
Deploying an Infisical App

Introduction

Infisical is an open-source secrets management platform built with Node.js and MongoDB. Deploying Infisical with a Dockerfile on Klutch.sh gives you reproducible builds, managed secrets, and persistent storage for vault data—all managed from klutch.sh/app. This guide covers installation, repository prep, a production-ready Dockerfile, deployment steps, Nixpacks overrides, and best practices to keep secrets secure.


Prerequisites

  • A Klutch.sh account (create one)
  • A GitHub repository containing your Infisical code/config (GitHub is the only supported git source)
  • Docker familiarity and Node.js 18+ for local testing
  • MongoDB connection details (as a Klutch.sh TCP app or external)
  • Optional: Redis for caching

For platform onboarding, see the Quick Start.


Architecture and ports

  • Infisical serves HTTP APIs and UI; set the internal container port to 8080.
  • MongoDB (and Redis, if used) should run as separate Klutch.sh TCP apps. Expose them on port 8000 and connect internally on 27017 (MongoDB) and 6379 (Redis).
  • Persistent storage is recommended for file uploads (if enabled) and cached artifacts.

Repository layout

infisical/
├── apps/ # Backend and frontend packages
├── storage/ # Optional uploads/cache (mount as volume)
├── Dockerfile # Must be at repo root for auto-detection
├── package.json
├── pnpm-lock.yaml # or yarn.lock / package-lock.json
└── .env.example # Template only; no secrets

Keep secrets out of Git; store them in Klutch.sh environment variables.


Installation (local) and starter commands

Install dependencies and run locally before pushing to GitHub:

pnpm install
pnpm build
pnpm start -- --port 8080

If you run migrations or seed scripts, add:

pnpm db:migrate

Optional helper start.sh for portability and Nixpacks fallback:

#!/usr/bin/env bash
set -euo pipefail
# "|| true" lets startup continue even when the migration step fails or is not defined
pnpm db:migrate || true
pnpm start -- --port 8080

Make it executable with chmod +x start.sh.


Dockerfile for Infisical (production-ready)

Place this Dockerfile at the repo root; Klutch.sh auto-detects it (no Docker selection in the UI):

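# Build stage: install all dependencies and compile the app
FROM node:18-alpine AS build
WORKDIR /app
# Copy manifests first so the dependency layer is cached between builds
COPY package.json pnpm-lock.yaml* yarn.lock* package-lock.json* ./
RUN corepack enable
RUN pnpm install --frozen-lockfile
COPY . .
RUN pnpm build

# Runtime stage: built app with production dependencies only
FROM node:18-alpine
WORKDIR /app
ENV NODE_ENV=production PORT=8080
COPY --from=build /app /app
RUN corepack enable && pnpm install --prod --frozen-lockfile
EXPOSE 8080
# No USER instruction is set, so the process runs as root inside the container
CMD ["pnpm", "start", "--", "--port", "8080"]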

Notes:

  • Add build tools in the build stage if native modules are present (apk add --no-cache python3 make g++).
  • Keep storage/ writable and mount it as a volume if you enable file uploads or cache on disk.

Environment variables (Klutch.sh)

Set these in the Klutch.sh app settings (Secrets tab) before deploying:

  • NODE_ENV=production
  • PORT=8080
  • APP_BASE_URL=https://example-app.klutch.sh
  • MONGODB_URI=mongodb://<user>:<password>@<host>:<port>/<db>
  • REDIS_URL=redis://<user>:<password>@<host>:<port> (if using Redis)
  • ENCRYPTION_KEY=<32-byte-key>
  • JWT_SECRET=<jwt-secret>
  • STORAGE_DIR=/app/storage/uploads (if enabling uploads)
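
A startup preflight for the variables in this list, as an added example (not Infisical or Klutch.sh code). The names validateEnv and preflight are hypothetical, and reading <32-byte-key> as a 32-character ASCII string is an assumption:

```javascript
// Added example, not Infisical or Klutch.sh code. Assumption: ENCRYPTION_KEY is a
// 32-character ASCII string (32 bytes); adjust the length check if your build differs.
const REQUIRED = ['NODE_ENV', 'PORT', 'APP_BASE_URL', 'MONGODB_URI', 'ENCRYPTION_KEY', 'JWT_SECRET'];
const OPTIONAL = ['REDIS_URL'];
const PLACEHOLDER = /<[a-z0-9-]+>/i; // heuristic: <password>, <32-byte-key> left from a template
const URI_SCHEMES = { MONGODB_URI: /^mongodb(\+srv)?:$/, REDIS_URL: /^rediss?:$/ };

function validateEnv(env) {
  const problems = []; // messages name the variable only and never echo its value
  const usable = (name) => Boolean(env[name]) && !PLACEHOLDER.test(env[name]);
  for (const name of [...REQUIRED, ...OPTIONAL]) {
    if (!env[name]) { if (REQUIRED.includes(name)) problems.push(`${name} is not set`); }
    else if (PLACEHOLDER.test(env[name])) problems.push(`${name} still contains a template placeholder`);
  }
  if (usable('ENCRYPTION_KEY') && Buffer.byteLength(env.ENCRYPTION_KEY, 'utf8') !== 32) {
    problems.push('ENCRYPTION_KEY must be exactly 32 bytes');
  }
  if (usable('JWT_SECRET') && env.JWT_SECRET === env.ENCRYPTION_KEY) {
    problems.push('JWT_SECRET must not reuse ENCRYPTION_KEY');
  }
  if (usable('APP_BASE_URL')) {
    try {
      if (new URL(env.APP_BASE_URL).protocol !== 'https:') problems.push('APP_BASE_URL must use https');
    } catch {
      problems.push('APP_BASE_URL is not a valid URL');
    }
  }
  // Database and cache URIs must parse, use the expected scheme and carry a password.
  for (const [name, scheme] of Object.entries(URI_SCHEMES)) {
    if (!usable(name)) continue; // unset or placeholder values were handled above
    try {
      const url = new URL(env[name]);
      if (!scheme.test(url.protocol)) problems.push(`${name} has an unexpected scheme`);
      else if (!url.password) problems.push(`${name} carries no password`);
    } catch {
      problems.push(`${name} is not a valid URI`);
    }
  }
  return problems;
}

// Call before the server starts; a false result should abort startup.
function preflight(env = process.env) {
  const problems = validateEnv(env);
  for (const p of problems) console.error(`config error: ${p}`);
  return problems.length === 0;
}
```

Under the same length assumption, openssl rand -hex 16 yields a 32-character value for ENCRYPTION_KEY.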

If you deploy without the Dockerfile and need Nixpacks overrides:

  • NIXPACKS_BUILD_CMD=pnpm install --frozen-lockfile && pnpm build
  • NIXPACKS_START_CMD=pnpm start -- --port 8080
  • NIXPACKS_NODE_VERSION=18

These keep Infisical compatible with Nixpacks defaults when a Dockerfile is absent.


Attach persistent volumes

In Klutch.sh storage settings, add mount paths and sizes (no names required):

  • /app/storage/uploads — for file attachments if enabled.
  • /app/.cache — optional cache to speed rebuilds if your app writes there.

Ensure these paths are writable inside the container.


Deploy Infisical on Klutch.sh (Dockerfile workflow)

  1. Push your repository (with the Dockerfile at the root) to GitHub.
  2. Open klutch.sh/app, create a project, and add an app.
  3. Connect the GitHub repository; Klutch.sh automatically detects the Dockerfile.
  4. Choose HTTP traffic for Infisical.
  5. Set the internal port to 8080.
  6. Add the environment variables above (database, Redis, encryption/JWT secrets, and any NIXPACKS_* overrides if you temporarily deploy without the Dockerfile).
  7. Attach persistent volumes for /app/storage/uploads (and /app/.cache if used), choosing sizes that fit your usage.
  8. Deploy. Your Infisical instance will be reachable at https://example-app.klutch.sh; attach a custom domain if desired.

For MongoDB or Redis on Klutch.sh, create separate TCP apps, expose them on port 8000, and point MONGODB_URI or REDIS_URL to those endpoints (internal ports 27017/6379).


Health checks and production tips

  • Add a /health endpoint that checks DB/Redis connectivity.
  • Enforce HTTPS at the edge; forward HTTP to port 8080 internally.
  • Rotate ENCRYPTION_KEY and JWT_SECRET carefully to avoid disrupting clients.
  • Monitor volume usage for uploads/cache and resize before they fill.
  • Keep lockfiles committed and Node versions pinned for reproducible builds.
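
One way to build the /health check from the first tip, as an added example (not Infisical code). It assumes single-host MONGODB_URI and REDIS_URL values in the form shown earlier, uses a TCP connect in place of a driver-level ping, and its function names are hypothetical:

```javascript
// Added example, not Infisical code. Assumption: single-host URIs; TCP connect stands in for a ping.
const DEPENDENCIES = [
  { name: 'mongodb', envVar: 'MONGODB_URI', defaultPort: 27017, required: true },
  { name: 'redis', envVar: 'REDIS_URL', defaultPort: 6379, required: false },
];

// Keep only host and port: credentials in the URI never reach the response.
function dependencyTargets(env) {
  const targets = [];
  for (const dep of DEPENDENCIES) {
    const value = env[dep.envVar];
    if (!value && !dep.required) continue;
    try {
      const url = new URL(value);
      targets.push({ name: dep.name, host: url.hostname, port: Number(url.port) || dep.defaultPort });
    } catch {
      targets.push({ name: dep.name, host: null, port: null }); // missing or unparseable
    }
  }
  return targets;
}

// TCP probe with a hard timeout; resolves true or false and never rejects.
async function probe(host, port, timeoutMs = 1000) {
  if (!host) return false;
  const net = await import('node:net'); // dynamic import works in CommonJS and ES modules
  return new Promise((resolve) => {
    const socket = net.connect({ host, port });
    const done = (ok) => { socket.destroy(); resolve(ok); };
    socket.setTimeout(timeoutMs, () => done(false));
    socket.once('connect', () => done(true));
    socket.once('error', () => done(false));
  });
}

async function checkHealth(env) {
  const checks = {};
  for (const t of dependencyTargets(env)) {
    checks[t.name] = (await probe(t.host, t.port)) ? 'up' : 'down';
  }
  const healthy = Object.values(checks).every((state) => state === 'up');
  return { status: healthy ? 200 : 503, body: { healthy, checks } };
}

// Request listener for http.createServer(); answers /health only.
async function healthHandler(req, res, env = process.env) {
  if (req.url !== '/health') { res.writeHead(404).end(); return; }
  const { status, body } = await checkHealth(env);
  res.writeHead(status, { 'Content-Type': 'application/json' }).end(JSON.stringify(body));
}
```

The response reports only up or down per dependency, so a public health URL does not disclose hostnames or connection strings.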

Infisical on Klutch.sh combines reproducible Docker builds with managed secrets, optional persistent volumes, and flexible HTTP/TCP routing. With the Dockerfile at the repo root and ports set to 8080 for the app (8000 externally for TCP databases or caches), you can run secure secrets management without extra YAML or workflow overhead.