ADR-0002: Infisical for secrets management

Status

Accepted — 2026-03-31

Context

The platform requires secrets management across multiple nodes, repos, and environments (dev/test/staging/prod). Secrets include: Telegram bot tokens, InfluxDB credentials, Ansible vault passwords, machine identity tokens, and future cloud provider credentials.

Core requirements: self-hostable, environment-aware, injectable into Docker and Ansible without extra tooling, operable without Kubernetes at this build stage.

Decision

Self-hosted Infisical on caneast-c1-node3 at https://caneast-c1-node3:8443.

  • nginx TLS termination proxy in the same compose stack
  • Three projects: archon-platform, archon-apps, archon-cloud
  • Four environments per project: dev, test, staging, prod
  • Machine identities for pipeline and Ansible injection
  • Compose path: /home/operator/platform/infisical/

Alternatives Considered

HashiCorp Vault — More powerful but significantly more complex to operate. Requires dedicated storage backend, unsealing procedure, and high operational overhead. Overkill at this stage.

Azure DevOps variable groups — Vendor-locked, no local injection, no environment promotion. Not viable for nodes provisioned offline.

.env files in repo — No secret versioning, no audit trail, high exposure risk. Eliminated immediately.

Docker secrets — Swarm-only, doesn't extend to Ansible or bare-metal. Not viable cross-stack.

Consequences

  • Infisical is a critical dependency — if down, pipeline secret injection fails
  • caneast-c1-node3 availability is a prerequisite for CI/CD
  • Machine identity tokens must be rotated and managed
  • Future: Infisical operator for k3s secret sync (Phase 3)
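The Decision section leaves the pipeline-side mechanics implicit: a machine identity authenticates, a short-lived token is obtained, and secrets for exactly one project/environment are injected into the deploy command. The Consequences section adds the failure mode: if Infisical is down, injection must fail visibly rather than fall back to something weaker. The script below is an added example, not part of this ADR or of the Infisical project. It assumes the Infisical CLI's universal-auth login and `run` flags (`--method=universal-auth`, `--client-id`, `--client-secret`, `--plain`, `--silent`, `--projectId`, `--env`, `--domain` with an `/api` suffix) and a `/api/status` health path, all as documented for the CLI; the project-ID mapping and the example playbook are placeholders to be replaced from the Infisical UI.

```shell
#!/usr/bin/env sh
# Added example (not part of the ADR): pipeline-side secret injection via an
# Infisical machine identity. Assumptions: CLI flags as in the Infisical CLI
# docs; INFISICAL_URL defaults to the ADR's endpoint; project IDs and the
# /api/status health path are placeholders to verify against the instance.

INFISICAL_URL="${INFISICAL_URL:-https://caneast-c1-node3:8443}"

# Allow-list the three projects and four environments named in the ADR so a
# typo in a pipeline variable cannot pull secrets from an unintended scope.
validate_target() {
  case "$1" in
    archon-platform|archon-apps|archon-cloud) ;;
    *) echo "unknown project: $1" >&2; return 1 ;;
  esac
  case "$2" in
    dev|test|staging|prod) ;;
    *) echo "unknown environment: $2" >&2; return 1 ;;
  esac
}

# Map a project name to its Infisical project ID. The IDs below are
# placeholders; the real ones come from the Infisical UI.
project_id() {
  case "$1" in
    archon-platform) echo "PLACEHOLDER-ID-platform" ;;
    archon-apps)     echo "PLACEHOLDER-ID-apps" ;;
    archon-cloud)    echo "PLACEHOLDER-ID-cloud" ;;
    *) return 1 ;;
  esac
}

# Fail closed: machine-identity credentials must come from the CI secret
# store; there is no fallback to a local .env (the ADR rejected that option).
require_identity() {
  [ -n "${INFISICAL_CLIENT_ID:-}" ] && [ -n "${INFISICAL_CLIENT_SECRET:-}" ] || {
    echo "machine identity credentials not provided; refusing to continue" >&2
    return 1
  }
}

# Infisical is a hard dependency (Consequences); surface an outage as an
# explicit, early failure rather than a confusing one mid-deploy.
check_reachable() {
  curl -fsS --max-time 5 "$INFISICAL_URL/api/status" >/dev/null
}

# Compose the `infisical run` command line for a target. Printed rather than
# executed so the composition can be checked without the CLI installed.
infisical_run_cmd() {
  proj="$1"; target_env="$2"; shift 2
  validate_target "$proj" "$target_env" || return 1
  printf 'infisical run --domain=%s/api --projectId=%s --env=%s -- %s\n' \
    "$INFISICAL_URL" "$(project_id "$proj")" "$target_env" "$*"
}

# Exchange the machine identity for a short-lived access token and run the
# command with secrets injected as environment variables (never written to
# disk). The token travels in INFISICAL_TOKEN rather than argv, so it does
# not appear in process listings.
inject_and_run() {
  proj="$1"; target_env="$2"; shift 2
  validate_target "$proj" "$target_env" || return 1
  require_identity && check_reachable || return 1
  token="$(infisical login --domain="$INFISICAL_URL/api" \
      --method=universal-auth \
      --client-id="$INFISICAL_CLIENT_ID" \
      --client-secret="$INFISICAL_CLIENT_SECRET" \
      --plain --silent)" || return 1
  INFISICAL_TOKEN="$token" \
    infisical run --domain="$INFISICAL_URL/api" \
      --projectId="$(project_id "$proj")" --env="$target_env" -- "$@"
}

# Usage (runs only when invoked with --run, so sourcing the file has no side
# effects):
#   INFISICAL_CLIENT_ID=... INFISICAL_CLIENT_SECRET=... \
#     sh inject.sh --run archon-apps staging ansible-playbook site.yml
if [ "${1:-}" = "--run" ]; then
  shift
  inject_and_run "$@"
fi
```

The client ID and secret are the only long-lived values and belong in the CI system's masked variables; everything the deploy step sees is a per-run token scoped to one project and one environment. The same wrapper serves Ansible (`ansible-playbook` as the wrapped command) and Docker (`docker compose up` reads the injected variables), which is what keeps the ADR's "no extra tooling" requirement true for both stacks.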

References

  • https://infisical.com/docs/self-hosting/overview
  • ADR-0004 (OPNsense as KVM VM) — note the accumulating criticality of caneast-c1-node3 as more core services land on it