;
+
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+
+    proxy_pass http://infisical-frontend:3000;
+    proxy_redirect off;
+  }
+}