rede5/infracloud
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: atualizar auditoria de acessos e sync de vault

Browse source
This commit is contained in:
Tiago Ribeiro 2026-03-05 09:40:58 -03:00
parent 179d4c2ba4
commit 47feb3c7bf
5 changed files with 146 additions and 302 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

150
CONNECTIONS.md
View file

@ -1,113 +1,83 @@
# Guia de Conexões - Infracloud # Guia de Conexoes - Infracloud
Documento de referência rápida para conexão aos serviços e servidores. Documento de referencia rapida para acessos de infraestrutura.
## Serviços e Credenciais ## Ultima validacao
### Tabela Geral - Data: 2026-03-05
- Script: `python scripts/check-connections.py`
- Resultado: `20` verificacoes, `14` OK, `6` erros
- Artefato: `scripts/connection-status.json`
| Arquivo ~/.ssh/ | Tipo | Serviço | Status | ## Resumo de acessos
|-----------------|------|---------|--------|
| `github` | Chave SSH | GitHub | ✅ |
| `ic-ad` | Chave SSH | Azure DevOps | ✅ |
| `cloudflare-token` | Token | Cloudflare API (Rede5) | ✅ |
| `cloudflare-token-inventcloud` | Token | Cloudflare API (Inventcloud) | ✅ |
| `github-token` | Token | GitHub PAT | ✅ |
| `absam-db-novo` | Credenciais | Absam DB SSH | ❌ (senha) |
| `monday.env` | Token | Monday.com API | ✅ |
| `bookstack-token` | Token | Bookstack API | ✅ |
| `openproject-token` | Token | OpenProject API | ✅ |
| `~/.oci/config` | API Key | Oracle Cloud (OCI) | ✅ |
| `bionexo` | Chave SSH | Bionexo | ❓ |
| `euronodes-object-storage` | Credenciais | Euronodes Object Storage | ✅ |
| `mxroute-api-key` | API Key | MXRoute Email | ❓ |
| `app01-rabbitmq-beecare-origin` | Credenciais | RabbitMQ (Beecare) | ❓ |
| `lh-zeus` | Chave SSH | Zeus (LH) | ❓ |
--- | Categoria | Item | Status | Observacao |
|-----------|------|--------|------------|
| VPS | redbull | OK | SSH com chave `~/.ssh/civo` |
| VPS | echo | OK | SSH com chave `~/.ssh/civo` |
| VPS | nc2 | OK | SSH com chave `~/.ssh/civo` |
| VPS | absam-io | OK | Host acessivel, autenticacao por senha |
| Git | github | OK | `ssh -T git@github.com` autenticado |
| Git | bitbucket | OK | Configurado em `~/.ssh/config` |
| API | coolify | OK | HTTP 200 |
| API | forgejo | OK | HTTP 200 |
| API | github | OK | HTTP 200 |
| API | bookstack | OK | HTTP 200 |
| Cloudflare | rede5 | OK | 20 zonas |
| Cloudflare | inventcloud | OK | 3 zonas |
| MXRoute | api | OK | HTTP 200 |
| OCI | namespace | OK | Namespace `grbb7qzeuoag` |
| Kubernetes | cluster-info | ERRO | `kubectl cluster-info` sem retorno valido |
| Object Storage | civo | OK | Bucket acessivel |
| Object Storage | euronodes | OK | Bucket acessivel |
## Oracle Cloud (OCI) ## OCI
Conexão ativa via OCI CLI e SDK (Python). Conexao OCI esta funcional, com namespace retornado:
| Propriedade | Valor | - `grbb7qzeuoag`
|-------------|-------|
| Tenancy | `rede5` (ocid1.tenancy...) |
| Região | `us-ashburn-1` / `sa-saopaulo-1` |
| Config | `~/.oci/config` |
### Estrutura de Compartimentos (Top Level) Pendencia detectada na auditoria:
* **cmp-top-invista**: Produção e Homologação Invista.
* **cmp-top-c6**: Infraestrutura C6.
* **OKE**: Clusters Kubernetes (DEV/HML/PRD).
```bash - Permissao de arquivos `C:\Users\TiagoRibeiro\.oci\config` e `C:\Users\TiagoRibeiro\.oci\api_key.pem` muito aberta.
# Listar instâncias em execução - Correcao recomendada:
oci compute instance list --compartment-id <COMPARTMENT_OCID> --lifecycle-state RUNNING
```powershell
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem
``` ```
--- ## Vault de chaves (Civo)
## Azure DevOps Sincronizacao executada em 2026-03-05:
| Propriedade | Valor | - Comando: `node scripts/sync-vault.js upload`
|-------------|-------| - Origem: `~/.ssh/`
| Organização | `CN-Squad` | - Destino principal: `Civo bucket rede5 (vault/ssh/)`
| Projeto | `Invista FIDC - Nexus` | - Espelhamento: `Euronodes bucket vault (ssh/)`
| Chave SSH | `ic-ad` / `ic-ad.pub` | - Resultado: 20/20 uploads com sucesso no Civo e 20/20 no espelho
| PAT | `~/.ssh/azure_devops_auth.json` |
Comando de validacao:
```bash ```bash
# Clonar repositório do Nexus node scripts/sync-vault.js list
git clone git@ssh.dev.azure.com:v3/CN-Squad/Invista%20FIDC%20-%20Nexus/<repo>
``` ```
--- ## Credenciais em uso
## GitHub Todas as credenciais operacionais devem estar em `~/.ssh/`:
| Propriedade | Valor | - `civo`
|-------------|-------| - `coolify-redbull-token`
| Token | `~/.ssh/github-token` | - `forgejo-token`
| Chave SSH | `github` / `github.pub` | - `cloudflare-token`
- `cloudflare-token-inventcloud`
- `github` e `github-token`
- `ic-ad`
- `bookstack-token`
- `mxroute-api-key`
- `monday.env`
--- ---
## Repositórios de Desenvolvimento (Local) *Atualizado em: 2026-03-05*
| Projeto | Repositório Local | Branch |
|---------|-------------------|--------|
| Q1Agenda | `C:\dev\q1agenda-backend` | `dev` |
| Q1food (BE) | `C:\dev\food-backend` | `dev` |
| Q1food (FE) | `C:\dev\food-frontend` | `dev` |
| Q1Vestuario (BE) | `C:\dev\vestuario-backend` | `dev` |
| Q1Vestuario (FE) | `C:\dev\vestuario-frontend` | `dev` |
| Q1 SITE | `C:\dev\q1site` | `dev` |
| GoHorseJobs | `C:\dev\gohorsejobs` | `dev` |
| PHOTUM | `C:\dev\photum` | `dev` |
| SaveinMed | `C:\dev\saveinmed` | `dev` |
| Q1FIT | `C:\dev\q1fit` | `dev` |
| Zeus | `C:\dev\zeus-suplementos` | `dev` |
| Infracloud | `C:\dev\infracloud` | `main` |
---
## Cloud Database (Absam.io)
| Database | Usuário | Uso |
|----------|---------|-----|
| saveinmed | saveinmed | Saveinmed Medusa v2 |
| gohorsejobs | ghj | GoHorseJobs Backend |
---
## Euronodes Object Storage
| Propriedade | Valor |
|-------------|-------|
| Bucket | `vault` |
| Uso | Backup de credenciais (`ssh/`) |
---
*Atualizado em: 2026-02-28*

63
README.md
View file

@ -7,59 +7,46 @@ Documentacao de infraestrutura como codigo (IaC) da Rede5.
| Script | Funcao | | Script | Funcao |
|--------|--------| |--------|--------|
| `scripts/check-connections.py` | Verifica todas as conexoes | | `scripts/check-connections.py` | Verifica todas as conexoes |
| `scripts/backup-vault.py` | Backup credenciais para Object Storage | | `scripts/sync-vault.js` | Sincroniza credenciais entre `~/.ssh/` e object storage |
## Estrutura ## Estrutura
``` ```text
infracloud/ infracloud/
├── CONNECTIONS.md # Guia de conexoes (VPS, APIs, Tokens) |-- CONNECTIONS.md
├── OBJECT-STORAGE.md # Object Storages (Civo, Euronodes) |-- OBJECT-STORAGE.md
├── containers/ # Container files (.service, .container) |-- containers/
├── inventcloud/ # Projetos Inventcloud |-- inventcloud/
│ └── invista/nexus/ # Invista FIDC - Nexus | `-- invista/nexus/
│ ├── OCI.md # Documentacao OCI | |-- OCI.md
│ ├── azure-devops/# Conexoes Azure DevOps | `-- azure-devops/
│ └── ... |-- scripts/
├── scripts/ # Scripts de automacao | |-- check-connections.py
│ ├── check-connections.py | `-- sync-vault.js
│ └── backup-vault.py `-- vps/
└── vps/ # Virtual Private Servers
├── redbull/ # Coolify DEV (185.194.141.70)
├── echo/ # Dokku PROD (152.53.120.181)
└── absam-db/ # Cloud Database (Absam.io)
``` ```
## Acesso Rapido ## Acesso rapido
| Servidor | IP | Plataforma | Documentacao | | Servidor | Endereco | Plataforma | Documentacao |
|----------|-----|------------|--------------| |----------|----------|------------|--------------|
| Redbull | 185.194.141.70 | Coolify v4 | [vps/redbull](./vps/redbull/) | | Redbull | 185.194.141.70 | Coolify v4 | [vps/redbull](./vps/redbull/) |
| Echo | 152.53.120.181 | Dokku | [vps/echo](./vps/echo/) | | Echo | 152.53.120.181 | Dokku | [vps/echo](./vps/echo/) |
| Absam DB | db-60604.dc-us-1.absamcloud.com:11985 | PostgreSQL 17 | [vps/absam-db](./vps/absam-db/) | | Absam DB | db-60604.dc-us-1.absamcloud.com:11985 | PostgreSQL 17 | [vps/absam-db](./vps/absam-db/) |
## Projetos
### Inventcloud / Invista
- [**Invista FIDC - Nexus**](./inventcloud/invista/nexus/README.md): Microservicos e cluster OCI OKE
- [OCI Documentation](./inventcloud/invista/nexus/OCI.md)
- [Azure DevOps Connection](./inventcloud/invista/nexus/azure-devops/CONNECTION.md)
## Conexoes ## Conexoes
- [**Guia de Conexoes**](./CONNECTIONS.md): Referencia rapida para VPS, APIs, Tokens - [Guia de Conexoes](./CONNECTIONS.md)
- [Status Nexus](./invista/nexus/CONNECTION-STATUS.md)
## SSH Hosts ## Ultima auditoria
``` - Data: 2026-03-05
ssh redbull # 185.194.141.70 (Coolify DEV) - Comando: `python scripts/check-connections.py`
ssh echo # 152.53.120.181 (Dokku PROD) - Resultado: `14/20` OK (6 erros)
ssh nc2 # 212.56.41.211 (Contabo) - OCI: OK (namespace `grbb7qzeuoag`)
ssh absam-io # db-60604.dc-us-1.absamcloud.com (PostgreSQL) - Kubernetes/OKE: falha na verificacao de `kubectl cluster-info`
```
--- ---
*Atualizado em: 2026-02-24* *Atualizado em: 2026-03-05*

162
invista/nexus/CONNECTION-STATUS.md
View file

@ -1,137 +1,35 @@
# Status das Conexoes - 2026-02-21 # Status das Conexoes - 2026-03-05
## Resumo ## Resumo da auditoria
| Servico | Status | Obs | - Script: `python scripts/check-connections.py`
|---------|--------|-----| - Total: 20
| GitHub | ✅ OK | Autenticado | - OK: 14
| Bitbucket | ✅ OK | Bionexo | - Erros: 6
| Echo | ✅ OK | Dokku funcionando | - Arquivo gerado: `C:\dev\infracloud\scripts\connection-status.json`
| NC2 | ✅ OK | Contabo funcionando |
| Redbull | ✅ OK | Coolify funcionando | ## Resultado por bloco
| OCI CLI | ✅ OK | Conectado |
| Forgejo | ✅ OK | API apenas | | Bloco | Status | Observacao |
| MXRoute | ✅ OK | Email API | |------|--------|------------|
| Azure DevOps | ❌ FAIL | Chave nao registrada | | VPS | OK | redbull, echo, nc2 e absam-io acessiveis |
| Git | OK | GitHub autenticado; Bitbucket configurado |
| APIs | OK | Coolify, Forgejo, GitHub e Bookstack HTTP 200 |
| Cloudflare | OK | Rede5 (20 zonas), Inventcloud (3 zonas) |
| MXRoute | OK | HTTP 200 |
| OCI | OK | Namespace `grbb7qzeuoag` |
| Kubernetes (OKE) | ERRO | `kubectl cluster-info` falhou |
| Object Storage | OK | Civo e Euronodes acessiveis |
## Pendencias tecnicas
1. Corrigir permissoes de arquivos OCI:
```powershell
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem
```
2. Revisar contexto do `kubectl` para OKE (contexto invalido ou sem credenciais ativas).
--- ---
## Detalhado *Testado em: 2026-03-05*
### ✅ GitHub
```
Status: Autenticado
Usuario: tiagoyamamoto
Chave: ~/.ssh/github
```
### ✅ Echo (Dokku PROD)
```
Status: Online
Hostname: v2202501247812309542
IP: 152.53.120.181
Chave: ~/.ssh/civo
```
Containers:
- photum.web.1 (Up 45 hours)
- food-backend.web.1 (Up 46 hours)
- q1agenda-backend.web.1 (Up 7 days)
- dokku.postgres.q1agenda-db (Up 7 days)
- dokku.postgres.photum-db (Up 3 weeks)
### ✅ NC2 (Contabo)
```
Status: Online
Hostname: vmi2943543.contaboserver.net
IP: 212.56.41.211
Chave: ~/.ssh/civo
```
Containers:
- redis (Up 5 weeks)
- glances (Up 5 weeks)
- traefik (Up 4 weeks)
- postgres (Up 3 weeks)
### ✅ Redbull (Coolify DEV)
```
Status: Online
Hostname: v2202508247812376908
IP: 185.194.141.70
Chave: ~/.ssh/civo
```
Containers:
- coolify-sentinel (Up 18 hours)
- coolify-proxy (Up 4 days)
- coolify (Up 4 days)
- coolify-redis (Up 5 days)
- coolify-realtime (Up 5 days)
- coolify-db (Up 5 days)
- forgejo-redbull (Up 4 days)
- vaultwarden (Up)
- Diversas apps Coolify
### ❌ Azure DevOps
```
Status: Falha
Chave: ~/.ssh/ic-ad
Erro: Permission denied (publickey)
```
**Acao:** Registrar `~/.ssh/ic-ad.pub` em Azure DevOps > User Settings > SSH public keys
### ❌ Vim (Dokku PROD)
```
Status: Indeterminado
IP: 38.19.201.52
Chave: ~/.ssh/lh-zeus
Erro: Permission denied (publickey)
```
**Acao:** Adicionar chave publica ao servidor
### ✅ Forgejo
```
Status: Online (API)
URL: https://pipe.gohorsejobs.com
Token: ~/.ssh/forgejo-token
Usuario: yamamoto
```
**Acesso via API apenas. SSH nao configurado.**
---
## Arquivos Faltando
| Arquivo | Uso |
|---------|-----|
| cloudflare-token | Cloudflare API |
| coolify-redbull-token | Coolify API |
| github-token | GitHub PAT |
| absam-db-novo | Absam DB |
| absam-token | Absam API |
---
## Acoes Pendentes
1. [ ] Registrar `ic-ad.pub` no Azure DevOps
2. [ ] Criar arquivos de token faltantes (cloudflare, coolify, github, absam)
---
*Testado em: 2026-02-21*
---
*Testado em: 2026-02-21*

63
scripts/README.md
View file

@ -1,8 +1,8 @@
# Scripts de Utilidade # Scripts de utilidade
## sync-vault.js ## sync-vault.js
Sincroniza credenciais SSH entre `~/.ssh/` e Object Storages (Civo e Euronodes). Sincroniza credenciais SSH entre `~/.ssh/` e object storages.
### Uso ### Uso
@ -10,42 +10,35 @@ Sincroniza credenciais SSH entre `~/.ssh/` e Object Storages (Civo e Euronodes).
# Listar arquivos nos buckets # Listar arquivos nos buckets
node scripts/sync-vault.js list node scripts/sync-vault.js list
# Upload local -> cloud # Upload local -> cloud (Civo + espelho Euronodes)
node scripts/sync-vault.js upload node scripts/sync-vault.js upload
# Download cloud -> local # Download cloud -> local (origem Civo)
node scripts/sync-vault.js download node scripts/sync-vault.js download
# Sincronizar Civo -> Euronodes (tudo) # Sincronizar Civo -> Euronodes
node scripts/sync-vault.js sync-civo node scripts/sync-vault.js sync-civo
``` ```
### Requisitos ### Filtros de upload
```bash
cd scripts && npm install
```
### Filtros
O script ignora automaticamente: O script ignora automaticamente:
- `known_hosts*` - `known_hosts*`
- `authorized_keys` - `authorized_keys`
- Arquivos `.pub` - arquivos `.pub`
- Diretórios - diretorios
### Object Storages ### Object storage
| Provider | Bucket | Endpoint | | Provider | Bucket | Prefixo |
|----------|--------|----------| |----------|--------|---------|
| Civo | rede5 | https://objectstore.nyc1.civo.com | | Civo | `rede5` | `vault/ssh/` |
| Euronodes | vault | https://eu-west-1.euronodes.com | | Euronodes | `vault` | `ssh/` |
---
## check-connections.py ## check-connections.py
Verifica todas as conexões da infraestrutura (VPS, APIs, Cloudflare, OCI, K8s, Object Storage). Valida conexoes de infraestrutura (VPS, APIs, Cloudflare, OCI, Kubernetes e object storage).
### Uso ### Uso
@ -53,24 +46,20 @@ Verifica todas as conexões da infraestrutura (VPS, APIs, Cloudflare, OCI, K8s,
python scripts/check-connections.py python scripts/check-connections.py
``` ```
### Saída ### Saida
- Console: resumo das conexões - Console com resumo
- Arquivo: `scripts/connection-status.json` - Arquivo `scripts/connection-status.json`
### Conexões verificadas ### Observacao OCI
| Categoria | Serviços | Se aparecer warning de permissao de arquivo:
|-----------|----------|
| VPS | redbull, echo, nc2, absam-io | ```powershell
| Git | GitHub SSH | oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config
| APIs | Coolify, Forgejo, GitHub, Bookstack | oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem
| Cloudflare | Rede5, Inventcloud | ```
| Email | MXRoute |
| OCI | Oracle Cloud Infrastructure |
| Kubernetes | OKE cluster |
| Object Storage | Civo, Euronodes |
--- ---
*Atualizado em: 2026-02-24* *Atualizado em: 2026-03-05*

10
scripts/connection-status.json
View file

@ -1,5 +1,5 @@
{ {
"date": "2026-02-28T07:49:04.374520", "date": "2026-03-05T09:28:21.758957",
"connections": { "connections": {
"vps": { "vps": {
"redbull": { "redbull": {
@ -12,7 +12,7 @@
}, },
"nc2": { "nc2": {
"status": "OK", "status": "OK",
"output": "** WARNING: connection is not using a post-quantum key exchange algorithm.\n** This session may be vulnerable to \"store now, decrypt later\" attacks.\n** The server may need to be upgraded. See https://openssh.com/pq.html\nOK" "output": "OK"
}, },
"absam-io": { "absam-io": {
"status": "OK", "status": "OK",
@ -63,11 +63,11 @@
}, },
"oci": { "oci": {
"status": "OK", "status": "OK",
"namespace": "{\n \"data\": \"grbb7qzeuoag\"\n}" "namespace": "WARNING: Permissions on C:\\Users\\TiagoRibeiro\\.oci\\config are too open. \nThe following users / groups have permissions to the file and should not: DESKTOP-SG4DDTN\\CodexSandboxUsers. \nTo fix this please try executing the following command: \noci setup repair-file-permissions --file C:\\Users\\TiagoRibeiro\\.oci\\config \nAlternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow: \nSET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True\n$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=\"True\"\n\nWARNING: Permissions on C:\\Users\\TiagoRibeiro\\.oci\\api_key.pem are too open. \nThe following users / groups have permissions to the file and should not: DESKTOP-SG4DDTN\\CodexSandboxUsers. \nTo fix this please try executing the following command: \noci setup repair-file-permissions --file C:\\Users\\TiagoRibeiro\\.oci\\api_key.pem \nAlternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow: \nSET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True\n$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=\"True\"\n\n{\n \"data\": \"grbb7qzeuoag\"\n}"
}, },
"kubernetes": { "kubernetes": {
"status": "OK", "status": "ERROR",
"cluster": "Kubernetes control plane is running at https://136.248.124.22:6443" "cluster": ""
}, },
"object_storage": { "object_storage": {
"civo": { "civo": {