docker compose docs with postgres

Patch identity access token + client secret TTL

.env.example

@@ -3,16 +3,18 @@
 # THIS IS A SAMPLE ENCRYPTION KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
 
+# Required
+DB_CONNECTION_URI=postgres://infisical:infisical@db:5432/infisical
+
 # JWT
 # Required secrets to sign JWT tokens
 # THIS IS A SAMPLE AUTH_SECRET KEY AND SHOULD NEVER BE USED FOR PRODUCTION
 AUTH_SECRET=5lrMXKKWCVocS/uerPsl7V+TX/aaUaI7iDkgl3tSmLE=
 
-# MongoDB
-# Backend will connect to the MongoDB instance at connection string MONGO_URL which can either be a ref
-# to the MongoDB container instance or Mongo Cloud
-# Required
-MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin
+# Postgres creds
+POSTGRES_PASSWORD=infisical
+POSTGRES_USER=infisical
+POSTGRES_DB=infisical
 
 # Redis
 REDIS_URL=redis://redis:6379

.github/workflows/check-api-for-breaking-changes.yml

@@ -28,7 +28,7 @@ jobs:
         run: docker build --tag infisical-api .
         working-directory: backend
       - name: Start postgres and redis
-        run: touch .env && docker-compose -f docker-compose.pg.yml up -d db redis
+        run: touch .env && docker-compose -f docker-compose.prod.yml up -d db redis
       - name: Start the server
         run: |
             echo "SECRET_SCANNING_GIT_APP_ID=793712" >> .env
@@ -42,8 +42,28 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version: '1.21.5'
-      - name: Wait for containers to be stable
-        run: timeout 60s sh -c 'until docker ps | grep infisical-api | grep -q healthy; do echo "Waiting for container to be healthy..."; sleep 2; done'
+      - name: Wait for container to be stable and check logs
+        run: |
+          SECONDS=0
+          HEALTHY=0
+          while [ $SECONDS -lt 60 ]; do
+            if docker ps | grep infisical-api | grep -q healthy; then
+              echo "Container is healthy."
+              HEALTHY=1
+              break
+            fi
+            echo "Waiting for container to be healthy... ($SECONDS seconds elapsed)"
+
+            docker logs infisical-api
+
+            sleep 2
+            SECONDS=$((SECONDS+2))
+          done
+      
+          if [ $HEALTHY -ne 1 ]; then
+            echo "Container did not become healthy in time"
+            exit 1
+          fi
       - name: Install openapi-diff
         run: go install github.com/tufin/oasdiff@latest
       - name: Running OpenAPI Spec diff action

Makefile

@@ -5,16 +5,10 @@ push:
 	docker-compose -f docker-compose.yml push
 
 up-dev:
-	docker-compose -f docker-compose.dev.yml up --build
-
-up-pg-dev:
-	docker compose -f docker-compose.pg.yml up --build
-
-i-dev:
-	infisical run -- docker-compose -f docker-compose.dev.yml up --build
+	docker compose -f docker-compose.dev.yml up --build
 
 up-prod:
-	docker-compose -f docker-compose.yml up --build
+	docker-compose -f docker-compose.prod.yml up --build
 
 down:
 	docker-compose down

README.md

@@ -84,13 +84,13 @@ To set up and run Infisical locally, make sure you have Git and Docker installed
 Linux/macOS:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.yml up
+git clone https://github.com/Infisical/infisical && cd "$(basename $_ .git)" && cp .env.example .env && docker-compose -f docker-compose.prod.yml up
 ```
 
 Windows Command Prompt:
 
 ```console
-git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.yml up
+git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker-compose -f docker-compose.prod.yml up
 ```
 
 Create an account at `http://localhost:80`

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -35,12 +35,12 @@ export const identityAccessTokenServiceFactory = ({
     }
 
     // ttl check
-    if (accessTokenTTL > 0) {
+    if (Number(accessTokenTTL) > 0) {
       const currentDate = new Date();
       if (accessTokenLastRenewedAt) {
         // access token has been renewed
         const accessTokenRenewed = new Date(accessTokenLastRenewedAt);
-        const ttlInMilliseconds = accessTokenTTL * 1000;
+        const ttlInMilliseconds = Number(accessTokenTTL) * 1000;
         const expirationDate = new Date(accessTokenRenewed.getTime() + ttlInMilliseconds);
 
         if (currentDate > expirationDate)
@@ -50,7 +50,7 @@ export const identityAccessTokenServiceFactory = ({
       } else {
         // access token has never been renewed
         const accessTokenCreated = new Date(accessTokenCreatedAt);
-        const ttlInMilliseconds = accessTokenTTL * 1000;
+        const ttlInMilliseconds = Number(accessTokenTTL) * 1000;
         const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
 
         if (currentDate > expirationDate)
@@ -61,9 +61,9 @@ export const identityAccessTokenServiceFactory = ({
     }
 
     // max ttl checks
-    if (accessTokenMaxTTL > 0) {
+    if (Number(accessTokenMaxTTL) > 0) {
       const accessTokenCreated = new Date(accessTokenCreatedAt);
-      const ttlInMilliseconds = accessTokenMaxTTL * 1000;
+      const ttlInMilliseconds = Number(accessTokenMaxTTL) * 1000;
       const currentDate = new Date();
       const expirationDate = new Date(accessTokenCreated.getTime() + ttlInMilliseconds);
 
@@ -72,7 +72,7 @@ export const identityAccessTokenServiceFactory = ({
           message: "Failed to renew MI access token due to Max TTL expiration"
         });
 
-      const extendToDate = new Date(currentDate.getTime() + accessTokenTTL);
+      const extendToDate = new Date(currentDate.getTime() + Number(accessTokenTTL));
       if (extendToDate > expirationDate)
         throw new UnauthorizedError({
           message: "Failed to renew MI access token past its Max TTL expiration"

backend/src/services/identity-ua/identity-ua-service.ts

@@ -69,9 +69,9 @@ export const identityUaServiceFactory = ({
     if (!validClientSecretInfo) throw new UnauthorizedError();
 
     const { clientSecretTTL, clientSecretNumUses, clientSecretNumUsesLimit } = validClientSecretInfo;
-    if (clientSecretTTL > 0) {
+    if (Number(clientSecretTTL) > 0) {
       const clientSecretCreated = new Date(validClientSecretInfo.createdAt);
-      const ttlInMilliseconds = clientSecretTTL * 1000;
+      const ttlInMilliseconds = Number(clientSecretTTL) * 1000;
       const currentDate = new Date();
       const expirationTime = new Date(clientSecretCreated.getTime() + ttlInMilliseconds);
 
@@ -124,7 +124,10 @@ export const identityUaServiceFactory = ({
       } as TIdentityAccessTokenJwtPayload,
       appCfg.AUTH_SECRET,
       {
-        expiresIn: identityAccessToken.accessTokenMaxTTL === 0 ? undefined : identityAccessToken.accessTokenMaxTTL
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
       }
     );
 

docker-compose.dev.yml

@@ -1,4 +1,4 @@
-version: '3'
+version: "3.9"
 
 services:
   nginx:
@@ -10,36 +10,84 @@ services:
     volumes:
       - ./nginx/default.dev.conf:/etc/nginx/conf.d/default.conf:ro
     depends_on:
-      - frontend
       - backend
-    networks:
-      - infisical-dev
+      - frontend
 
-  backend:
-    container_name: infisical-dev-backend
-    restart: unless-stopped
+  db:
+    image: postgres:14-alpine
+    ports:
+      - "5432:5432"
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: infisical
+      POSTGRES_USER: infisical
+      POSTGRES_DB: infisical
+
+  redis:
+    image: redis
+    container_name: infisical-dev-redis
+    environment:
+      - ALLOW_EMPTY_PASSWORD=yes
+    ports:
+      - 6379:6379
+    volumes:
+      - redis_data:/data
+
+  redis-commander:
+    container_name: infisical-dev-redis-commander
+    image: rediscommander/redis-commander
+    restart: always
     depends_on:
-      - mongo
-      - smtp-server
       - redis
+    environment:
+      - REDIS_HOSTS=local:redis:6379
+    ports:
+      - "8085:8081"
+
+  db-test:
+    profiles: ["test"]
+    image: postgres:14-alpine
+    ports:
+      - "5430:5432"
+    environment:
+      POSTGRES_PASSWORD: infisical
+      POSTGRES_USER: infisical
+      POSTGRES_DB: infisical-test
+
+  db-migration:
+    container_name: infisical-db-migration
+    depends_on:
+      - db
     build:
       context: ./backend
-      dockerfile: Dockerfile
-    volumes:
-      - ./backend/src:/app/src
-      - ./backend/nodemon.json:/app/nodemon.json
-      - /app/node_modules
-      - ./backend/api-documentation.json:/app/api-documentation.json
-      - ./backend/swagger.ts:/app/swagger.ts
-    command: npm run dev
+      dockerfile: Dockerfile.dev
     env_file: .env
+    environment:
+      - DB_CONNECTION_URI=postgres://infisical:infisical@db/infisical?sslmode=disable
+    command: npm run migration:latest
+
+  backend:
+    container_name: infisical-dev-api
+    build:
+      context: ./backend
+      dockerfile: Dockerfile.dev
+    depends_on:
+      db:
+        condition: service_started
+      redis:
+        condition: service_started
+      db-migration:
+        condition: service_completed_successfully
+    env_file:
+      - .env
+    ports:
+      - 4000:4000
     environment:
       - NODE_ENV=development
-      - MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin
-    networks:
-      - infisical-dev
-    extra_hosts:
-      - "host.docker.internal:host-gateway"
+      - DB_CONNECTION_URI=postgres://infisical:infisical@db/infisical?sslmode=disable
+    volumes:
+      - ./backend/src:/app/src
 
   frontend:
     container_name: infisical-dev-frontend
@@ -55,81 +103,31 @@ services:
     env_file: .env
     environment:
       - NEXT_PUBLIC_ENV=development
-      - INFISICAL_TELEMETRY_ENABLED=${TELEMETRY_ENABLED}
-    networks:
-      - infisical-dev
+      - INFISICAL_TELEMETRY_ENABLED=false
 
-  mongo:
-    image: mongo
-    container_name: infisical-dev-mongo
+  pgadmin:
+    image: dpage/pgadmin4
     restart: always
-    env_file: .env
     environment:
-      - MONGO_INITDB_ROOT_USERNAME=root
-      - MONGO_INITDB_ROOT_PASSWORD=example
-    volumes:
-      - mongo-data:/data/db
-    networks:
-      - infisical-dev
-
-  mongo-express:
-    container_name: infisical-dev-mongo-express
-    image: mongo-express
-    restart: always
-    depends_on:
-      - mongo
-    env_file: .env
-    environment:
-      - ME_CONFIG_MONGODB_ADMINUSERNAME=root
-      - ME_CONFIG_MONGODB_ADMINPASSWORD=example
-      - ME_CONFIG_MONGODB_URL=mongodb://root:example@mongo:27017/
+      PGADMIN_DEFAULT_EMAIL: admin@example.com
+      PGADMIN_DEFAULT_PASSWORD: pass
     ports:
-      - 8081:8081
-    networks:
-      - infisical-dev
+      - 5050:80
+    depends_on:
+      - db
 
   smtp-server:
     container_name: infisical-dev-smtp-server
     image: lytrax/mailhog:latest # https://github.com/mailhog/MailHog/issues/353#issuecomment-821137362
     restart: always
     logging:
-      driver: 'none' # disable saving logs
+      driver: "none" # disable saving logs
     ports:
       - 1025:1025 # SMTP server
       - 8025:8025 # Web UI
-    networks:
-      - infisical-dev
-
-  redis:
-    image: redis
-    container_name: infisical-dev-redis
-    environment:
-      - ALLOW_EMPTY_PASSWORD=yes
-    ports:
-      - 6379:6379
-    volumes:
-        - redis_data:/data
-    networks:
-      - infisical-dev
-
-  redis-commander:
-    container_name: infisical-dev-redis-commander
-    image: rediscommander/redis-commander
-    restart: always
-    depends_on:
-      - redis
-    environment:
-      - REDIS_HOSTS=local:redis:6379
-    ports:
-      - "8085:8081"
-    networks:
-      - infisical-dev
 
 volumes:
-  mongo-data:
+  postgres-data:
     driver: local
   redis_data:
     driver: local
-
-networks:
-  infisical-dev:

docker-compose.pg.yml

@@ -1,146 +0,0 @@
-version: "3.9"
-
-services:
-  nginx:
-    container_name: infisical-dev-nginx
-    image: nginx
-    restart: always
-    ports:
-      - 8080:80
-    volumes:
-      - ./nginx/default.dev.conf:/etc/nginx/conf.d/default.conf:ro
-    depends_on:
-      - backend
-      - frontend
-
-  db:
-    image: postgres:14-alpine
-    ports:
-      - "5432:5432"
-    volumes:
-      - postgres-data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_PASSWORD: infisical
-      POSTGRES_USER: infisical
-      POSTGRES_DB: infisical
-
-  redis:
-    image: redis
-    container_name: infisical-dev-redis
-    environment:
-      - ALLOW_EMPTY_PASSWORD=yes
-    ports:
-      - 6379:6379
-    volumes:
-      - redis_data:/data
-
-  redis-commander:
-    container_name: infisical-dev-redis-commander
-    image: rediscommander/redis-commander
-    restart: always
-    depends_on:
-      - redis
-    environment:
-      - REDIS_HOSTS=local:redis:6379
-    ports:
-      - "8085:8081"
-
-  db-test:
-    profiles: ["test"]
-    image: postgres:14-alpine
-    ports:
-      - "5430:5432"
-    environment:
-      POSTGRES_PASSWORD: infisical
-      POSTGRES_USER: infisical
-      POSTGRES_DB: infisical-test
-
-  backend:
-    container_name: infisical-dev-api
-    build:
-      context: ./backend
-      dockerfile: Dockerfile.dev
-    depends_on:
-      - db
-      - redis
-    env_file:
-      - .env
-    ports:
-      - 4000:4000
-    environment:
-      - NODE_ENV=development
-      - DB_CONNECTION_URI=postgres://infisical:infisical@db/infisical?sslmode=disable
-    volumes:
-      - ./backend/src:/app/src
-
-  frontend:
-    container_name: infisical-dev-frontend
-    restart: unless-stopped
-    depends_on:
-      - backend
-    build:
-      context: ./frontend
-      dockerfile: Dockerfile.dev
-    volumes:
-      - ./frontend/src:/app/src/ # mounted whole src to avoid missing reload on new files
-      - ./frontend/public:/app/public
-    env_file: .env
-    environment:
-      - NEXT_PUBLIC_ENV=development
-      - INFISICAL_TELEMETRY_ENABLED=false
-
-  pgadmin:
-    image: dpage/pgadmin4
-    restart: always
-    environment:
-      PGADMIN_DEFAULT_EMAIL: admin@example.com
-      PGADMIN_DEFAULT_PASSWORD: pass
-    ports:
-      - 5050:80
-    depends_on:
-      - db
-
-  smtp-server:
-    container_name: infisical-dev-smtp-server
-    image: lytrax/mailhog:latest # https://github.com/mailhog/MailHog/issues/353#issuecomment-821137362
-    restart: always
-    logging:
-      driver: "none" # disable saving logs
-    ports:
-      - 1025:1025 # SMTP server
-      - 8025:8025 # Web UI
-
-  # mongo:
-  #   image: mongo
-  #   container_name: infisical-dev-mongo
-  #   restart: always
-  #   env_file: .env
-  #   environment:
-  #     - MONGO_INITDB_ROOT_USERNAME=root
-  #     - MONGO_INITDB_ROOT_PASSWORD=example
-  #   volumes:
-  #     - mongo-data:/data/db
-  #   ports:
-  #     - 27017:27017
-  #
-  # mongo-express:
-  #   container_name: infisical-dev-mongo-express
-  #   image: mongo-express
-  #   restart: always
-  #   depends_on:
-  #     - mongo
-  #   env_file: .env
-  #   environment:
-  #     - ME_CONFIG_MONGODB_ADMINUSERNAME=root
-  #     - ME_CONFIG_MONGODB_ADMINPASSWORD=example
-  #     - ME_CONFIG_MONGODB_URL=mongodb://root:example@mongo:27017/
-  #   ports:
-  #     - 8081:8081
-
-volumes:
-  postgres-data:
-    driver: local
-  redis_data:
-    driver: local
-  mongo-data:
-    driver: local

docker-compose.prod.yml

@@ -1,12 +1,27 @@
 version: "3"
 
 services:
+  db-migration:
+    container_name: infisical-db-migration
+    depends_on:
+      - db
+    image: infisical/infisical:latest-postgres
+    env_file: .env
+    command: npm run migration:latest
+    networks:
+      - infisical
+
   backend:
     container_name: infisical-backend
     restart: unless-stopped
     depends_on:
-      - mongo
-    image: infisical/infisical:latest
+      db:
+        condition: service_started
+      redis:
+        condition: service_started
+      db-migration:
+        condition: service_completed_successfully
+    image: infisical/infisical:latest-postgres
     env_file: .env
     ports:
       - 80:8080
@@ -28,21 +43,18 @@ services:
     volumes:
       - redis_data:/data
 
-  mongo:
-    container_name: infisical-mongo
-    image: mongo
+  db:
+    container_name: infisical-db
+    image: postgres:14-alpine
     restart: always
     env_file: .env
-    environment:
-      - MONGO_INITDB_ROOT_USERNAME=${MONGO_USERNAME}
-      - MONGO_INITDB_ROOT_PASSWORD=${MONGO_PASSWORD}
     volumes:
-      - mongo-data:/data/db
+      - pg_data:/data/db
     networks:
       - infisical
 
 volumes:
-  mongo-data:
+  pg_data:
     driver: local
   redis_data:
     driver: local

docs/self-hosting/configuration/envars.mdx

@@ -18,8 +18,8 @@ Other environment variables are listed below to increase the functionality of yo
       Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32`
     </ParamField>
 
-    <ParamField query="MONGO_URL" type="string" default="none" required>
-      Mongo connection string. *TLS based connection string is not yet supported
+    <ParamField query="DB_CONNECTION_URI" type="string" default="none" required>
+      Postgres database connection string.
     </ParamField>
 
     <ParamField query="REDIS_URL" type="string" default="none" required>

docs/self-hosting/deployment-options/docker-compose.mdx

@@ -2,53 +2,79 @@
 title: "Docker Compose"
 description: "Run Infisical with Docker Compose template"
 ---
+Install Infisical using Docker compose. This self hosting method contains all of the required components needed 
+to run a functional instance of Infisical.
 
-<Steps>
-  <Step title="Install Docker on your VM">
-    ```bash
-    # Example in ubuntu
-    apt-get update
-    apt-get upgrade
-    apt install docker-compose
-    ```
-  </Step>
-  <Step title="Download required files">
-    2.1. Run the command below to download the `.env` file template.
-    
-    ```bash
-    wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
-    ```
-    
-    2.2. Run the command below to download the docker compose template.
-    
-    ```bash
-    wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml
-    ```
-    
-    2.3. Run the command below to download the `nginx` config file.
-    
-    ```bash
-    mkdir nginx && wget -O ./nginx/default.conf https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.dev.conf
-    ```
-  
-  </Step>
-  <Step title="Update the .env file">
-    Running Infisical requires a few environment variables to be set.
-    At minimum, Infisical requires that you set the variables `ENCRYPTION_KEY`, `AUTH_SECRET`, `MONGO_URL`, and `REDIS_URL` which you can read more about [here](/self-hosting/configuration/envars).
+## Prerequisites
+- [Docker](https://docs.docker.com/engine/install/)
+- [Docker compose](https://docs.docker.com/compose/install/)
 
-    Tweak the `.env` accordingly.
+<Warning>
+This Docker Compose configuration is not designed for high-availability production scenarios. 
+It includes just the essential components needed to set up an Infisical proof of concept (POC). 
+Additional configuration is required to enhance data redundancy and ensure higher availability for production environments.
+</Warning>
 
-    ```bash
-    nano .env
-    ```
-  </Step>
-  <Step title="Start Infisical">
-    Finally, run the command below to get Infisical up and running (in detached mode).
+## Verify prerequisites
+    To verify that Docker compose and Docker are installed on the machine where you plan to install Infisical, run the following commands.
 
+    Check for docker installation
     ```bash
-    docker-compose -f docker-compose.yml up -d
+    docker
     ```
 
-    Your Infisical installation is complete and should be running on port `80` or `http://localhost:80`.
-  </Step>
-</Steps>
+    Check for docker compose installation
+    ```bash
+    docker-compose 
+    ```
+
+## Download docker compose file
+You can obtain the Infisical docker compose file by using a command-line downloader such as `wget` or `curl`.
+If your system doesn't have either of these, you can use a equivalent command that works with your machine.
+
+<Tabs>
+  <Tab title="curl">
+    ```bash
+    curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+    ```
+  </Tab>
+  <Tab title="wget">
+    ```bash 
+    wget -O docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+    ```
+  </Tab>
+</Tabs>
+
+## Configure instance credentials
+Infisical requires a set of credentials used for connecting to dependent services such as Postgres, Redis, etc.
+The default credentials can be downloaded using the one of the commands listed below. 
+
+<Tabs>
+  <Tab title="curl">
+    ```bash
+      curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+    ```
+  </Tab>
+  <Tab title="wget">
+    ```bash 
+      wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+    ```
+  </Tab>
+</Tabs>
+
+Once downloaded, the credentials file will be saved to your working directly as `.env` file.
+View all available configurations [here](/self-hosting/configuration/envars).
+
+<Warning>
+  The default .env file contains credentials that are intended solely for testing purposes.
+  For production use, please generate a new `ENCRYPTION_KEY` and `AUTH_SECRET`. Instructions to do so, can be found [here](/self-hosting/configuration/envars)
+</Warning>
+
+## Start Infisical
+Run the command below to start Infisical and all related services. 
+
+```bash
+docker-compose -f docker-compose.prod.yml up
+```
+
+Your Infisical instance should now be running on port `80`. To access your instance, visit `http://localhost:80`.