# Engram Cloud — Security Configuration

Complete guide to securing Engram Cloud on the VPS.

---

## Current configuration

- **Server:** `https://engram.v-encore-lab.com`
- **Dashboard:** `https://engram.v-encore-lab.com/dashboard/`
- **Token:** `e5ace1caed605543642c1032ef9e24f803f092b4ef9863cc068a8eceaa01445b`
- **Mode:** enterprise with JWT authentication enabled
- **Allowed projects:** `smoke-project`, `planificacion_proyectos`, `gestion-talleres-2000`

---

## Docker Compose on the VPS

Location: `/opt/engram/docker-compose.cloud.yml`

```yaml
services:
  postgres:
    restart: always
    image: postgres:16-alpine
    container_name: engram-cloud-postgres
    environment:
      POSTGRES_USER: engram
      POSTGRES_PASSWORD: engram_dev
      POSTGRES_DB: engram_cloud
    ports:
      # Published on the VPS loopback interface only
      - "127.0.0.1:5433:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U engram -d engram_cloud"]
      interval: 5s
      timeout: 3s
      retries: 10
    volumes:
      - engram-cloud-pg:/var/lib/postgresql/data

  cloud:
    restart: always
    build:
      context: .
      dockerfile: docker/cloud/Dockerfile
    container_name: engram-cloud
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      ENGRAM_DATABASE_URL: postgres://engram:engram_dev@postgres:5432/engram_cloud?sslmode=disable
      ENGRAM_JWT_SECRET: "e5ace1caed605543642c1032ef9e24f803f092b4ef9863cc068a8eceaa01445b"
      ENGRAM_CLOUD_TOKEN: "e5ace1caed605543642c1032ef9e24f803f092b4ef9863cc068a8eceaa01445b"
      ENGRAM_CLOUD_ALLOWED_PROJECTS: smoke-project,planificacion_proyectos,gestion-talleres-2000
      ENGRAM_CLOUD_HOST: 0.0.0.0
      ENGRAM_PORT: "18080"
    ports:
      # Published on the VPS loopback interface only; the reverse proxy
      # reaches the container over the Docker network (see step 2 below)
      - "127.0.0.1:18080:18080"
    command: ["cloud", "serve"]

volumes:
  engram-cloud-pg:
```

---

## If the VPS goes down or you need to reinstall

### 1. Clone the repo and start it

```bash
cd /opt
sudo git clone https://github.com/Gentleman-Programming/engram
cd /opt/engram
```

Overwrite the docker-compose with the secure configuration:

```bash
cat > /opt/engram/docker-compose.cloud.yml << 'EOF'
# paste the contents of the block above here
EOF
```

Start it:

```bash
docker compose -f docker-compose.cloud.yml up -d
```

### 2. Connect to the Nginx Proxy Manager network

```bash
docker network connect nginx-proxy-manager_default engram-cloud
```

---

## If you need to regenerate the token

On the VPS, generate a new one:

```bash
openssl rand -hex 32
```

Update `ENGRAM_JWT_SECRET` and `ENGRAM_CLOUD_TOKEN` in the docker-compose and restart:

```bash
docker compose -f docker-compose.cloud.yml up -d --force-recreate cloud
```

---

## Dashboard access

- URL: `https://engram.v-encore-lab.com/dashboard/`
- **Cloud Token** field: paste the `ENGRAM_CLOUD_TOKEN`
- Without the token nobody can access the data

---

## Verifying that the server is secure

```bash
docker logs engram-cloud --tail 10
```

✅ Correct — it should show only:

```
Starting Engram cloud server on port 18080
[engram-cloud] listening on 0.0.0.0:18080
```

❌ Insecure — if this line appears, remove `ENGRAM_CLOUD_INSECURE_NO_AUTH` from the docker-compose:

```
warning: ENGRAM_CLOUD_INSECURE_NO_AUTH=1 disables cloud API authentication
```

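The same check can be run against the compose file before the container starts. The script below is an added example, not part of the original guide or of the Engram project. The function names, the constructed sample file and the rule that both secrets are 64 hex characters (the output format of `openssl rand -hex 32`) are assumptions of this example.

```bash
# Added example: static audit of a compose file shaped like the one in this guide.
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_compose() {
  # Drop full-line and trailing comments so commented-out settings are ignored.
  body=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]\{1,\}#.*$//' "$1")
  out=$(
    # 1. The auth bypass named in the log warning must not be configured.
    if printf '%s\n' "$body" | grep -q 'ENGRAM_CLOUD_INSECURE_NO_AUTH'; then
      echo "FAIL: ENGRAM_CLOUD_INSECURE_NO_AUTH is set"
    fi
    # 2. host:container port mappings must be bound to 127.0.0.1, as in the guide.
    printf '%s\n' "$body" |
      grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]+(:[0-9.]+)+"?[[:space:]]*$' |
      tr -d ' "-' | grep -v '^127\.0\.0\.1:' |
      sed 's/^/FAIL: port published beyond loopback: /'
    # 3. Assumption: secrets are 64 hex characters, as openssl rand -hex 32 emits.
    for key in ENGRAM_JWT_SECRET ENGRAM_CLOUD_TOKEN; do
      value=$(printf '%s\n' "$body" |
        sed -n "s/^[[:space:]]*$key:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p")
      printf '%s\n' "$value" | grep -Eq '^[0-9a-f]{64}$' ||
        echo "FAIL: $key is missing or not 64 hex characters"
    done
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Constructed sample, not the real file: bypass enabled, weak token, exposed port.
write_bad_sample() {
  cat > "$1" <<'EOF'
services:
  cloud:
    environment:
      ENGRAM_JWT_SECRET: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
      ENGRAM_CLOUD_TOKEN: "changeme"
      ENGRAM_CLOUD_INSECURE_NO_AUTH: "1"
    ports:
      - "18080:18080"
EOF
}

# Demo on the sample; on the VPS pass /opt/engram/docker-compose.cloud.yml instead.
demo=$(mktemp)
write_bad_sample "$demo"
audit_compose "$demo" || echo "compose file needs fixing"
rm -f "$demo"
```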

---

## Nginx Proxy Manager — Proxy host configuration

| Field | Value |
|---|---|
| Domain | `engram.v-encore-lab.com` |
| Scheme | `http` |
| Forward Hostname | `engram-cloud` |
| Forward Port | `18080` |
| SSL | Let's Encrypt |
| Force SSL | |