From 47feb3c7bff4dcd4112f23fd2337bb77142d6073 Mon Sep 17 00:00:00 2001
From: Tiago Ribeiro
Date: Thu, 5 Mar 2026 09:40:58 -0300
Subject: [PATCH] docs: atualizar auditoria de acessos e sync de vault
---
 CONNECTIONS.md | 150 +++++++++++---------------
 README.md | 63 +++++------
 invista/nexus/CONNECTION-STATUS.md | 162 ++++++-----------------------
 scripts/README.md | 63 +++++------
 scripts/connection-status.json | 10 +-
 5 files changed, 146 insertions(+), 302 deletions(-)
diff --git a/CONNECTIONS.md b/CONNECTIONS.md
index fab4eb5..fe9dd2c 100644
--- a/CONNECTIONS.md
+++ b/CONNECTIONS.md
@@ -1,113 +1,83 @@ -# Guia de Conexões - Infracloud +# Guia de Conexoes - Infracloud -Documento de referência rápida para conexão aos serviços e servidores. +Documento de referencia rapida para acessos de infraestrutura. -## Serviços e Credenciais +## Ultima validacao -### Tabela Geral +- Data: 2026-03-05 +- Script: `python scripts/check-connections.py` +- Resultado: `20` verificacoes, `14` OK, `6` erros +- Artefato: `scripts/connection-status.json` -| Arquivo ~/.ssh/ | Tipo | Serviço | Status | -|-----------------|------|---------|--------| -| `github` | Chave SSH | GitHub | ✅ | -| `ic-ad` | Chave SSH | Azure DevOps | ✅ | -| `cloudflare-token` | Token | Cloudflare API (Rede5) | ✅ | -| `cloudflare-token-inventcloud` | Token | Cloudflare API (Inventcloud) | ✅ | -| `github-token` | Token | GitHub PAT | ✅ | -| `absam-db-novo` | Credenciais | Absam DB SSH | ❌ (senha) | -| `monday.env` | Token | Monday.com API | ✅ | -| `bookstack-token` | Token | Bookstack API | ✅ | -| `openproject-token` | Token | OpenProject API | ✅ | -| `~/.oci/config` | API Key | Oracle Cloud (OCI) | ✅ | -| `bionexo` | Chave SSH | Bionexo | ❓ | -| `euronodes-object-storage` | Credenciais | Euronodes Object Storage | ✅ | -| `mxroute-api-key` | API Key | MXRoute Email | ❓ | -| `app01-rabbitmq-beecare-origin` | Credenciais | RabbitMQ (Beecare) | ❓ | -| `lh-zeus` | Chave SSH | Zeus (LH) | ❓ | +## Resumo de acessos ---- +| Categoria | Item | Status | Observacao | +|-----------|------|--------|------------| +| VPS | redbull | OK | SSH com chave `~/.ssh/civo` | +| VPS | echo | OK | SSH com chave `~/.ssh/civo` | +| VPS | nc2 | OK | SSH com chave `~/.ssh/civo` | +| VPS | absam-io | OK | Host acessivel, autenticacao por senha | +| Git | github | OK | `ssh -T git@github.com` autenticado | +| Git | bitbucket | OK | Configurado em `~/.ssh/config` | +| API | coolify | OK | HTTP 200 | +| API | forgejo | OK | HTTP 200 | +| API | github | OK | HTTP 200 | +| API | bookstack | OK | HTTP 200 | +| Cloudflare | rede5 | 
OK | 20 zonas | +| Cloudflare | inventcloud | OK | 3 zonas | +| MXRoute | api | OK | HTTP 200 | +| OCI | namespace | OK | Namespace `grbb7qzeuoag` | +| Kubernetes | cluster-info | ERRO | `kubectl cluster-info` sem retorno valido | +| Object Storage | civo | OK | Bucket acessivel | +| Object Storage | euronodes | OK | Bucket acessivel | -## Oracle Cloud (OCI) +## OCI -Conexão ativa via OCI CLI e SDK (Python). +Conexao OCI esta funcional, com namespace retornado: -| Propriedade | Valor | -|-------------|-------| -| Tenancy | `rede5` (ocid1.tenancy...) | -| Região | `us-ashburn-1` / `sa-saopaulo-1` | -| Config | `~/.oci/config` | +- `grbb7qzeuoag` -### Estrutura de Compartimentos (Top Level) -* **cmp-top-invista**: Produção e Homologação Invista. -* **cmp-top-c6**: Infraestrutura C6. -* **OKE**: Clusters Kubernetes (DEV/HML/PRD). +Pendencia detectada na auditoria: -```bash -# Listar instâncias em execução -oci compute instance list --compartment-id --lifecycle-state RUNNING +- Permissao de arquivos `C:\Users\TiagoRibeiro\.oci\config` e `C:\Users\TiagoRibeiro\.oci\api_key.pem` muito aberta. 
+- Correcao recomendada: + +```powershell +oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config +oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem ``` ---- +## Vault de chaves (Civo) -## Azure DevOps +Sincronizacao executada em 2026-03-05: -| Propriedade | Valor | -|-------------|-------| -| Organização | `CN-Squad` | -| Projeto | `Invista FIDC - Nexus` | -| Chave SSH | `ic-ad` / `ic-ad.pub` | -| PAT | `~/.ssh/azure_devops_auth.json` | +- Comando: `node scripts/sync-vault.js upload` +- Origem: `~/.ssh/` +- Destino principal: `Civo bucket rede5 (vault/ssh/)` +- Espelhamento: `Euronodes bucket vault (ssh/)` +- Resultado: 20/20 uploads com sucesso no Civo e 20/20 no espelho + +Comando de validacao: ```bash -# Clonar repositório do Nexus -git clone git@ssh.dev.azure.com:v3/CN-Squad/Invista%20FIDC%20-%20Nexus/ +node scripts/sync-vault.js list ``` ---- +## Credenciais em uso -## GitHub +Todas as credenciais operacionais devem estar em `~/.ssh/`: -| Propriedade | Valor | -|-------------|-------| -| Token | `~/.ssh/github-token` | -| Chave SSH | `github` / `github.pub` | +- `civo` +- `coolify-redbull-token` +- `forgejo-token` +- `cloudflare-token` +- `cloudflare-token-inventcloud` +- `github` e `github-token` +- `ic-ad` +- `bookstack-token` +- `mxroute-api-key` +- `monday.env` --- -## Repositórios de Desenvolvimento (Local) - -| Projeto | Repositório Local | Branch | -|---------|-------------------|--------| -| Q1Agenda | `C:\dev\q1agenda-backend` | `dev` | -| Q1food (BE) | `C:\dev\food-backend` | `dev` | -| Q1food (FE) | `C:\dev\food-frontend` | `dev` | -| Q1Vestuario (BE) | `C:\dev\vestuario-backend` | `dev` | -| Q1Vestuario (FE) | `C:\dev\vestuario-frontend` | `dev` | -| Q1 SITE | `C:\dev\q1site` | `dev` | -| GoHorseJobs | `C:\dev\gohorsejobs` | `dev` | -| PHOTUM | `C:\dev\photum` | `dev` | -| SaveinMed | `C:\dev\saveinmed` | `dev` | -| Q1FIT | `C:\dev\q1fit` | `dev` | -| Zeus | `C:\dev\zeus-suplementos` | `dev` | -| 
Infracloud | `C:\dev\infracloud` | `main` | - ---- - -## Cloud Database (Absam.io) - -| Database | Usuário | Uso | -|----------|---------|-----| -| saveinmed | saveinmed | Saveinmed Medusa v2 | -| gohorsejobs | ghj | GoHorseJobs Backend | - ---- - -## Euronodes Object Storage - -| Propriedade | Valor | -|-------------|-------| -| Bucket | `vault` | -| Uso | Backup de credenciais (`ssh/`) | - ---- - -*Atualizado em: 2026-02-28* +*Atualizado em: 2026-03-05* diff --git a/README.md b/README.md index a6fc426..638f922 100644 --- a/README.md +++ b/README.md 
@@ -7,59 +7,46 @@ Documentacao de infraestrutura como codigo (IaC) da Rede5. | Script | Funcao | |--------|--------| | `scripts/check-connections.py` | Verifica todas as conexoes | -| `scripts/backup-vault.py` | Backup credenciais para Object Storage | +| `scripts/sync-vault.js` | Sincroniza credenciais entre `~/.ssh/` e object storage | ## Estrutura -``` +```text infracloud/ -├── CONNECTIONS.md # Guia de conexoes (VPS, APIs, Tokens) -├── OBJECT-STORAGE.md # Object Storages (Civo, Euronodes) -├── containers/ # Container files (.service, .container) -├── inventcloud/ # Projetos Inventcloud -│ └── invista/nexus/ # Invista FIDC - Nexus -│ ├── OCI.md # Documentacao OCI -│ ├── azure-devops/# Conexoes Azure DevOps -│ └── ... -├── scripts/ # Scripts de automacao -│ ├── check-connections.py -│ └── backup-vault.py -└── vps/ # Virtual Private Servers - ├── redbull/ # Coolify DEV (185.194.141.70) - ├── echo/ # Dokku PROD (152.53.120.181) - └── absam-db/ # Cloud Database (Absam.io) +|-- CONNECTIONS.md +|-- OBJECT-STORAGE.md +|-- containers/ +|-- inventcloud/ +| `-- invista/nexus/ +| |-- OCI.md +| `-- azure-devops/ +|-- scripts/ +| |-- check-connections.py +| `-- sync-vault.js +`-- vps/ ``` -## Acesso Rapido +## Acesso rapido -| Servidor | IP | Plataforma | Documentacao | -|----------|-----|------------|--------------| +| Servidor | Endereco | Plataforma | Documentacao | +|----------|----------|------------|--------------| | Redbull | 185.194.141.70 | Coolify v4 | [vps/redbull](./vps/redbull/) | | Echo | 152.53.120.181 | Dokku | [vps/echo](./vps/echo/) | - | Absam DB | db-60604.dc-us-1.absamcloud.com:11985 | PostgreSQL 17 | [vps/absam-db](./vps/absam-db/) | -## Projetos - -### Inventcloud / Invista - -- [**Invista FIDC - Nexus**](./inventcloud/invista/nexus/README.md): Microservicos e cluster OCI OKE - - [OCI Documentation](./inventcloud/invista/nexus/OCI.md) - - [Azure DevOps Connection](./inventcloud/invista/nexus/azure-devops/CONNECTION.md) - ## Conexoes -- [**Guia de 
Conexoes**](./CONNECTIONS.md): Referencia rapida para VPS, APIs, Tokens +- [Guia de Conexoes](./CONNECTIONS.md) +- [Status Nexus](./invista/nexus/CONNECTION-STATUS.md) -## SSH Hosts +## Ultima auditoria -``` -ssh redbull # 185.194.141.70 (Coolify DEV) -ssh echo # 152.53.120.181 (Dokku PROD) -ssh nc2 # 212.56.41.211 (Contabo) -ssh absam-io # db-60604.dc-us-1.absamcloud.com (PostgreSQL) -``` +- Data: 2026-03-05 +- Comando: `python scripts/check-connections.py` +- Resultado: `14/20` OK (6 erros) +- OCI: OK (namespace `grbb7qzeuoag`) +- Kubernetes/OKE: falha na verificacao de `kubectl cluster-info` --- -*Atualizado em: 2026-02-24* +*Atualizado em: 2026-03-05* diff --git a/invista/nexus/CONNECTION-STATUS.md b/invista/nexus/CONNECTION-STATUS.md index a2f7f77..59b16b2 100644 --- a/invista/nexus/CONNECTION-STATUS.md +++ b/invista/nexus/CONNECTION-STATUS.md 
@@ -1,137 +1,35 @@ -# Status das Conexoes - 2026-02-21 +# Status das Conexoes - 2026-03-05 -## Resumo +## Resumo da auditoria -| Servico | Status | Obs | -|---------|--------|-----| -| GitHub | ✅ OK | Autenticado | -| Bitbucket | ✅ OK | Bionexo | -| Echo | ✅ OK | Dokku funcionando | -| NC2 | ✅ OK | Contabo funcionando | -| Redbull | ✅ OK | Coolify funcionando | -| OCI CLI | ✅ OK | Conectado | -| Forgejo | ✅ OK | API apenas | -| MXRoute | ✅ OK | Email API | -| Azure DevOps | ❌ FAIL | Chave nao registrada | +- Script: `python scripts/check-connections.py` +- Total: 20 +- OK: 14 +- Erros: 6 +- Arquivo gerado: `C:\dev\infracloud\scripts\connection-status.json` + +## Resultado por bloco + +| Bloco | Status | Observacao | +|------|--------|------------| +| VPS | OK | redbull, echo, nc2 e absam-io acessiveis | +| Git | OK | GitHub autenticado; Bitbucket configurado | +| APIs | OK | Coolify, Forgejo, GitHub e Bookstack HTTP 200 | +| Cloudflare | OK | Rede5 (20 zonas), Inventcloud (3 zonas) | +| MXRoute | OK | HTTP 200 | +| OCI | OK | Namespace `grbb7qzeuoag` | +| Kubernetes (OKE) | ERRO | `kubectl cluster-info` falhou | +| Object Storage | OK | Civo e Euronodes acessiveis | + +## Pendencias tecnicas + +1. Corrigir permissoes de arquivos OCI: +```powershell +oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config +oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem +``` +2. Revisar contexto do `kubectl` para OKE (contexto invalido ou sem credenciais ativas). 
--- -## Detalhado - -### ✅ GitHub - -``` -Status: Autenticado -Usuario: tiagoyamamoto -Chave: ~/.ssh/github -``` - -### ✅ Echo (Dokku PROD) - -``` -Status: Online -Hostname: v2202501247812309542 -IP: 152.53.120.181 -Chave: ~/.ssh/civo -``` - -Containers: -- photum.web.1 (Up 45 hours) -- food-backend.web.1 (Up 46 hours) -- q1agenda-backend.web.1 (Up 7 days) -- dokku.postgres.q1agenda-db (Up 7 days) -- dokku.postgres.photum-db (Up 3 weeks) - -### ✅ NC2 (Contabo) - -``` -Status: Online -Hostname: vmi2943543.contaboserver.net -IP: 212.56.41.211 -Chave: ~/.ssh/civo -``` - -Containers: -- redis (Up 5 weeks) -- glances (Up 5 weeks) -- traefik (Up 4 weeks) -- postgres (Up 3 weeks) - -### ✅ Redbull (Coolify DEV) - -``` -Status: Online -Hostname: v2202508247812376908 -IP: 185.194.141.70 -Chave: ~/.ssh/civo -``` - -Containers: -- coolify-sentinel (Up 18 hours) -- coolify-proxy (Up 4 days) -- coolify (Up 4 days) -- coolify-redis (Up 5 days) -- coolify-realtime (Up 5 days) -- coolify-db (Up 5 days) -- forgejo-redbull (Up 4 days) -- vaultwarden (Up) -- Diversas apps Coolify - -### ❌ Azure DevOps - -``` -Status: Falha -Chave: ~/.ssh/ic-ad -Erro: Permission denied (publickey) -``` - -**Acao:** Registrar `~/.ssh/ic-ad.pub` em Azure DevOps > User Settings > SSH public keys - -### ❌ Vim (Dokku PROD) - -``` -Status: Indeterminado -IP: 38.19.201.52 -Chave: ~/.ssh/lh-zeus -Erro: Permission denied (publickey) -``` - -**Acao:** Adicionar chave publica ao servidor - -### ✅ Forgejo - -``` -Status: Online (API) -URL: https://pipe.gohorsejobs.com -Token: ~/.ssh/forgejo-token -Usuario: yamamoto -``` - -**Acesso via API apenas. SSH nao configurado.** - ---- - -## Arquivos Faltando - -| Arquivo | Uso | -|---------|-----| -| cloudflare-token | Cloudflare API | -| coolify-redbull-token | Coolify API | -| github-token | GitHub PAT | -| absam-db-novo | Absam DB | -| absam-token | Absam API | - ---- - -## Acoes Pendentes - -1. [ ] Registrar `ic-ad.pub` no Azure DevOps -2. 
[ ] Criar arquivos de token faltantes (cloudflare, coolify, github, absam) - ---- - -*Testado em: 2026-02-21* - ---- - -*Testado em: 2026-02-21* +*Testado em: 2026-03-05* diff --git a/scripts/README.md b/scripts/README.md index d7c5276..347ca14 100644 --- a/scripts/README.md +++ b/scripts/README.md @@ -1,8 +1,8 @@ -# Scripts de Utilidade +# Scripts de utilidade ## sync-vault.js -Sincroniza credenciais SSH entre `~/.ssh/` e Object Storages (Civo e Euronodes). +Sincroniza credenciais SSH entre `~/.ssh/` e object storages. ### Uso @@ -10,42 +10,35 @@ Sincroniza credenciais SSH entre `~/.ssh/` e Object Storages (Civo e Euronodes). # Listar arquivos nos buckets node scripts/sync-vault.js list -# Upload local -> cloud +# Upload local -> cloud (Civo + espelho Euronodes) node scripts/sync-vault.js upload -# Download cloud -> local +# Download cloud -> local (origem Civo) node scripts/sync-vault.js download -# Sincronizar Civo -> Euronodes (tudo) +# Sincronizar Civo -> Euronodes node scripts/sync-vault.js sync-civo ``` -### Requisitos - -```bash -cd scripts && npm install -``` - -### Filtros +### Filtros de upload O script ignora automaticamente: + - `known_hosts*` - `authorized_keys` -- Arquivos `.pub` -- Diretórios +- arquivos `.pub` +- diretorios -### Object Storages +### Object storage -| Provider | Bucket | Endpoint | -|----------|--------|----------| -| Civo | rede5 | https://objectstore.nyc1.civo.com | -| Euronodes | vault | https://eu-west-1.euronodes.com | - ---- +| Provider | Bucket | Prefixo | +|----------|--------|---------| +| Civo | `rede5` | `vault/ssh/` | +| Euronodes | `vault` | `ssh/` | ## check-connections.py -Verifica todas as conexões da infraestrutura (VPS, APIs, Cloudflare, OCI, K8s, Object Storage). +Valida conexoes de infraestrutura (VPS, APIs, Cloudflare, OCI, Kubernetes e object storage). ### Uso 
@@ -53,24 +46,20 @@ Verifica todas as conexões da infraestrutura (VPS, APIs, Cloudflare, OCI, K8s, python scripts/check-connections.py ``` -### Saída +### Saida -- Console: resumo das conexões -- Arquivo: `scripts/connection-status.json` +- Console com resumo +- Arquivo `scripts/connection-status.json` -### Conexões verificadas +### Observacao OCI -| Categoria | Serviços | -|-----------|----------| -| VPS | redbull, echo, nc2, absam-io | -| Git | GitHub SSH | -| APIs | Coolify, Forgejo, GitHub, Bookstack | -| Cloudflare | Rede5, Inventcloud | -| Email | MXRoute | -| OCI | Oracle Cloud Infrastructure | -| Kubernetes | OKE cluster | -| Object Storage | Civo, Euronodes | +Se aparecer warning de permissao de arquivo: + +```powershell +oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config +oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem +``` --- -*Atualizado em: 2026-02-24* +*Atualizado em: 2026-03-05* diff --git a/scripts/connection-status.json b/scripts/connection-status.json index 3813905..39c6e1e 100644 --- a/scripts/connection-status.json +++ b/scripts/connection-status.json @@ -1,5 +1,5 @@ { - "date": "2026-02-28T07:49:04.374520", + "date": "2026-03-05T09:28:21.758957", "connections": { "vps": { "redbull": { @@ -12,7 +12,7 @@ }, "nc2": { "status": "OK", - "output": "** WARNING: connection is not using a post-quantum key exchange algorithm.\n** This session may be vulnerable to \"store now, decrypt later\" attacks.\n** The server may need to be upgraded. See https://openssh.com/pq.html\nOK" + "output": "OK" }, "absam-io": { "status": "OK", 
@@ -63,11 +63,11 @@
 },
 "oci": {
 "status": "OK",
- "namespace": "{\n \"data\": \"grbb7qzeuoag\"\n}"
+ "namespace": "WARNING: Permissions on C:\\Users\\TiagoRibeiro\\.oci\\config are too open. \nThe following users / groups have permissions to the file and should not: DESKTOP-SG4DDTN\\CodexSandboxUsers. \nTo fix this please try executing the following command: \noci setup repair-file-permissions --file C:\\Users\\TiagoRibeiro\\.oci\\config \nAlternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow: \nSET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True\n$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=\"True\"\n\nWARNING: Permissions on C:\\Users\\TiagoRibeiro\\.oci\\api_key.pem are too open. \nThe following users / groups have permissions to the file and should not: DESKTOP-SG4DDTN\\CodexSandboxUsers. \nTo fix this please try executing the following command: \noci setup repair-file-permissions --file C:\\Users\\TiagoRibeiro\\.oci\\api_key.pem \nAlternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow: \nSET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True\n$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=\"True\"\n\n{\n \"data\": \"grbb7qzeuoag\"\n}"
 },
 "kubernetes": {
- "status": "OK",
- "cluster": "Kubernetes control plane is running at https://136.248.124.22:6443"
+ "status": "ERROR",
+ "cluster": ""
 },
 "object_storage": {
 "civo": {
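Review bot: The `oci` entry keeps `"status": "OK"` although its `namespace` value is now the CLI's warning stream — two "Permissions ... are too open" notices naming the workstation, a local group (`DESKTOP-SG4DDTN\CodexSandboxUsers`) and the private-key path `api_key.pem` — concatenated with the JSON payload, so a private key readable by other accounts is recorded as healthy and the namespace is no longer a parseable value. The script that writes this file (`scripts/check-connections.py`) is not in the diff, so the fix belongs there: capture stdout and stderr separately, parse `data` from stdout only, and map a stderr containing `WARNING: Permissions` to `"status": "ERROR"` (or a distinct warning status, if the schema gains one) rather than OK; the `OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING` variable quoted in the output only hides the condition. Committing this generated artefact also publishes host, account and path details with every run; keeping it out of version control, or redacting such fields before writing, would be safer. The `kubernetes` entry in the same hunk does the right thing by leaving `cluster` empty instead of the previous control-plane endpoint.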