Infisical Infrastructure
Pulumi project that owns everything related to the self-hosted Infisical instance at infisical.studyflash.ch:
- The Hetzner Cloud VM running Infisical + Caddy + Postgres + Redis (cpx32 in nbg1)
- The Hetzner firewall in front of it (`infisical-fw` — HTTPS/HTTP open, SSH locked to break-glass IP)
- Infisical-side resources managed via the Infisical Terraform provider (the `pulumi-managed` secret tag now; projects/environments/identities to follow)
The VM and firewall were provisioned by hand and adopted into Pulumi via `pulumi import` — no recreation involved. The original cloud-init lives in `cloud-init.yaml` so the build is reproducible from this repo if the VM ever has to be rebuilt.
The Infisical SDK is generated on demand from the official `terraform-provider-infisical` via Pulumi's TF bridge — declared in `Pulumi.yaml` under `packages:` and regenerated by `pulumi install`. Trust chain: Infisical's TF provider → Pulumi codegen → us, no third-party intermediary.
Convention: secret paths mirror the monorepo
Every Infisical secret path corresponds 1:1 to a directory in this monorepo:
| Repo dir | Infisical path | What's stored |
|---|---|---|
| `infra/scripts/` | `/infra/scripts/` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` (R2 backend auth, shared by every Pulumi stack) |
| `infra/<stack>/` | `/infra/<stack>/` | The stack's own provider creds — Cloudflare/Hetzner/Sentry/etc. tokens |
| `internal/<stack>/` | `/internal/<stack>/` | Same — stack-specific creds |
| `apps/<app>/` | `/apps/<app>/` | The app's runtime secrets |
When you see a path you know which folder owns it; when you create a folder you know where its secrets go. New stacks and apps should follow the same shape.
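As an added illustration of the convention (example code, not part of this repo), a small Python check that maps a repo directory to its Infisical path and audits a list of secret paths: it flags paths that break the `/<root>/<name>/` shape and paths whose owning directory no longer exists in the monorepo (stale credentials worth reviewing and rotating). The sample paths and directories are constructed, not taken from the real instance.

```python
"""Convention check: every Infisical secret path mirrors one monorepo directory."""
from pathlib import PurePosixPath

# Roots covered by the convention; each path is exactly two segments deep,
# e.g. /infra/<stack>/, /internal/<stack>/, /apps/<app>/.
CONVENTION_ROOTS = ("infra", "internal", "apps")


def _parts(path: str) -> tuple[str, ...]:
    """Split a repo dir or Infisical path into segments, rejecting malformed ones."""
    parts = PurePosixPath(path.strip("/")).parts
    if len(parts) != 2 or parts[0] not in CONVENTION_ROOTS:
        raise ValueError(f"{path!r} is outside the secret-path convention")
    return parts


def infisical_path_for(repo_dir: str) -> str:
    """'infra/scripts/' -> '/infra/scripts/'"""
    return "/" + "/".join(_parts(repo_dir)) + "/"


def repo_dir_for(secret_path: str) -> str:
    """'/apps/web/' -> 'apps/web/'"""
    return "/".join(_parts(secret_path)) + "/"


def audit(secret_paths: list[str], repo_dirs: list[str]) -> dict[str, list[str]]:
    """Return malformed paths and paths with no owning directory, in input order."""
    existing = {d.strip("/") for d in repo_dirs}
    result: dict[str, list[str]] = {"malformed": [], "orphaned": []}
    for path in secret_paths:
        try:
            owner = repo_dir_for(path).strip("/")
        except ValueError:
            result["malformed"].append(path)
            continue
        if owner not in existing:
            # Secret still lives in Infisical but its folder is gone: review/rotate.
            result["orphaned"].append(path)
    return result


# Constructed sample input (hypothetical names, not the real monorepo).
SAMPLE_SECRET_PATHS = ["/infra/scripts/", "/infra/infisical/", "/apps/web/",
                       "/apps/legacy-api/", "/shared/db/", "/infra/a/b/"]
SAMPLE_REPO_DIRS = ["infra/scripts/", "infra/infisical/", "apps/web/", "internal/worker/"]

if __name__ == "__main__":
    print(audit(SAMPLE_SECRET_PATHS, SAMPLE_REPO_DIRS))
```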