n8n (workflow.eidos-global.com)

Second n8n instance at workflow.eidos-global.com, hosted on Dokploy/E2. Stood up as the eventual replacement for the legacy n8n on O1 (25-n8n.md) — workflows will migrate here and the O1 instance will be retired once parity is reached.

| Field | Value |
| --- | --- |
| Public URL | https://workflow.eidos-global.com |
| Audience | engineers, ops, possibly business users |
| Criticality | medium — new instance, no paying-customer workflows yet |
| Maturity | hobby |
| Owner | Vishnu Kant |
| Last reviewed | 2026-05-20 |

1. At a glance

Second n8n estate, deliberately stood up on managed PaaS rather than on O1 directly. The strategic goal is to consolidate all n8n workflows here and retire the O1 instance, removing one of the larger sources of O1 single-host risk (today O1 carries Authentik + Vault + n8n + MinIO + more — see the O1 SPOF note in README.md). Until migration is complete, both instances coexist and the authoritative location of any given workflow must be tracked deliberately.

See 25-n8n.md for the legacy instance still carrying the production-critical TnE Connect AI workflows (timesheet booking, OCR receipts) and the Atlassian/JIRA glue. Until those move, n8n.448.global remains the production system; workflow.eidos-global.com is the build-out target.

2. Business purpose

  • Provide a more resilient home for workflow automation by moving off the O1 single-VPS estate onto managed Dokploy hosting.
  • Consolidate the n8n surface into one instance (today there are two) before the team grows.
  • Give Vishnu a clean environment to rebuild workflows under source control (n8n Git-sync) rather than inheriting the O1 host-only history.

3. Audience

Engineers and any builder-leaning staff (same as 25-n8n.md). Public to the internet at workflow.eidos-global.com; SSO/MFA posture [INFO NEEDED].

4. Hosting & cloud infrastructure

  • Server: E2 EIDOSDev1 Dokploy VPS
  • Platform: Dokploy — see 18-dokploy.md
  • Reverse proxy chain: [CONFIRM] whether workflow.eidos-global.com is fronted by Caddy on E1 → Traefik on E2 (same pattern as the WordPress sites and CRMs) or DNS-pointed directly at E2.

Infrastructure map

| Item | Value | Notes |
| --- | --- | --- |
| Public hostname | workflow.eidos-global.com | DNS provider: GoDaddy (per domains.md) |
| Backend host | E2 (Dokploy) | |
| Open ports | 443 | |
| TLS cert | [CONFIRM] LE via Traefik (Dokploy default) | |
| Reverse proxy | Traefik (Dokploy); possibly behind E1 Caddy [CONFIRM] | |
| Container image / version | n8nio/n8n:[INFO NEEDED] | |
| Database | [INFO NEEDED] (PostgreSQL recommended for prod) | |
| Worker mode | [INFO NEEDED] | |
| Active workflows | [INFO NEEDED] | track which workflows are authoritative here vs O1 |

Credentials in Vault

All secrets root at kv_pe/kv/workflow.eidos-global.com.

| Secret type | Vault path | Last rotated |
| --- | --- | --- |
| n8n admin login | kv_pe/kv/workflow.eidos-global.com | [INFO NEEDED] |
| Database password | kv_pe/kv/workflow.eidos-global.com | [INFO NEEDED] |
| N8N_ENCRYPTION_KEY | kv_pe/kv/workflow.eidos-global.com | without this, every stored credential is unrecoverable |
| Per-workflow third-party credentials | n8n stores these encrypted in its DB | [INFO NEEDED] |

5. Technology behind it

  • Type: off-the-shelf
  • Product: n8n (open-source, n8n.io)
  • Stack: Node.js + Postgres (or SQLite); deployed via Dokploy

6. Data it handles

  • Workflow definitions.
  • Credentials for every external service connected — encrypted but recoverable with N8N_ENCRYPTION_KEY.
  • Execution history (may contain payload data including PII).

7. External dependencies

  • The Dokploy control plane on E2 (see 18-dokploy.md) — if Dokploy is unhealthy, redeploys / env-var edits stop; the running container should keep serving.
  • Whatever third-party APIs migrated workflows call (likely the same set as O1: Atlassian, OpenAI, GitLab, etc. — see 25-n8n.md §7).
  • DNS via GoDaddy.

8. Authentication & access

  • End-user login: n8n local accounts [CONFIRM]
  • OIDC / Authentik? [INFO NEEDED] — should be wired before any production workflow lands here
  • MFA? [INFO NEEDED]

9. Maturity assessment

| Dimension | Status | Evidence |
| --- | --- | --- |
| Backups | [INFO NEEDED] | DB + encryption key — must be in Vault before paying-customer workflows migrate |
| Workflow versioning | [INFO NEEDED] | n8n Git-sync should be wired from day one |
| Monitoring | [INFO NEEDED] | Beszel coverage of E2 already exists |
| Alerting | [INFO NEEDED] | failed-execution → Gotify? |
| Patching cadence | [INFO NEEDED] | |

Overall maturity: hobby

10. Known risks & vulnerabilities

  • Two-n8n drift — with both n8n.448.global (O1) and workflow.eidos-global.com (E2) live, it is easy for a workflow to be copied/moved without being decommissioned in the other place, producing duplicate executions, stale credentials, or silently broken pipelines. Until the O1 instance is retired, every workflow needs a single declared "home" (and the other side disabled).
  • Encryption-key loss — without N8N_ENCRYPTION_KEY (Vault-resident), every stored credential becomes a dead string. Same risk class as the O1 instance.
  • Workflow definitions not in Git (yet) — same risk class as KI-001 / KI-015. Wire n8n Git-sync to git.projecteidos.com before any production workflow lands here.
  • Public dashboard — the n8n UI on the open internet is a brute-force target; should be behind Authentik OIDC or Wireguard-only.
  • Webhook abuse — public n8n webhook URLs are unauthenticated by default; the URL alone is enough to fire workflows.
  • Patch lag — n8n has shipped multiple auth/IDOR CVEs historically.
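
Added example (not part of the original record, and not project tooling): a check for the two-n8n drift and webhook abuse risks above, run over workflow exports from both instances. It assumes each export is a list of n8n workflow objects with "name", "active" and "nodes", and that a workflow carries the same name on O1 and E2; the workflow names and sample data are constructed.

```python
# Added example: audit exported n8n workflows from both instances.
# Assumes each export is a list of workflow dicts carrying "name", "active"
# and "nodes", as in n8n's workflow JSON; the sample data is constructed.

WEBHOOK_TYPE = "n8n-nodes-base.webhook"


def active_on_both(o1_workflows, e2_workflows):
    """Names of workflows that are active on both instances (drift)."""
    o1_active = {w["name"] for w in o1_workflows if w.get("active")}
    e2_active = {w["name"] for w in e2_workflows if w.get("active")}
    return sorted(o1_active & e2_active)


def open_webhooks(workflows):
    """(workflow name, webhook path) for active webhooks with no auth set."""
    findings = []
    for wf in workflows:
        if not wf.get("active"):
            continue
        for node in wf.get("nodes", []):
            if node.get("type") != WEBHOOK_TYPE:
                continue
            params = node.get("parameters", {})
            # Assumption: an absent "authentication" parameter means the
            # node was left at its default, which is no authentication.
            if params.get("authentication", "none") == "none":
                findings.append((wf["name"], params.get("path", "")))
    return sorted(findings)


# Constructed sample exports (not real workflows from either instance).
O1_EXPORT = [
    {"name": "receipt-ocr", "active": True, "nodes": [
        {"type": WEBHOOK_TYPE, "parameters": {"path": "ocr-in"}}]},
    {"name": "jira-sync", "active": True, "nodes": []},
]
E2_EXPORT = [
    {"name": "receipt-ocr", "active": True, "nodes": [
        {"type": WEBHOOK_TYPE,
         "parameters": {"path": "ocr-in", "authentication": "headerAuth"}}]},
    {"name": "jira-sync", "active": False, "nodes": []},
]

if __name__ == "__main__":
    print("active on both:", active_on_both(O1_EXPORT, E2_EXPORT))
    print("open webhooks on O1:", open_webhooks(O1_EXPORT))
    print("open webhooks on E2:", open_webhooks(E2_EXPORT))
```

Any name reported as active on both instances needs a declared home and the other copy disabled before the next scheduled or webhook-triggered run.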

Follow-on paperwork (not done in this change): the O1 → E2 migration deserves its own KI/RM pair in known-issues.md and phase-2-roadmap.md once the migration plan firms up.

11. Impact if it goes down

  • Today: low — no production workflows here yet.
  • Post-migration: equivalent to the current O1 n8n impact (cascading "this integration stopped working" across the estate; see 25-n8n.md §11).

12. Owner & on-call

  • Primary owner: Vishnu Kant
  • Backup owner: [INFO NEEDED]
  • On-call channel: [INFO NEEDED]