Self-Hosting Infisical with Standalone Infisical

Deploying Infisical in a standalone environment is a great way to get started with Infisical without having to use containers. This guide will walk you through the process of deploying Infisical in a standalone environment. This is one of the easiest ways to deploy Infisical. It is a single executable, currently only supported on Debian-based systems. The standalone deployment implements the “bring your own database” (BYOD) approach. This means that you will need to provide your own databases (specifically Postgres and Redis) for the Infisical services to use. The standalone deployment does not include any databases. If you wish to streamline the deployment process, we recommend using the Ansible role for Infisical. The Ansible role automates the end to end deployment process, and will take care of everything like databases, redis deployment, web serving, and availability.

Prerequisites

  • A server running a Debian-based operating system (e.g., Ubuntu, Debian)
  • A Postgres database
  • A Redis database

Installing Infisical

Installing Infisical is as simple as running a single command. You can install Infisical by running the following command: 
  $ curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-core/cfg/setup/bash.deb.sh' | sudo bash && sudo apt-get install -y infisical-core

Running Infisical

Running Infisical and serving it to the web has a few steps. Below are the steps to get you started with running Infisical in a standalone environment.
  • Setup environment variables
  • Running Postgres migrations
  • Create system daemon
  • Exposing Infisical to the internet
1

Setup environment variables

To use Infisical you’ll need to configure the environment variables beforehand. You can acheive this by creating an environment file to be used by Infisical.

Create environment file

  $ mkdir -p /etc/infisical && touch /etc/infisical/environment
After creating the environment file, you’ll need to fill it out with your environment variables.

Edit environment file

  $ nano /etc/infisical/environment

  DB_CONNECTION_URI=postgres://user:password@localhost:5432/infisical # Replace with your Postgres database connection URI
  REDIS_URL=redis://localhost:6379 # Replace with your Redis connection URI
  ENCRYPTION_KEY=your_encryption_key # Replace with your encryption key (can be generated with: openssl rand -hex 16)
  AUTH_SECRET=your_auth_secret # Replace with your auth secret (can be generated with: openssl rand -base64 32)
The minimum required environment variables are DB_CONNECTION_URI, REDIS_URL, ENCRYPTION_KEY, and AUTH_SECRET. We recommend You take a look at our list of all available environment variables, and configure the ones you need.
2

Running Postgres migrations

Assuming you’re starting with a fresh Postgres database, you’ll need to run the Postgres migrations to syncronize the database schema. The migration command will use the environment variables you configured in the previous step.
  $ eval $(cat /etc/infisical/environment) infisical-core migration:latest
This step will need to be repeated if you update Infisical in the future.
3

Create service file

  $ nano /etc/systemd/system/infisical.service
4

Create Infisical service

Create a systemd service file for Infisical. Creating a systemd service file will allow Infisical to start automatically when the system boots or in case of a crash.
  $ nano /etc/systemd/system/infisical.service

  [Unit]
  Description=Infisical Service
  After=network.target

  [Service]
  # The path to the environment file we created in the previous step
  EnvironmentFile=/etc/infisical/environment
  Type=simple
  # Change the user to the user you want to run Infisical as
  User=root
  ExecStart=/usr/local/bin/infisical-core
  Restart=always
  RestartSec=30

  [Install]
  WantedBy=multi-user.target
Now we need to reload the systemd daemon and start the Infisical service.
  $ systemctl daemon-reload
  $ systemctl start infisical
  $ systemctl enable infisical
You can check the status of the Infisical service by running systemctl status infisical. It is also a good idea to check the logs for any errors by running journalctl --no-pager -u infisical.
5

Exposing Infisical to the internet

Exposing Infisical to the internet requires setting up a reverse proxy. You can use any reverse proxy of your choice, but we recommend using HAProxy or Nginx. Below is an example of how to set up a reverse proxy using HAProxy.

Install HAProxy

  $ apt-get install -y haproxy

Edit HAProxy configuration

  $ nano /etc/haproxy/haproxy.cfg

  global
      log /dev/log local0
      log /dev/log local1 notice
      chroot /var/lib/haproxy
      stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
      stats timeout 30s
      user haproxy
      group haproxy
      daemon

  defaults
      log global
      mode http
      option httplog
      option dontlognull
      timeout connect 5000
      timeout client  50000
      timeout server  50000

  frontend http-in
      bind *:80
      default_backend infisical

  backend infisical
      server infisicalapp 127.0.0.1:8080 check
If you decide to use Nginx, then please be aware that the configuration will be different. Infisical listens on port 8080.

Restart HAProxy

  $ systemctl restart haproxy
And that’s it! You have successfully deployed Infisical in a standalone environment. You can now access Infisical by visiting http://your-server-ip.
Please take note that the Infisical team cannot provide infrastructure support for free self-hosted deployments.
If you need help with infrastructure, we recommend upgrading to a paid plan which includes infrastructure support.You can also join our community Slack for help and support from the community.

Troubleshooting