Infisical Hardening — Continuation Prompt

Use this prompt to start a new Claude Code session to complete the Infisical security hardening. Created: 2026-03-25


Context

We set up self-hosted Infisical (secrets manager) with a Cloudflare tunnel, automated backups, and started the security lockdown. Most infrastructure is working but several security layers are incomplete.

What’s Done (verified working)

Cloudflare Tunnel

  • sm.solanasis.com → localhost:8580 via existing solanasis tunnel
  • Config: ~/.cloudflared/config.yml in WSL2 Ubuntu (locally-managed tunnel)
  • Tunnel ID: c57c4d9c-e408-4e43-b0d5-190baa70568e
  • DNS CNAME active, tunnel serving traffic

Cloudflare Access (partially done)

  • Zero Trust organization created: solanasis.cloudflareaccess.com
  • Access application created: “Infisical Vault” for sm.solanasis.com (app ID: da38e27f-5a00-4378-afbe-4b7219ceff64)
  • Policy: Allow emails mr.sunshine@solanasis.com and ds@solanasis.com
  • Session duration: 24 hours
  • sm.solanasis.com correctly returns 302 → Cloudflare Access login page

Automated Backups (fully working)

  • Script: C:\_my\_solanasis\solanasis-docs\scheduled-tasks\scripts\backup-infisical.py
  • Schedule: Daily at 2:00 AM via Windows Task Scheduler (\Solanasis\Solanasis - Infisical Backup)
  • Pipeline: pg_dump + .env → tar.gz → AES-256-CBC encrypt (openssl, -pbkdf2 -iter 600000) → git push
  • Storage: dzinreach/infisical-backups (private GitHub repo)
  • Retention: 7 daily + 4 weekly rolling
  • Passphrase: Windows env var INFISICAL_BACKUP_PASSPHRASE (also store in Bitwarden)
  • Already has 2 successful automated runs (2026-03-24 and 2026-03-25)
  • Restore instructions: C:\_my\infisical-backups\README.md
  • Decryption verified working

Infisical Config

  • .env updated: SITE_URL=https://sm.solanasis.com, INVITE_ONLY_SIGNUP=true
  • Docker containers healthy (backend, postgres:14-alpine, redis:7-alpine)
  • Docker Compose at C:\_my\_solanasis\infisical\docker-compose.yml
  • Service inventory updated: C:\_my\_solanasis\solanasis-docs\operations\service-inventory.md

Scheduled Task Registration

  • register-tasks.ps1 updated with Task 4 (Infisical Backup)
  • Task registered and running in Windows Task Scheduler

What’s Broken — Fix First

1. Cloudflare Access Login Methods (CRITICAL)

Problem: When users visit sm.solanasis.com, they see “no login methods available” on the Cloudflare Access page.

Root cause: The Zero Trust organization was created via API but NO identity providers were configured. The identity_providers list is empty.

Fix: Add the One-Time PIN (email OTP) identity provider via the Cloudflare API:

POST /accounts/{account_id}/access/identity_providers
{
  "name": "One-Time PIN",
  "type": "onetimepin",
  "config": {}
}

Credentials for API calls:

  • Account ID: 5bc74cd88016b1dd85d05955675fdba8
  • Auth method: X-Auth-Email: mr.sunshine@solanasis.com + X-Auth-Key: <value of CLOUDFLARE_GLOBAL_API_KEY Windows env var>
  • Read env var: powershell -Command "[System.Environment]::GetEnvironmentVariable('CLOUDFLARE_GLOBAL_API_KEY', 'User')"

After fixing: Test by visiting sm.solanasis.com in incognito — should show email input for OTP.
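An idempotent version of the fix above, written as an added example for this prompt (it is not part of the original plan or any Infisical/Cloudflare code). It assumes the Cloudflare list endpoint GET /accounts/{account_id}/access/identity_providers (the read counterpart of the POST shown above) is used to check the currently empty identity_providers list before creating the One-Time PIN provider, and that the global API key is read from the CLOUDFLARE_GLOBAL_API_KEY environment variable; the account ID and auth email are the ones given in this document.

```python
"""Ensure the Cloudflare Access One-Time PIN identity provider exists.

Added example, not the project's own code. Assumes the list endpoint
GET /accounts/{account_id}/access/identity_providers and reads the global
API key from CLOUDFLARE_GLOBAL_API_KEY.
"""
import json
import os
import urllib.request
from typing import Optional

API_BASE = "https://api.cloudflare.com/client/v4"
ACCOUNT_ID = "5bc74cd88016b1dd85d05955675fdba8"   # from this document
AUTH_EMAIL = "mr.sunshine@solanasis.com"          # from this document

# Body of the POST given in the fix above.
OTP_PROVIDER = {"name": "One-Time PIN", "type": "onetimepin", "config": {}}


def auth_headers(api_key: str) -> dict:
    """Global API key auth (X-Auth-Email + X-Auth-Key), as the plan specifies."""
    if not api_key:
        raise ValueError("CLOUDFLARE_GLOBAL_API_KEY is not set")
    return {
        "X-Auth-Email": AUTH_EMAIL,
        "X-Auth-Key": api_key,
        "Content-Type": "application/json",
    }


def has_otp_provider(providers: list) -> bool:
    """True if any configured identity provider is of type 'onetimepin'."""
    return any(p.get("type") == "onetimepin" for p in providers)


def plan_fix(providers: list) -> Optional[dict]:
    """Return the POST body needed to add OTP, or None if it already exists.

    Running the fix twice must not create a second provider, hence the check.
    """
    return None if has_otp_provider(providers) else dict(OTP_PROVIDER)


def cf_request(method: str, path: str, api_key: str,
               body: Optional[dict] = None) -> dict:
    """Minimal Cloudflare v4 call; raises on HTTP or API-level failure."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method,
                                 headers=auth_headers(api_key))
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload


def ensure_otp_provider(api_key: str) -> str:
    """Create the OTP provider if missing; return its id or 'already-present'."""
    path = f"/accounts/{ACCOUNT_ID}/access/identity_providers"
    current = cf_request("GET", path, api_key)["result"]
    body = plan_fix(current)
    if body is None:
        return "already-present"
    created = cf_request("POST", path, api_key, body)["result"]
    return created["id"]


if __name__ == "__main__":
    print(ensure_otp_provider(os.environ.get("CLOUDFLARE_GLOBAL_API_KEY", "")))
```

Run it from WSL2 or PowerShell with CLOUDFLARE_GLOBAL_API_KEY exported; a second run prints already-present, which is the check that the provider list is no longer empty. The incognito test described above remains the end-to-end confirmation that the Access page now offers the email OTP input.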


What’s Still TODO

2. Infisical Admin Panel Settings

Problem: The env var INVITE_ONLY_SIGNUP=true is set, but the admin panel’s own allowSignUp toggle is still true. These are separate mechanisms — both should be disabled.

Also needed:

  • Restrict signup email domain to @solanasis.com
  • Enforce 2FA (TOTP) for all org members
  • Admin email: admin@solanasis.com (from memory — verify at login)

Approach: Either:

  • Authenticate to Infisical API (POST /api/v3/auth/login1 with SRP) and use admin endpoints
  • OR have Dmitri toggle these in the admin panel UI at sm.solanasis.com/admin (3 clicks)

Infisical authentication uses the SRP (Secure Remote Password) protocol, which is complex to implement programmatically. The UI approach may be faster.

3. API Rate Limiting (Cloudflare WAF)

  • Cloudflare dashboard > solanasis.com > Security > WAF
  • Rule: hostname = sm.solanasis.com AND URI contains /api/
  • Rate: 60 requests/min/IP → Block 10 min
  • Can be done via Cloudflare API with the Global API Key
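The rate-limiting rule above expressed through the Cloudflare Rulesets API, as an added example (not from the original plan or from Cloudflare's own tooling). It assumes the rule is deployed with PUT /zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint, which replaces every rule in that phase (so any existing rate-limiting rules must be included in the list sent), that the zone ID is read from a CLOUDFLARE_ZONE_ID environment variable (the zone ID is not given in this document), and that the global API key is read from CLOUDFLARE_GLOBAL_API_KEY.

```python
"""Build and deploy the sm.solanasis.com /api/ rate-limiting rule.

Added example, not the project's own code. Assumes the http_ratelimit
phase entrypoint PUT and reads CLOUDFLARE_ZONE_ID / CLOUDFLARE_GLOBAL_API_KEY
from the environment.
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
AUTH_EMAIL = "mr.sunshine@solanasis.com"   # from this document


def rate_limit_rule(host: str, path_fragment: str,
                    requests_per_minute: int, block_minutes: int) -> dict:
    """Rule matching host AND URI containing path_fragment, counted per client IP.

    period is 60 s so requests_per_period reads as requests/min; the block
    (mitigation_timeout) is expressed in seconds.
    """
    if requests_per_minute <= 0 or block_minutes <= 0:
        raise ValueError("thresholds must be positive")
    expression = (f'(http.host eq "{host}" and '
                  f'http.request.uri.path contains "{path_fragment}")')
    return {
        "description": f"Rate limit {path_fragment} on {host}",
        "expression": expression,
        "action": "block",
        "ratelimit": {
            # cf.colo.id is required alongside ip.src for per-IP counting
            "characteristics": ["ip.src", "cf.colo.id"],
            "period": 60,
            "requests_per_period": requests_per_minute,
            "mitigation_timeout": block_minutes * 60,
        },
    }


def entrypoint_body(rules: list) -> dict:
    """PUT body for the phase entrypoint; it replaces the whole rule list."""
    return {"rules": rules}


def deploy(zone_id: str, api_key: str, rules: list) -> dict:
    """Replace the zone's http_ratelimit rules with `rules`; raise on failure."""
    if not zone_id or not api_key:
        raise ValueError("CLOUDFLARE_ZONE_ID and CLOUDFLARE_GLOBAL_API_KEY must be set")
    url = f"{API_BASE}/zones/{zone_id}/rulesets/phases/http_ratelimit/entrypoint"
    req = urllib.request.Request(
        url, data=json.dumps(entrypoint_body(rules)).encode(), method="PUT",
        headers={"X-Auth-Email": AUTH_EMAIL, "X-Auth-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


# The rule as specified above: 60 requests/min per IP -> block for 10 min.
INFISICAL_API_RULE = rate_limit_rule("sm.solanasis.com", "/api/", 60, 10)

if __name__ == "__main__":
    result = deploy(os.environ.get("CLOUDFLARE_ZONE_ID", ""),
                    os.environ.get("CLOUDFLARE_GLOBAL_API_KEY", ""),
                    [INFISICAL_API_RULE])
    print(json.dumps(result, indent=2))
```

The permitted values for period and mitigation_timeout depend on the zone's Cloudflare plan, and the API rejects combinations the plan does not allow, so a failed PUT here is more often a plan limit than a malformed rule; checking the returned errors list is the first diagnostic step.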

4. Store Credentials in Infisical

These new credentials should be stored in Infisical itself for centralized management:

  • CLOUDFLARE_GLOBAL_API_KEY (currently only in Windows env var)
  • INFISICAL_BACKUP_PASSPHRASE (currently only in Windows env var — ALSO store in Bitwarden)

5. Documentation Gaps

Missing cheatsheet: No Infisical operations cheatsheet exists. Create one at solanasis-docs/operations/infisical-cheatsheet.md covering:

  • How to access (URL, Cloudflare Access flow)
  • How to add/manage secrets
  • sync_env.py usage
  • Backup/restore procedure
  • Docker management (restart, logs, update)
  • Emergency: what to do if ENCRYPTION_KEY is lost

CLAUDE.md updates needed:

  • Add Infisical to the Tech Stack Context in _solanasis/CLAUDE.md
  • Add backup schedule info to the scheduled-tasks setup guide
  • Consider adding Cloudflare Access/Zero Trust management to operations docs

Memory file: Already updated at ~/.claude/projects/c---my/memory/project_secrets_management.md

6. Verify Backup Passphrase in Bitwarden

The passphrase ltQp2/VTzz6AJTgsAb5n4jefGxz1oNF3jWvMch/0z0U= needs to be stored in Bitwarden as “Infisical Backup Encryption Passphrase”. No Bitwarden CLI is installed — this is a manual step.


Key File Paths

| File | Purpose |
|------|---------|
| C:\_my\_solanasis\infisical\docker-compose.yml | Infisical Docker stack |
| C:\_my\_solanasis\infisical\.env | Infisical config (ENCRYPTION_KEY, DB creds, SITE_URL) |
| C:\_my\_solanasis\infisical\sync_env.py | Sync secrets from Infisical to repo .env files |
| ~/.cloudflared/config.yml (WSL2) | Cloudflare tunnel ingress rules |
| C:\_my\_solanasis\solanasis-docs\scheduled-tasks\scripts\backup-infisical.py | Backup script |
| C:\_my\_solanasis\solanasis-docs\scheduled-tasks\scripts\register-tasks.ps1 | Task Scheduler registration |
| C:\_my\infisical-backups\ | Encrypted backup repo (daily/ + weekly/) |
| C:\_my\infisical-backups\README.md | Restore instructions |
| C:\_my\_solanasis\solanasis-docs\operations\service-inventory.md | Service inventory (updated) |
| C:\_my\.env | Master credentials (has INFISICAL_CLIENT_SECRET) |
| C:\Users\zasya\.claude\plans\vectorized-frolicking-comet.md | Original implementation plan |

Cloudflare API Reference

All Zero Trust API calls use:

X-Auth-Email: mr.sunshine@solanasis.com
X-Auth-Key: <CLOUDFLARE_GLOBAL_API_KEY env var>
Account ID: 5bc74cd88016b1dd85d05955675fdba8

Access app ID: da38e27f-5a00-4378-afbe-4b7219ceff64
Access policy ID: 3a898274-8606-41f7-9efd-c322f90aa21a


Instructions for New Session

  1. Start in plan mode — thorough review of everything above
  2. Fix the login methods issue first (critical blocker)
  3. Then work through TODOs 2-6 in priority order
  4. End with a comprehensive verification of the entire Infisical stack
  5. Create the operations cheatsheet and update CLAUDE.md files