homelab/docker/stacks/infisical/docker-stack.yml

version: "3"

services:
  db-migration:
    container_name: infisical-db-migration
    image: infisical/infisical:latest-postgres
    environment:
      # Keys
      # Required key for platform encryption/decryption ops
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-abcdef01234567890}
      # JWT
      # Required secrets to sign JWT tokens
      - AUTH_SECRET=${AUTH_SECRET:-1234567890}
      # Required
      - DB_CONNECTION_URI=postgres://${POSTGRES_USER:-infisical}:${POSTGRES_PASSWORD:-password}@${POSTGRES_HOST:-db.home.mnke.org}:${POSTGRES_PORT:-5432}/${POSTGRES_DB:-infisical}
      - REDIS_URL=redis://redis:6379
      - SITE_URL=https://${INFISICAL_HOST:-infisical.stingray.mnke.org}
    command: npm run migration:latest
    networks:
      - infisical

  backend:
    container_name: infisical-backend
    restart: unless-stopped
    depends_on:
      - redis
      - db-migration
    image: infisical/infisical:latest-postgres
    environment:
      - NODE_ENV=production
      - PORT=8080
      # Keys
      # Required key for platform encryption/decryption ops
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-abcdef01234567890}
      # JWT
      # Required secrets to sign JWT tokens
      - AUTH_SECRET=${AUTH_SECRET:-1234567890}
      # Required
      - DB_CONNECTION_URI=postgres://${POSTGRES_USER:-infisical}:${POSTGRES_PASSWORD:-password}@${POSTGRES_HOST:-db.home.mnke.org}:${POSTGRES_PORT:-5432}/${POSTGRES_DB:-infisical}
      - REDIS_URL=redis://redis:6379
      - SITE_URL=https://${INFISICAL_HOST:-infisical.stingray.mnke.org}
    networks:
      - infisical
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.infisical.rule=Host(`${INFISICAL_HOST:-infisical.stingray.mnke.org}`)"
        - "traefik.http.routers.infisical.entrypoints=websecure"
        - "traefik.http.routers.infisical.tls.certresolver=letsencrypt"
        - "traefik.http.services.infisical.loadbalancer.server.port=8080"
        - "traefik.swarm.network=traefik"

  redis:
    image: redis
    container_name: infisical-dev-redis
    restart: always
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    networks:
      - infisical
    volumes:
      - ${REDIS_DATA_DIRECTORY:-/mnt/gfs/infisical/redis/data}:/data

networks:
  infisical:
  traefik:
    external: true