Self-host with Docker Compose
The fastest and most recommended option for small-to-medium teams. Stack:
- Postgres 16 (Docker)
- CVSM API (Docker, Go binary)
- Nginx (reverse proxy + TLS)
Prerequisites
- Linux VPS (Ubuntu 22.04+ / Debian 12+ recommended); 1 vCPU + 1 GB RAM is enough for < 50 users
- Your own domain (for example vault.company.com)
- Docker + Docker Compose installed
- Ports 80 and 443 open
Step 1. Clone distribution repo
    cd /opt
    git clone https://github.com/RenzyArmstrong/Calvery-Vault.git cvsm
    cd cvsm
Step 2. Generate secrets
    cat > .env <<EOF
    POSTGRES_USER=cvsm
    POSTGRES_PASSWORD=$(openssl rand -hex 16)
    POSTGRES_DB=cvsm
    DATABASE_URL=postgres://cvsm:REPLACE_ME@postgres:5432/cvsm

    JWT_SECRET=$(openssl rand -hex 32)
    ENCRYPTION_KEY=$(openssl rand -hex 32)

    APP_URL=https://vault.company.com
    ALLOWED_ORIGINS=https://vault.company.com

    # Optional SMTP for email verification + password reset
    SMTP_HOST=smtp.resend.com
    SMTP_PORT=587
    SMTP_USER=resend
    SMTP_PASSWORD=re_xxxxxxxxxxxx
    EOF

    # Replace REPLACE_ME in DATABASE_URL with POSTGRES_PASSWORD
    POSTGRES_PASS=$(grep '^POSTGRES_PASSWORD=' .env | cut -d= -f2)
    sed -i "s|REPLACE_ME|$POSTGRES_PASS|" .env

    chmod 600 .env  # protect from other users
Step 3. Start stack
    docker compose up -d
Check status:
    docker compose ps
    docker compose logs api --tail 50
Expected: cvsm-api listening on 127.0.0.1:8080.
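A check on the `.env` written in Step 2, worth running before the stack goes up: it confirms the file mode, that the `REPLACE_ME` substitution happened, and that the two keys have the length `openssl rand -hex 32` produces. This is an added example, not part of the CVSM repository; the function names `env_get` and `check_env` and the script name are hypothetical.

```shell
#!/bin/bash
# Added example (not from the CVSM repo): sanity-check the .env from Step 2.
# check_env FILE prints one line per problem and returns the problem count.

# Print the value of KEY ($2) from env file ($1): text after the first '='.
env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

check_env() {
  local file=$1 problems=0 key val db_pass
  # Mode must be exactly 600, as set by `chmod 600 .env`.
  if [ -z "$(find "$file" -prune -perm 600)" ]; then
    echo "permissions: $file is not mode 600"; problems=$((problems + 1))
  fi
  # The sed step must have replaced the placeholder.
  if grep -q 'REPLACE_ME' "$file"; then
    echo "DATABASE_URL: REPLACE_ME placeholder still present"; problems=$((problems + 1))
  fi
  # `openssl rand -hex 32` yields exactly 64 lowercase hex characters.
  for key in JWT_SECRET ENCRYPTION_KEY; do
    val=$(env_get "$file" "$key")
    if ! printf '%s\n' "$val" | grep -Eq '^[0-9a-f]{64}$'; then
      echo "$key: expected 64 hex characters, got ${#val}"; problems=$((problems + 1))
    fi
  done
  # The password embedded in DATABASE_URL must equal POSTGRES_PASSWORD.
  db_pass=$(env_get "$file" POSTGRES_PASSWORD)
  case "$(env_get "$file" DATABASE_URL)" in
    "postgres://cvsm:${db_pass}@"*) ;;
    *) echo "DATABASE_URL: password differs from POSTGRES_PASSWORD"; problems=$((problems + 1)) ;;
  esac
  # One value reused for both roles means one leak exposes both.
  if [ "$(env_get "$file" JWT_SECRET)" = "$(env_get "$file" ENCRYPTION_KEY)" ]; then
    echo "JWT_SECRET and ENCRYPTION_KEY are identical"; problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage: bash check-env.sh .env   (does nothing when called without arguments)
[ $# -eq 0 ] || check_env "$1"
```

The exit status is the number of problems found, so the script can gate `docker compose up -d` in a deploy wrapper.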
Step 4. Run migrations
    # Apply all migrations in order (all are idempotent thanks to IF NOT EXISTS)
    for f in migrations/*.sql; do
      echo "Applying $f"
      docker compose exec -T postgres psql -U cvsm -d cvsm < "$f"
    done
Step 5. Nginx + TLS
Install:
    apt install -y nginx certbot python3-certbot-nginx
Config:
    # /etc/nginx/sites-available/cvsm
    server {
        listen 80;
        server_name vault.company.com;
        location /.well-known/acme-challenge/ { root /var/www/certbot; }
        location / { return 301 https://$host$request_uri; }
    }

    server {
        listen 443 ssl http2;
        server_name vault.company.com;

        ssl_certificate /etc/letsencrypt/live/vault.company.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/vault.company.com/privkey.pem;

        location / {
            # The API container listens on loopback only; Nginx is the public entry point
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
Enable + TLS:
    ln -s /etc/nginx/sites-available/cvsm /etc/nginx/sites-enabled/cvsm
    nginx -t && systemctl reload nginx
    certbot --nginx -d vault.company.com
Step 6. Create the first admin user
Open https://vault.company.com → register. The first user automatically becomes the system admin.
Step 7. Point the SDK at the self-hosted instance
    const calvery = new Calvery({
      token: process.env.CVSM_TOKEN!,
      team: 'internal',
      baseUrl: 'https://vault.company.com',
    })
Update
Pull the new image + restart:
    cd /opt/cvsm
    git pull
    docker compose pull
    docker compose up -d
Run any new migrations (check CHANGELOG.md):
    docker compose exec -T postgres psql -U cvsm -d cvsm < migrations/011_new.sql
Backup
Database
    #!/bin/bash
    # pipefail: a pg_dump failure aborts the script instead of being masked by gzip
    set -eo pipefail
    BACKUP_DIR=/var/backups/cvsm
    mkdir -p "$BACKUP_DIR"
    docker compose -f /opt/cvsm/docker-compose.yml exec -T postgres \
      pg_dump -U cvsm cvsm | gzip > "$BACKUP_DIR/cvsm-$(date +%F).sql.gz"

    # Retention: keep 30 days
    find "$BACKUP_DIR" -name "cvsm-*.sql.gz" -mtime +30 -delete
Don't forget to chmod +x the script and test it manually first.
Encryption key
Critical: back up ENCRYPTION_KEY from .env to:
- Password manager (1Password / Bitwarden): for quick access
- Paper copy in a safe: disaster recovery (in case the password manager is compromised)
- A second sysadmin (if the team has more than one person)
Without ENCRYPTION_KEY, the database backup is useless.
Monitoring (minimal)
    # Health check
    curl -f https://vault.company.com/health || echo "DOWN"

    # Disk usage
    df -h /var/lib/docker/volumes/

    # Log errors
    docker compose logs api --since 1h | grep -i error
Recommended: set up Uptime Kuma for a visual dashboard.
Scaling
A single-VPS Docker Compose deployment is enough for:
- ~100 active users
- ~10k secrets
- ~1k req/min
Beyond that, move to Kubernetes; see Self-host K8s.