Migration note: Migrated from ADR-0002 on 2026-05-02 per ADR-0047. Original file retained at docs/adr/0002-infisical-for-secrets.md with deprecation banner.
# IAM-0001: Infisical for Secrets Management

## Sources
- ADR-0002: Infisical for secrets management (2026-03-31)
| Field | Value |
|---|---|
| ID | IAM-0001 |
| Date | 2026-03-31 |
| Status | Accepted |
| Deciders | Ben Peries |
| Class | security/IAM |
## Status

- Accepted — 2026-03-31
- Updated — 2026-04-11: Added decision matrix and 1Password Connect evaluation
## Context
The platform requires secrets management across multiple nodes, repos, and environments (dev/test/staging/prod). Secrets include: Telegram bot tokens, InfluxDB credentials, Ansible vault passwords, machine identity tokens, and future cloud provider credentials.
Core requirements: self-hostable, environment-aware, injectable into Docker and Ansible without extra tooling, operable without Kubernetes at this build stage.
## Decision

Self-hosted Infisical on caneast-site1-node3 at https://REDACTED:8443.

- nginx TLS termination proxy in the same compose stack
- Three projects: archon-platform, archon-apps, archon-cloud
- Four environments per project: dev, test, staging, prod
- Machine identities for pipeline and Ansible injection
- Compose path: /home/operator/platform/infisical/
## Alternatives Considered
HashiCorp Vault — More powerful but significantly more complex to operate. Requires dedicated storage backend, unsealing procedure, and high operational overhead. Overkill at this stage.
Azure DevOps variable groups — Vendor-locked, no local injection, no environment promotion. Not viable for nodes provisioned offline.
.env files in repo — No secret versioning, no audit trail, high exposure risk. Eliminated immediately.
Docker secrets — Swarm-only, doesn't extend to Ansible or bare-metal. Not viable cross-stack.
## Consequences

- Infisical is a critical dependency — if down, pipeline secret injection fails
- caneast-site1-node3 availability is a prerequisite for CI/CD
- Machine identity tokens must be rotated and managed
- Future: Infisical operator for k3s secret sync (Phase 3)
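The injection path the Decision describes (a machine identity feeding an environment's secrets into the Docker Compose stack) and the first consequence above (Infisical is a critical dependency that must be reachable before a deploy can proceed), as an added shell example that is not part of this ADR and not Infisical's own tooling. It assumes the `infisical` CLI is installed and honours the `INFISICAL_API_URL` and `INFISICAL_TOKEN` environment variables plus the `login --method=universal-auth --client-id --client-secret --plain --silent` and `run --projectId --env` options; `INFISICAL_PROJECT_ID`, `INFISICAL_CLIENT_ID` and `INFISICAL_CLIENT_SECRET` are supplied by the caller (the project id is not on this page), and `/api/status` as the health path is an assumption.

```shell
#!/usr/bin/env sh
# Added example, not part of the ADR: fail-closed secret injection into a Docker
# Compose deploy via an Infisical machine identity (Universal Auth).
# Assumptions (not stated on the page): the `infisical` CLI is installed and honours
# INFISICAL_API_URL / INFISICAL_TOKEN; INFISICAL_PROJECT_ID, INFISICAL_CLIENT_ID and
# INFISICAL_CLIENT_SECRET are supplied by the caller (e.g. as CI pipeline secrets).

INFISICAL_API_URL="${INFISICAL_API_URL:-https://REDACTED:8443}"   # endpoint from the ADR
export INFISICAL_API_URL

# The three projects and four environments exactly as the ADR defines them.
ALLOWED_PROJECTS="archon-platform archon-apps archon-cloud"
ALLOWED_ENVS="dev test staging prod"

# in_list WORD "w1 w2 ..." -> exit 0 if WORD is one of the words, else 1
in_list() {
    _needle="$1"
    for _item in $2; do
        [ "$_item" = "$_needle" ] && return 0
    done
    return 1
}

# validate_target PROJECT ENV: refuse anything outside the ADR's 3x4 matrix so that a
# typo such as "production" fails loudly instead of resolving to an empty secret set.
validate_target() {
    in_list "$1" "$ALLOWED_PROJECTS" || { echo "unknown project: $1" >&2; return 1; }
    in_list "$2" "$ALLOWED_ENVS" || { echo "unknown environment: $2" >&2; return 1; }
}

# infisical_reachable: the ADR names Infisical a critical dependency. Probe it before
# touching the stack so an outage surfaces as a preflight error, not as a container
# that started with empty variables. (/api/status as the health path is an assumption.)
infisical_reachable() {
    curl -fsS --max-time 5 -o /dev/null "$INFISICAL_API_URL/api/status"
}

# deploy PROJECT_NAME ENV: validate, preflight, authenticate as the machine identity,
# then run compose with the environment's secrets injected as process environment
# variables of the wrapped command only. Nothing is written to disk or to a .env file.
deploy() {
    validate_target "$1" "$2" || return 1
    infisical_reachable || {
        echo "Infisical at $INFISICAL_API_URL unreachable; aborting deploy" >&2
        return 2
    }
    # Universal Auth login prints a short-lived access token; keep it in memory only.
    INFISICAL_TOKEN="$(infisical login --method=universal-auth \
        --client-id="$INFISICAL_CLIENT_ID" --client-secret="$INFISICAL_CLIENT_SECRET" \
        --plain --silent)" || return 3
    export INFISICAL_TOKEN
    infisical run --projectId="$INFISICAL_PROJECT_ID" --env="$2" -- docker compose up -d
}

# Only act when a machine identity is configured; otherwise the file just defines functions.
if [ -n "${INFISICAL_CLIENT_ID:-}" ]; then
    deploy "${1:-archon-platform}" "${2:-dev}"
fi
```

The order of checks is the point: target validation and the reachability probe both run before any credential is used, so a misnamed environment or a node outage on caneast-site1-node3 stops the deploy with a distinct exit code rather than leaving a half-started stack.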
## References
- https://infisical.com/docs/self-hosting/overview
- PLAT-0001 (OPNsense KVM firewall) — note caneast-site1-node3 criticality accumulation
## Addendum — 2026-04-11

### 1Password Connect Evaluation
1Password Connect was evaluated as a potential second secrets tool for developer workstation and AI agent credential use. Rejected. Infisical covers all scopes without introducing a second tool.
### Decision Matrix
| Tool | Self-hosted | Open Source | Air-gappable | Env promotion | k3s operator | Dynamic secrets | Cost |
|---|---|---|---|---|---|---|---|
| Infisical | Yes (full) | Yes (MIT) | Yes | Yes (dev/test/staging/prod) | Yes | Roadmap | Free self-hosted |
| HashiCorp Vault | Yes | No (BSL 2023) | Yes | Yes | Yes | Yes | Complex ops |
| 1Password Connect | Partial (cache only) | No | No (SaaS sync required) | No | No | No | Paid |
| Azure DevOps variable groups | No | No | No | Limited | No | No | Vendor lock-in |
| Doppler | No | No | No | Yes | No | No | SaaS only |
| .env files in repo | N/A | N/A | Yes | No | No | No | Security risk |
### Ruling
Infisical remains the single secrets manager for all scopes: pipelines, Ansible, k3s, nodes, and developer workstation credentials. No second tool is warranted. Any future re-evaluation must supersede this ADR with a new ADR, not patch this file.