Getting started

envfyio docs

envfyio is the self-hosted secrets and environment platform for the fyio ecosystem. It runs Infisical on dev102 behind a Tailscale tailnet, with a Cloudflare Access gate on the web UI. All secrets are encrypted at rest — the database never holds plaintext values.

Note: The web dashboard is gated by Cloudflare Access. You need to be authenticated with your fyio organisation identity to open it. See Dashboard access.

Quickstart

Three steps to inject secrets into a new fyio service.

1 · Install the Infisical CLI

shell
# macOS
brew install infisical/get-cli/infisical

# npm (any platform)
npm install -g @infisical/cli

2 · Authenticate

shell
export INFISICAL_TOKEN=$(infisical login \
  --method=universal-auth \
  --client-id=$INFISICAL_CLIENT_ID \
  --client-secret=$INFISICAL_CLIENT_SECRET \
  --domain=https://envfyio.internal/api \
  --silent --plain)

In universal-auth mode the CLI prints the access token it obtained rather than saving a user session, so capture it into INFISICAL_TOKEN (the CLI also accepts --token) for the commands that follow. Populate INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET from your CI secret store or a local secret manager rather than pasting the values inline, so the client secret never lands in shell history.

3 · Run your app with injected secrets

shell
infisical run \
  --projectId gofyio \
  --env production \
  -- node server.js

Secrets are injected as environment variables into the child process only; the CLI does not write them to disk or log them. Anything the process itself logs, includes in a crash dump, or passes on to its own subprocesses is the service's responsibility.

Dashboard access

The Infisical web UI is served at https://envfyio.internal on the Tailscale tailnet. It is also accessible externally via Cloudflare Access at the public hostname — but only after passing the zero-trust identity check.

  1. Connect to the fyio Tailnet (Tailscale installed and authenticated)
  2. Open the dashboard URL — Cloudflare Access will prompt for your fyio email
  3. Authenticate with your Google Workspace or GitHub identity
  4. You now have access to the Infisical dashboard
Note: CI runners and k8s pods authenticate via machine identities and do not go through the web UI or Cloudflare Access.

Create a project

Each fyio app gets one Infisical project. Projects are the isolation boundary: a machine identity that has been added to gofyio cannot read payfyio secrets unless it is explicitly added to that project as well.

  1. In the dashboard, click New Project
  2. Set the name to the app slug — e.g. gofyio
  3. Three environments are created automatically: dev, staging, production
  4. Add secrets per environment — never share secrets across environments directly

Machine identities · Universal Auth

Machine identities replace long-lived API keys. Each identity exchanges its client ID and client secret for short-TTL access tokens; what a token may read is determined by the project roles the identity has been granted (see Scoping access), and the TTL caps how long a leaked token stays useful.

Create an identity

  1. Dashboard → Access Control → Machine Identities → New
  2. Set name: gofyio/machine-api
  3. Auth method: Universal Auth
  4. Set the access token TTL (recommended: 8h for services, 1h for CI). Keep it as short as the consumer's refresh cycle allows; the k8s Operator refreshes tokens automatically, so a long TTL buys nothing but exposure.
  5. Copy the client ID and client secret and store them in your CI secret store or a k8s Secret. The client secret is shown only once; if you lose it, generate a new client secret rather than recovering a copy from a chat or ticket.

Scoping access

After creating the identity, assign it to a project with the minimum required permissions.

  1. Open the project → Access Control → Add member
  2. Select the machine identity
  3. Set role: Viewer (read-only) unless the service needs to write secrets
  4. Optionally restrict to specific environments or secret paths

Revocation

shell · instant revocation
# Via CLI
infisical identities revoke --id identity-id

# Or delete the identity from the dashboard. Access tokens are checked against
# the server on every request, so every token issued to a deleted identity is
# rejected from then on, regardless of its remaining TTL.

If only a client secret may have leaked (pasted into a log, for example), delete that client secret on the identity and issue a new one instead of deleting the whole identity; the project memberships and roles stay intact and the consumers only need the new secret.

CLI · infisical run

Wraps any process and injects secrets as environment variables. The child process sees them as process.env; nothing is written to disk. They are ordinary environment variables, though: any subprocess the command spawns inherits them unless the command strips them first, and on Linux any process running as the same user can read them from /proc/<pid>/environ.

shell
infisical run \
  --projectId gofyio \
  --env production \
  --domain https://envfyio.internal/api \
  -- your-command args

Common options:

  --projectId          Infisical project to read from (gofyio in the examples on this page)
  --env                dev | staging | production
  --domain             envfyio API base URL on the tailnet, including the /api suffix the CLI expects
  --path               Secret path to read from (default /)
  --recursive          Include secrets from sub-folders
  --secret-overriding  Prefer your personal override of a key over the shared value (dev only)
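The following is an added example, not part of envfyio or the Infisical CLI, showing the inheritance caveat above in running code: a service that received secrets from infisical run spawns a helper, and the helper sees every injected variable unless the parent builds the child's environment from an allowlist. The secret names and values are constructed for the example; the probe child only reports variable names, never values.

```typescript
import { spawnSync } from 'node:child_process';

type Env = Record<string, string | undefined>;

// Keys we pretend `infisical run` injected. Constructed for this example; a real
// service would list the secret names it actually loads.
export const SECRET_KEYS = ['STRIPE_SECRET_KEY', 'DATABASE_URL'];

/**
 * Build the environment for a subprocess from an explicit allowlist, so injected
 * secrets stop at the process that needs them instead of flowing into every child.
 */
export function childEnv(
  parent: Env,
  allow: string[] = ['PATH', 'HOME', 'LANG', 'NODE_ENV'],
): Env {
  const out: Env = {};
  for (const k of allow) {
    if (parent[k] !== undefined) out[k] = parent[k];
  }
  return out;
}

/**
 * Spawn a throwaway node child with the given environment and return which of
 * `keys` it could read. The child prints variable names only, never values.
 */
export function keysVisibleToChild(env: Env, keys: string[]): string[] {
  const probe = 'process.stdout.write(JSON.stringify(Object.keys(process.env)))';
  const res = spawnSync(process.execPath, ['-e', probe], { env, encoding: 'utf8' });
  if (res.status !== 0) throw new Error(`probe failed: ${res.stderr}`);
  const visible = new Set<string>(JSON.parse(res.stdout) as string[]);
  return keys.filter((k) => visible.has(k));
}

/** Compare a naively inherited environment with an allowlisted one. */
export function demo(): { inherited: string[]; scrubbed: string[] } {
  // Simulate the post-injection environment of a service (constructed values,
  // not real credentials).
  const injected: Env = {
    ...process.env,
    STRIPE_SECRET_KEY: 'sk_test_constructed',
    DATABASE_URL: 'postgres://db.internal/gofyio',
  };
  return {
    // default spawn semantics: the child sees both secrets
    inherited: keysVisibleToChild(injected, SECRET_KEYS),
    // allowlisted environment: the child sees neither
    scrubbed: keysVisibleToChild(childEnv(injected), SECRET_KEYS),
  };
}
```

The same allowlist belongs in front of any `exec`/`spawn` of a third-party tool (image converters, PDF renderers, git) inside a fyio service; those tools have no use for STRIPE_SECRET_KEY and are the first place a command-injection bug would go looking for it.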

k8s Operator

The Infisical Operator is deployed in the cluster and watches InfisicalSecret CRDs. It syncs secrets from envfyio into Kubernetes Secrets and keeps them up to date.

infisicalsecret.yaml
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: gofyio-secrets
  namespace: gofyio
spec:
  hostAPI: https://envfyio.internal/api   # the Operator expects the /api suffix
  resyncInterval: 60
  authentication:
    universalAuth:
      credentialsRef:
        secretName: gofyio-machine-credentials
        secretNamespace: gofyio
      secretsScope:
        projectSlug: gofyio
        envSlug: production
        secretsPath: "/"
        recursive: true
  managedSecretReference:
    secretName: gofyio-infisical-secrets
    secretNamespace: gofyio
Note: Create the gofyio-machine-credentials k8s Secret with the keys clientId and clientSecret from the machine identity you created. The Operator handles token refresh automatically. The synced gofyio-infisical-secrets object is a plain Kubernetes Secret, so it is only as protected as the cluster's etcd encryption and RBAC: restrict get/list/watch on Secrets in the gofyio namespace to the service account that actually mounts it.

@envfyio/sdk

A thin provider wrapper around Infisical for in-process secret fetching. Backend-agnostic — swap to OpenBao without changing app code.

shell
npm install @envfyio/sdk
TypeScript
import { createSecretsClient } from '@envfyio/sdk';

const secrets = createSecretsClient({
  project: 'gofyio',
  env: process.env.NODE_ENV as 'dev' | 'staging' | 'production',
  cacheTtl: 300, // seconds
});

// Typed, cached, never plaintext in source
const stripeKey = await secrets.get('STRIPE_SECRET_KEY');

GitHub Actions

.github/workflows/deploy.yml
- name: Inject secrets from envfyio
  uses: Infisical/secrets-action@v1
  with:
    method: universal
    client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
    client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
    project-slug: gofyio
    env-slug: production
    domain: https://envfyio.internal
Note: Store only the machine identity client ID and secret in GitHub Actions secrets; envfyio fetches everything else at runtime. The injected values are exported into the environment of every later step in the job, so place this step as late as possible and never dump the environment in a debugging step. Pin the action to a full commit SHA rather than a moving tag, as for any action that handles credentials.

Rotation

Secret rotation can be triggered manually from the dashboard or via the API. Writing a new value in envfyio does not push it anywhere; each consumer picks it up according to how it fetches secrets: an infisical run process only at its next restart, the k8s Operator on its next resync (resyncInterval), and an @envfyio/sdk client when its cache entry expires (cacheTtl). Overwriting the value in envfyio does not invalidate the old credential at the provider, so revoke it there (at Stripe, in the example below) once every consumer has moved, and not before.

shell · manual rotation
infisical secrets set STRIPE_SECRET_KEY=new-value \
  --projectId gofyio \
  --env production
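The following is an added illustration of the cacheTtl semantics described in the @envfyio/sdk section and the propagation delay described under Rotation; it is not the @envfyio/sdk implementation. It assumes a backend interface with a single get(project, env, key) call, uses an in-memory stand-in for envfyio so it runs offline, and drives the clock by hand so the timeline is deterministic. The secret values are constructed.

```typescript
/** Anything that can fetch one secret value; envfyio behind a thin adapter in production. */
export interface SecretBackend {
  get(project: string, env: string, key: string): Promise<string | undefined>;
}

interface CacheEntry { value: string; expiresAt: number }

export class CachedSecrets {
  private cache = new Map<string, CacheEntry>();
  private inflight = new Map<string, Promise<string>>();
  /** Backend round-trips so far, exposed so the timeline below can show caching at work. */
  fetches = 0;

  constructor(
    private backend: SecretBackend,
    private project: string,
    private env: string,
    private cacheTtlSec: number,
    private now: () => number = () => Date.now(), // injectable clock (ms) for deterministic tests
  ) {}

  async get(key: string): Promise<string> {
    const hit = this.cache.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.value;
    // Coalesce concurrent misses: one expiry must not turn into N simultaneous calls to envfyio.
    let pending = this.inflight.get(key);
    if (!pending) {
      pending = this.fetch(key).finally(() => this.inflight.delete(key));
      this.inflight.set(key, pending);
    }
    return pending;
  }

  /** Drop cached entries so the next read goes to the backend; the SDK equivalent of a restart. */
  invalidate(key?: string): void {
    if (key === undefined) this.cache.clear();
    else this.cache.delete(key);
  }

  private async fetch(key: string): Promise<string> {
    this.fetches++;
    const value = await this.backend.get(this.project, this.env, key);
    // Fail closed: a missing secret is an error, never an empty string the app would happily use.
    if (value === undefined) throw new Error(`secret ${key} not found in ${this.project}/${this.env}`);
    this.cache.set(key, { value, expiresAt: this.now() + this.cacheTtlSec * 1000 });
    return value;
  }
}

/** In-memory stand-in for envfyio so the example runs offline (constructed, not the real backend). */
export class MemoryBackend implements SecretBackend {
  private store = new Map<string, string>();
  set(project: string, env: string, key: string, value: string): void {
    this.store.set(`${project}/${env}/${key}`, value);
  }
  async get(project: string, env: string, key: string): Promise<string | undefined> {
    return this.store.get(`${project}/${env}/${key}`);
  }
}

/** Rotate STRIPE_SECRET_KEY in the backend and record what a consumer with cacheTtl=300 sees. */
export async function rotationTimeline(): Promise<{ seen: string[]; fetches: number }> {
  let clock = 0; // milliseconds, advanced by hand
  const key = 'STRIPE_SECRET_KEY';
  const backend = new MemoryBackend();
  backend.set('gofyio', 'production', key, 'sk_live_old_constructed');
  const secrets = new CachedSecrets(backend, 'gofyio', 'production', 300, () => clock);

  const seen: string[] = [];
  seen.push(await secrets.get(key));                                    // cold read: hits the backend
  backend.set('gofyio', 'production', key, 'sk_live_new_constructed'); // rotation happens in envfyio
  seen.push(await secrets.get(key));                                    // still old: served from cache
  clock = 299_000;
  seen.push(await secrets.get(key));                                    // still old, 1 s before expiry
  clock = 300_000;
  seen.push(await secrets.get(key));                                    // expired: new value fetched
  // Forced cut-over: invalidate, then three concurrent readers cause exactly one backend call.
  secrets.invalidate(key);
  await Promise.all([secrets.get(key), secrets.get(key), secrets.get(key)]);
  return { seen, fetches: secrets.fetches };
}
```

The timeline is the point: with cacheTtl set to 300, a rotated-out Stripe key can still be presented by a healthy service for up to five minutes, which is the window you must wait out before revoking the old key at the provider. If that window is too long for a given secret, lower cacheTtl for it or call invalidate from a rotation hook rather than revoking early.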

Audit log

All secret access events are logged with actor, project, environment, secret path, and timestamp. Logs are viewable in the dashboard under Audit Logs; ship them to your log pipeline as well, so they survive a compromise of the envfyio host and can be alerted on rather than only read after the fact.

Fields per log entry:

  actor      Machine identity or user who made the request
  event      READ | WRITE | DELETE | ROTATE
  project    Project slug
  env        Environment slug
  path       Secret path within the project
  timestamp  UTC ISO 8601
  ip         Source IP of the request
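As an added example (not part of envfyio or Infisical), here is detection logic run over audit entries in the field layout above. It assumes the entries are available as newline-delimited JSON with exactly those field names, and it encodes the expectations set under Scoping access as a per-identity policy: which project and environments an identity was added to, whether it is read-only, and that machine identities reach envfyio from the Tailscale CGNAT range 100.64.0.0/10. Human actors are not subject to those rules; their production reads are surfaced for review. The policies, identity names and log lines are constructed.

```typescript
type AuditEvent = 'READ' | 'WRITE' | 'DELETE' | 'ROTATE';

interface AuditEntry {
  actor: string; event: AuditEvent; project: string; env: string;
  path: string; timestamp: string; ip: string;
}

/** What each machine identity is supposed to do, mirroring its project role. Constructed. */
interface IdentityPolicy { project: string; envs: string[]; readOnly: boolean; cidrs: string[] }

const POLICIES: Record<string, IdentityPolicy> = {
  'gofyio/machine-api': { project: 'gofyio', envs: ['production'], readOnly: true, cidrs: ['100.64.0.0/10'] },
  'gofyio/ci': { project: 'gofyio', envs: ['staging', 'production'], readOnly: true, cidrs: ['100.64.0.0/10'] },
};

export interface Finding { timestamp: string; actor: string; rule: string; detail: string }

/** Dotted-quad IPv4 to an unsigned 32-bit integer, or null if malformed. */
function ipv4(ip: string): number | null {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

/** True if ip lies inside cidr. Malformed input counts as outside, so odd entries fail closed. */
export function inCidr(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split('/');
  const a = ipv4(ip), b = ipv4(net), bits = Number(bitsStr);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

/** Apply the policy rules to one entry and return zero or more findings. */
export function checkEntry(e: AuditEntry): Finding[] {
  const out: Finding[] = [];
  const flag = (rule: string, detail: string) =>
    out.push({ timestamp: e.timestamp, actor: e.actor, rule, detail });
  const policy = POLICIES[e.actor];
  if (!policy) {
    // Unknown to the policy table: treat as a human user. Production reads by people
    // are legitimate but rare, so surface them for review instead of alerting.
    if (e.env === 'production') flag('human-production-access', `${e.event} ${e.project}/${e.env}${e.path}`);
    return out;
  }
  if (e.project !== policy.project || !policy.envs.includes(e.env))
    flag('out-of-scope', `scoped to ${policy.project}/${policy.envs.join('|')}, touched ${e.project}/${e.env}`);
  if (policy.readOnly && e.event !== 'READ')
    flag('write-by-readonly-identity', `${e.event} on ${e.path}`);
  if (!policy.cidrs.some((c) => inCidr(e.ip, c)))
    flag('off-tailnet-source', `request from ${e.ip}`);
  return out;
}

/** Scan NDJSON audit entries; malformed lines become findings rather than being skipped silently. */
export function scan(ndjson: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of ndjson.split('\n').filter((l) => l.trim() !== '')) {
    let e: AuditEntry;
    try {
      e = JSON.parse(line) as AuditEntry;
    } catch {
      findings.push({ timestamp: '', actor: '', rule: 'unparseable', detail: line.slice(0, 80) });
      continue;
    }
    findings.push(...checkEntry(e));
  }
  return findings;
}

// Constructed sample entries in the documented field layout (not real envfyio output).
export const SAMPLE_LOG = [
  '{"actor":"gofyio/machine-api","event":"READ","project":"gofyio","env":"production","path":"/STRIPE_SECRET_KEY","timestamp":"2024-05-01T10:00:00Z","ip":"100.101.102.103"}',
  '{"actor":"gofyio/machine-api","event":"READ","project":"payfyio","env":"production","path":"/DB_URL","timestamp":"2024-05-01T10:00:05Z","ip":"100.101.102.103"}',
  '{"actor":"gofyio/ci","event":"WRITE","project":"gofyio","env":"staging","path":"/FEATURE_FLAG","timestamp":"2024-05-01T10:01:00Z","ip":"100.90.1.2"}',
  '{"actor":"gofyio/machine-api","event":"READ","project":"gofyio","env":"production","path":"/STRIPE_SECRET_KEY","timestamp":"2024-05-01T10:02:00Z","ip":"203.0.113.7"}',
  '{"actor":"alice@fyio.example","event":"READ","project":"gofyio","env":"production","path":"/STRIPE_SECRET_KEY","timestamp":"2024-05-01T10:03:00Z","ip":"100.64.0.9"}',
  '{"actor":"alice@fyio.example","event":"READ","project":"gofyio","env":"dev","path":"/STRIPE_SECRET_KEY","timestamp":"2024-05-01T10:04:00Z","ip":"100.64.0.9"}',
].join('\n');
```

Running scan(SAMPLE_LOG) yields four findings: the second line shows gofyio/machine-api reading payfyio, which means the identity was granted membership it should not have; the third is a write by a Viewer-role identity; the fourth is a token used from outside the tailnet, the signature of a leaked access token; the fifth is a person reading production. The policy table is the part to keep honest: it should be generated from the roles actually assigned in envfyio, not maintained by hand next to the detector.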

Point-in-time recovery

Every secret write creates a new version. Previous versions are retained indefinitely. Roll back to any version from the dashboard.

  1. Open the project → navigate to the secret
  2. Click Version history
  3. Select the version to restore
  4. Click Restore this version. The value is updated immediately in envfyio and reaches consumers the same way a rotation does (restart, Operator resync, or SDK cache expiry).