homelab/docker/stacks/infisical/docker-stack.yml

---
version: "3"

services:
  db-migration:
    container_name: infisical-db-migration
    image: infisical/infisical:v0.108.1-postgres
    environment:
      # Keys
      # Required key for platform encryption/decryption ops
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-abcdef01234567890}
      # JWT
      # Required secrets to sign JWT tokens
      - AUTH_SECRET=${AUTH_SECRET:-1234567890}
      # Required
      - DB_CONNECTION_URI=postgres://${POSTGRES_USER:-infisical}:${POSTGRES_PASSWORD:-password}@${POSTGRES_HOST:-db.home.mnke.org}:${POSTGRES_PORT:-5432}/${POSTGRES_DB:-infisical}
      - REDIS_URL=redis://redis:6379
      - SITE_URL=https://${INFISICAL_HOST:-infisical.stingray.mnke.org}
    command: npm run migration:latest
    networks:
      - infisical
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role != manager]
      restart_policy:
        condition: none

  backend:
    container_name: infisical-backend
    restart: unless-stopped
    depends_on:
      - redis
      - db-migration
    image: infisical/infisical:v0.108.1-postgres
    environment:
      - NODE_ENV=production
      - PORT=8080
      # Keys
      # Required key for platform encryption/decryption ops
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-abcdef01234567890}
      # JWT
      # Required secrets to sign JWT tokens
      - AUTH_SECRET=${AUTH_SECRET:-1234567890}
      # Required
      - DB_CONNECTION_URI=postgres://${POSTGRES_USER:-infisical}:${POSTGRES_PASSWORD:-password}@${POSTGRES_HOST:-db.home.mnke.org}:${POSTGRES_PORT:-5432}/${POSTGRES_DB:-infisical}
      - REDIS_URL=redis://redis:6379
      - SITE_URL=https://${INFISICAL_HOST:-infisical.stingray.mnke.org}
    networks:
      - infisical
      - traefik
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.infisical.rule=Host(`${INFISICAL_HOST:-infisical.stingray.mnke.org}`)"
        - "traefik.http.routers.infisical.entrypoints=websecure"
        - "traefik.http.routers.infisical.tls.certresolver=letsencrypt"
        - "traefik.http.services.infisical.loadbalancer.server.port=8080"
        - "traefik.swarm.network=traefik"
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role != manager]
      resources:
        limits:
          cpus: '0.50'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 128M

  redis:
    image: redis:7.4.2-alpine
    container_name: infisical-dev-redis
    restart: always
    environment:
      - ALLOW_EMPTY_PASSWORD=yes
    networks:
      - infisical
    volumes:
      - redis_data:/data
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role != manager]
      resources:
        limits:
          cpus: '0.25'
          memory: 128M
        reservations:
          cpus: '0.1'
          memory: 32M

networks:
  infisical:
    name: infisical
  traefik:
    external: true

volumes:
  redis_data:
    driver: local
    driver_opts:
      o: bind
      type: none
      device: ${REDIS_DATA_DIRECTORY:-/mnt/stingray/infisical/redis/data}