docs: update access audit and vault sync

Tiago Ribeiro 2026-03-05 09:40:58 -03:00
parent 179d4c2ba4
commit 47feb3c7bf
5 changed files with 146 additions and 302 deletions

View file

@ -1,113 +1,83 @@
# Guia de Conexões - Infracloud
# Guia de Conexoes - Infracloud
Documento de referência rápida para conexão aos serviços e servidores.
Documento de referencia rapida para acessos de infraestrutura.
## Serviços e Credenciais
## Ultima validacao
### Tabela Geral
- Data: 2026-03-05
- Script: `python scripts/check-connections.py`
- Resultado: `20` verificacoes, `14` OK, `6` erros
- Artefato: `scripts/connection-status.json`
| Arquivo ~/.ssh/ | Tipo | Serviço | Status |
|-----------------|------|---------|--------|
| `github` | Chave SSH | GitHub | ✅ |
| `ic-ad` | Chave SSH | Azure DevOps | ✅ |
| `cloudflare-token` | Token | Cloudflare API (Rede5) | ✅ |
| `cloudflare-token-inventcloud` | Token | Cloudflare API (Inventcloud) | ✅ |
| `github-token` | Token | GitHub PAT | ✅ |
| `absam-db-novo` | Credenciais | Absam DB SSH | ❌ (senha) |
| `monday.env` | Token | Monday.com API | ✅ |
| `bookstack-token` | Token | Bookstack API | ✅ |
| `openproject-token` | Token | OpenProject API | ✅ |
| `~/.oci/config` | API Key | Oracle Cloud (OCI) | ✅ |
| `bionexo` | Chave SSH | Bionexo | ❓ |
| `euronodes-object-storage` | Credenciais | Euronodes Object Storage | ✅ |
| `mxroute-api-key` | API Key | MXRoute Email | ❓ |
| `app01-rabbitmq-beecare-origin` | Credenciais | RabbitMQ (Beecare) | ❓ |
| `lh-zeus` | Chave SSH | Zeus (LH) | ❓ |
## Resumo de acessos
---
| Categoria | Item | Status | Observacao |
|-----------|------|--------|------------|
| VPS | redbull | OK | SSH com chave `~/.ssh/civo` |
| VPS | echo | OK | SSH com chave `~/.ssh/civo` |
| VPS | nc2 | OK | SSH com chave `~/.ssh/civo` |
| VPS | absam-io | OK | Host acessivel, autenticacao por senha |
| Git | github | OK | `ssh -T git@github.com` autenticado |
| Git | bitbucket | OK | Configurado em `~/.ssh/config` |
| API | coolify | OK | HTTP 200 |
| API | forgejo | OK | HTTP 200 |
| API | github | OK | HTTP 200 |
| API | bookstack | OK | HTTP 200 |
| Cloudflare | rede5 | OK | 20 zonas |
| Cloudflare | inventcloud | OK | 3 zonas |
| MXRoute | api | OK | HTTP 200 |
| OCI | namespace | OK | Namespace `grbb7qzeuoag` |
| Kubernetes | cluster-info | ERRO | `kubectl cluster-info` sem retorno valido |
| Object Storage | civo | OK | Bucket acessivel |
| Object Storage | euronodes | OK | Bucket acessivel |
## Oracle Cloud (OCI)
## OCI
Conexão ativa via OCI CLI e SDK (Python).
Conexao OCI esta funcional, com namespace retornado:
| Propriedade | Valor |
|-------------|-------|
| Tenancy | `rede5` (ocid1.tenancy...) |
| Região | `us-ashburn-1` / `sa-saopaulo-1` |
| Config | `~/.oci/config` |
- `grbb7qzeuoag`
### Estrutura de Compartimentos (Top Level)
* **cmp-top-invista**: Produção e Homologação Invista.
* **cmp-top-c6**: Infraestrutura C6.
* **OKE**: Clusters Kubernetes (DEV/HML/PRD).
Pendencia detectada na auditoria:
```bash
# Listar instâncias em execução
oci compute instance list --compartment-id <COMPARTMENT_OCID> --lifecycle-state RUNNING
- Permissao de arquivos `C:\Users\TiagoRibeiro\.oci\config` e `C:\Users\TiagoRibeiro\.oci\api_key.pem` muito aberta.
- Correcao recomendada:
```powershell
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem
```
---
## Vault de chaves (Civo)
## Azure DevOps
Sincronizacao executada em 2026-03-05:
| Propriedade | Valor |
|-------------|-------|
| Organização | `CN-Squad` |
| Projeto | `Invista FIDC - Nexus` |
| Chave SSH | `ic-ad` / `ic-ad.pub` |
| PAT | `~/.ssh/azure_devops_auth.json` |
- Comando: `node scripts/sync-vault.js upload`
- Origem: `~/.ssh/`
- Destino principal: `Civo bucket rede5 (vault/ssh/)`
- Espelhamento: `Euronodes bucket vault (ssh/)`
- Resultado: 20/20 uploads com sucesso no Civo e 20/20 no espelho
Comando de validacao:
```bash
# Clonar repositório do Nexus
git clone git@ssh.dev.azure.com:v3/CN-Squad/Invista%20FIDC%20-%20Nexus/<repo>
node scripts/sync-vault.js list
```
---
## Credenciais em uso
## GitHub
Todas as credenciais operacionais devem estar em `~/.ssh/`:
| Propriedade | Valor |
|-------------|-------|
| Token | `~/.ssh/github-token` |
| Chave SSH | `github` / `github.pub` |
- `civo`
- `coolify-redbull-token`
- `forgejo-token`
- `cloudflare-token`
- `cloudflare-token-inventcloud`
- `github` e `github-token`
- `ic-ad`
- `bookstack-token`
- `mxroute-api-key`
- `monday.env`
---
## Repositórios de Desenvolvimento (Local)
| Projeto | Repositório Local | Branch |
|---------|-------------------|--------|
| Q1Agenda | `C:\dev\q1agenda-backend` | `dev` |
| Q1food (BE) | `C:\dev\food-backend` | `dev` |
| Q1food (FE) | `C:\dev\food-frontend` | `dev` |
| Q1Vestuario (BE) | `C:\dev\vestuario-backend` | `dev` |
| Q1Vestuario (FE) | `C:\dev\vestuario-frontend` | `dev` |
| Q1 SITE | `C:\dev\q1site` | `dev` |
| GoHorseJobs | `C:\dev\gohorsejobs` | `dev` |
| PHOTUM | `C:\dev\photum` | `dev` |
| SaveinMed | `C:\dev\saveinmed` | `dev` |
| Q1FIT | `C:\dev\q1fit` | `dev` |
| Zeus | `C:\dev\zeus-suplementos` | `dev` |
| Infracloud | `C:\dev\infracloud` | `main` |
---
## Cloud Database (Absam.io)
| Database | Usuário | Uso |
|----------|---------|-----|
| saveinmed | saveinmed | Saveinmed Medusa v2 |
| gohorsejobs | ghj | GoHorseJobs Backend |
---
## Euronodes Object Storage
| Propriedade | Valor |
|-------------|-------|
| Bucket | `vault` |
| Uso | Backup de credenciais (`ssh/`) |
---
*Atualizado em: 2026-02-28*
*Atualizado em: 2026-03-05*
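Review bot: the access summary in this file does not reconcile with the audit figures it states at the top: `Ultima validacao` reports `20` checks, `14` OK, `6` errors, but the `Resumo de acessos` table has 17 rows with a single `ERRO` (Kubernetes). Either list the other five failing checks (and the three checks not shown at all) or correct the counts; as written, a reader cannot tell which access paths are actually broken. Two smaller points in the same hunk: the OCI pending item hard-codes `C:\Users\TiagoRibeiro\.oci\config` and `api_key.pem`, while the rest of the guide uses `~/.oci/config`; use the portable form so the instruction holds on any workstation. And the `Vault de chaves (Civo)` section records `20/20` uploads of `~/.ssh/` to two buckets but says nothing about whether the files are encrypted before upload or who holds read access to `rede5` and `vault`; since that set includes private keys and API tokens, that information belongs next to the sync result. Finally, the `Repositorios de Desenvolvimento`, `Cloud Database (Absam.io)` and `Euronodes Object Storage` tables were deleted outright; if they were moved to another document, link it, otherwise this is the only place that mapping lived.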

View file

@ -7,59 +7,46 @@ Documentacao de infraestrutura como codigo (IaC) da Rede5.
| Script | Funcao |
|--------|--------|
| `scripts/check-connections.py` | Verifica todas as conexoes |
| `scripts/backup-vault.py` | Backup credenciais para Object Storage |
| `scripts/sync-vault.js` | Sincroniza credenciais entre `~/.ssh/` e object storage |
## Estrutura
```
```text
infracloud/
├── CONNECTIONS.md # Guia de conexoes (VPS, APIs, Tokens)
├── OBJECT-STORAGE.md # Object Storages (Civo, Euronodes)
├── containers/ # Container files (.service, .container)
├── inventcloud/ # Projetos Inventcloud
│ └── invista/nexus/ # Invista FIDC - Nexus
│ ├── OCI.md # Documentacao OCI
│ ├── azure-devops/# Conexoes Azure DevOps
│ └── ...
├── scripts/ # Scripts de automacao
│ ├── check-connections.py
│ └── backup-vault.py
└── vps/ # Virtual Private Servers
├── redbull/ # Coolify DEV (185.194.141.70)
├── echo/ # Dokku PROD (152.53.120.181)
└── absam-db/ # Cloud Database (Absam.io)
|-- CONNECTIONS.md
|-- OBJECT-STORAGE.md
|-- containers/
|-- inventcloud/
| `-- invista/nexus/
| |-- OCI.md
| `-- azure-devops/
|-- scripts/
| |-- check-connections.py
| `-- sync-vault.js
`-- vps/
```
## Acesso Rapido
## Acesso rapido
| Servidor | IP | Plataforma | Documentacao |
|----------|-----|------------|--------------|
| Servidor | Endereco | Plataforma | Documentacao |
|----------|----------|------------|--------------|
| Redbull | 185.194.141.70 | Coolify v4 | [vps/redbull](./vps/redbull/) |
| Echo | 152.53.120.181 | Dokku | [vps/echo](./vps/echo/) |
| Absam DB | db-60604.dc-us-1.absamcloud.com:11985 | PostgreSQL 17 | [vps/absam-db](./vps/absam-db/) |
## Projetos
### Inventcloud / Invista
- [**Invista FIDC - Nexus**](./inventcloud/invista/nexus/README.md): Microservicos e cluster OCI OKE
- [OCI Documentation](./inventcloud/invista/nexus/OCI.md)
- [Azure DevOps Connection](./inventcloud/invista/nexus/azure-devops/CONNECTION.md)
## Conexoes
- [**Guia de Conexoes**](./CONNECTIONS.md): Referencia rapida para VPS, APIs, Tokens
- [Guia de Conexoes](./CONNECTIONS.md)
- [Status Nexus](./invista/nexus/CONNECTION-STATUS.md)
## SSH Hosts
## Ultima auditoria
```
ssh redbull # 185.194.141.70 (Coolify DEV)
ssh echo # 152.53.120.181 (Dokku PROD)
ssh nc2 # 212.56.41.211 (Contabo)
ssh absam-io # db-60604.dc-us-1.absamcloud.com (PostgreSQL)
```
- Data: 2026-03-05
- Comando: `python scripts/check-connections.py`
- Resultado: `14/20` OK (6 erros)
- OCI: OK (namespace `grbb7qzeuoag`)
- Kubernetes/OKE: falha na verificacao de `kubectl cluster-info`
---
*Atualizado em: 2026-02-24*
*Atualizado em: 2026-03-05*
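Review bot: the new link `[Status Nexus](./invista/nexus/CONNECTION-STATUS.md)` does not match the tree shown a few lines above, where `invista/nexus/` sits under `inventcloud/`; the path should presumably be `./inventcloud/invista/nexus/CONNECTION-STATUS.md`, and that file is not listed in the tree either, so add it there or point at the existing `OCI.md`. `Ultima auditoria` repeats the `14/20` OK (6 errors) figure but itemizes only the `kubectl cluster-info` failure; list the remaining failures or drop the count so the README does not contradict itself. Removing the `SSH Hosts` alias block is fine only if `~/.ssh/config` is documented elsewhere, because `redbull`, `echo`, `nc2` and `absam-io` are still used as bare hostnames in CONNECTIONS.md and in the audit output.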

View file

@ -1,137 +1,35 @@
# Status das Conexoes - 2026-02-21
# Status das Conexoes - 2026-03-05
## Resumo
## Resumo da auditoria
| Servico | Status | Obs |
|---------|--------|-----|
| GitHub | ✅ OK | Autenticado |
| Bitbucket | ✅ OK | Bionexo |
| Echo | ✅ OK | Dokku funcionando |
| NC2 | ✅ OK | Contabo funcionando |
| Redbull | ✅ OK | Coolify funcionando |
| OCI CLI | ✅ OK | Conectado |
| Forgejo | ✅ OK | API apenas |
| MXRoute | ✅ OK | Email API |
| Azure DevOps | ❌ FAIL | Chave nao registrada |
- Script: `python scripts/check-connections.py`
- Total: 20
- OK: 14
- Erros: 6
- Arquivo gerado: `C:\dev\infracloud\scripts\connection-status.json`
## Resultado por bloco
| Bloco | Status | Observacao |
|------|--------|------------|
| VPS | OK | redbull, echo, nc2 e absam-io acessiveis |
| Git | OK | GitHub autenticado; Bitbucket configurado |
| APIs | OK | Coolify, Forgejo, GitHub e Bookstack HTTP 200 |
| Cloudflare | OK | Rede5 (20 zonas), Inventcloud (3 zonas) |
| MXRoute | OK | HTTP 200 |
| OCI | OK | Namespace `grbb7qzeuoag` |
| Kubernetes (OKE) | ERRO | `kubectl cluster-info` falhou |
| Object Storage | OK | Civo e Euronodes acessiveis |
## Pendencias tecnicas
1. Corrigir permissoes de arquivos OCI:
```powershell
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem
```
2. Revisar contexto do `kubectl` para OKE (contexto invalido ou sem credenciais ativas).
---
## Detalhado
### ✅ GitHub
```
Status: Autenticado
Usuario: tiagoyamamoto
Chave: ~/.ssh/github
```
### ✅ Echo (Dokku PROD)
```
Status: Online
Hostname: v2202501247812309542
IP: 152.53.120.181
Chave: ~/.ssh/civo
```
Containers:
- photum.web.1 (Up 45 hours)
- food-backend.web.1 (Up 46 hours)
- q1agenda-backend.web.1 (Up 7 days)
- dokku.postgres.q1agenda-db (Up 7 days)
- dokku.postgres.photum-db (Up 3 weeks)
### ✅ NC2 (Contabo)
```
Status: Online
Hostname: vmi2943543.contaboserver.net
IP: 212.56.41.211
Chave: ~/.ssh/civo
```
Containers:
- redis (Up 5 weeks)
- glances (Up 5 weeks)
- traefik (Up 4 weeks)
- postgres (Up 3 weeks)
### ✅ Redbull (Coolify DEV)
```
Status: Online
Hostname: v2202508247812376908
IP: 185.194.141.70
Chave: ~/.ssh/civo
```
Containers:
- coolify-sentinel (Up 18 hours)
- coolify-proxy (Up 4 days)
- coolify (Up 4 days)
- coolify-redis (Up 5 days)
- coolify-realtime (Up 5 days)
- coolify-db (Up 5 days)
- forgejo-redbull (Up 4 days)
- vaultwarden (Up)
- Diversas apps Coolify
### ❌ Azure DevOps
```
Status: Falha
Chave: ~/.ssh/ic-ad
Erro: Permission denied (publickey)
```
**Acao:** Registrar `~/.ssh/ic-ad.pub` em Azure DevOps > User Settings > SSH public keys
### ❌ Vim (Dokku PROD)
```
Status: Indeterminado
IP: 38.19.201.52
Chave: ~/.ssh/lh-zeus
Erro: Permission denied (publickey)
```
**Acao:** Adicionar chave publica ao servidor
### ✅ Forgejo
```
Status: Online (API)
URL: https://pipe.gohorsejobs.com
Token: ~/.ssh/forgejo-token
Usuario: yamamoto
```
**Acesso via API apenas. SSH nao configurado.**
---
## Arquivos Faltando
| Arquivo | Uso |
|---------|-----|
| cloudflare-token | Cloudflare API |
| coolify-redbull-token | Coolify API |
| github-token | GitHub PAT |
| absam-db-novo | Absam DB |
| absam-token | Absam API |
---
## Acoes Pendentes
1. [ ] Registrar `ic-ad.pub` no Azure DevOps
2. [ ] Criar arquivos de token faltantes (cloudflare, coolify, github, absam)
---
*Testado em: 2026-02-21*
---
*Testado em: 2026-02-21*
*Testado em: 2026-03-05*
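Review bot: `Resumo da auditoria` says 6 errors but `Resultado por bloco` has exactly one `ERRO` row, and the failures the previous version listed (Azure DevOps `Permission denied (publickey)`, the Vim host with `~/.ssh/lh-zeus`, the missing token files under `Arquivos Faltando`) are deleted without a line saying they were resolved; a status file should carry failing items explicitly, otherwise the next audit cannot distinguish a fixed check from one that silently dropped out of the script. `Arquivo gerado` should use the repo-relative `scripts/connection-status.json` rather than `C:\dev\infracloud\scripts\connection-status.json`, which only holds on one workstation. For item 2 of `Pendencias tecnicas`, record the actual error `kubectl` returned: the JSON in this commit stores an empty `cluster` string, so the cause (expired OKE token, wrong context, missing kubeconfig) is not captured anywhere.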

View file

@ -1,8 +1,8 @@
# Scripts de Utilidade
# Scripts de utilidade
## sync-vault.js
Sincroniza credenciais SSH entre `~/.ssh/` e Object Storages (Civo e Euronodes).
Sincroniza credenciais SSH entre `~/.ssh/` e object storages.
### Uso
@ -10,42 +10,35 @@ Sincroniza credenciais SSH entre `~/.ssh/` e Object Storages (Civo e Euronodes).
# Listar arquivos nos buckets
node scripts/sync-vault.js list
# Upload local -> cloud
# Upload local -> cloud (Civo + espelho Euronodes)
node scripts/sync-vault.js upload
# Download cloud -> local
# Download cloud -> local (origem Civo)
node scripts/sync-vault.js download
# Sincronizar Civo -> Euronodes (tudo)
# Sincronizar Civo -> Euronodes
node scripts/sync-vault.js sync-civo
```
### Requisitos
```bash
cd scripts && npm install
```
### Filtros
### Filtros de upload
O script ignora automaticamente:
- `known_hosts*`
- `authorized_keys`
- Arquivos `.pub`
- Diretórios
- arquivos `.pub`
- diretorios
### Object Storages
### Object storage
| Provider | Bucket | Endpoint |
|----------|--------|----------|
| Civo | rede5 | https://objectstore.nyc1.civo.com |
| Euronodes | vault | https://eu-west-1.euronodes.com |
---
| Provider | Bucket | Prefixo |
|----------|--------|---------|
| Civo | `rede5` | `vault/ssh/` |
| Euronodes | `vault` | `ssh/` |
## check-connections.py
Verifica todas as conexões da infraestrutura (VPS, APIs, Cloudflare, OCI, K8s, Object Storage).
Valida conexoes de infraestrutura (VPS, APIs, Cloudflare, OCI, Kubernetes e object storage).
### Uso
@ -53,24 +46,20 @@ Verifica todas as conexões da infraestrutura (VPS, APIs, Cloudflare, OCI, K8s,
python scripts/check-connections.py
```
### Saída
### Saida
- Console: resumo das conexões
- Arquivo: `scripts/connection-status.json`
- Console com resumo
- Arquivo `scripts/connection-status.json`
### Conexões verificadas
### Observacao OCI
| Categoria | Serviços |
|-----------|----------|
| VPS | redbull, echo, nc2, absam-io |
| Git | GitHub SSH |
| APIs | Coolify, Forgejo, GitHub, Bookstack |
| Cloudflare | Rede5, Inventcloud |
| Email | MXRoute |
| OCI | Oracle Cloud Infrastructure |
| Kubernetes | OKE cluster |
| Object Storage | Civo, Euronodes |
Se aparecer warning de permissao de arquivo:
```powershell
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\config
oci setup repair-file-permissions --file C:\Users\TiagoRibeiro\.oci\api_key.pem
```
---
*Atualizado em: 2026-02-24*
*Atualizado em: 2026-03-05*
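Review bot: `Filtros de upload` now spells out that only `known_hosts*`, `authorized_keys`, `.pub` files and directories are skipped, which means every private key, `config`, `azure_devops_auth.json`, `monday.env` and the token files are uploaded to both buckets; the README should state whether `sync-vault.js` encrypts these client-side before upload and which credential the script itself uses to reach `rede5` and `vault`, since anyone running `upload` is copying the whole key set to two external providers. The endpoint column (`https://objectstore.nyc1.civo.com`, `https://eu-west-1.euronodes.com`) was dropped in favour of prefixes; keep both, because the endpoint is exactly what a fresh machine needs before it can run `download`. In `Observacao OCI`, it is right that the fix is `repair-file-permissions` rather than the suppression variable, but replace `C:\Users\TiagoRibeiro` with `~` or `%USERPROFILE%` as elsewhere.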

View file

@ -1,5 +1,5 @@
{
"date": "2026-02-28T07:49:04.374520",
"date": "2026-03-05T09:28:21.758957",
"connections": {
"vps": {
"redbull": {
@ -12,7 +12,7 @@
},
"nc2": {
"status": "OK",
"output": "** WARNING: connection is not using a post-quantum key exchange algorithm.\n** This session may be vulnerable to \"store now, decrypt later\" attacks.\n** The server may need to be upgraded. See https://openssh.com/pq.html\nOK"
"output": "OK"
},
"absam-io": {
"status": "OK",
@ -63,11 +63,11 @@
},
"oci": {
"status": "OK",
"namespace": "{\n \"data\": \"grbb7qzeuoag\"\n}"
"namespace": "WARNING: Permissions on C:\\Users\\TiagoRibeiro\\.oci\\config are too open. \nThe following users / groups have permissions to the file and should not: DESKTOP-SG4DDTN\\CodexSandboxUsers. \nTo fix this please try executing the following command: \noci setup repair-file-permissions --file C:\\Users\\TiagoRibeiro\\.oci\\config \nAlternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow: \nSET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True\n$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=\"True\"\n\nWARNING: Permissions on C:\\Users\\TiagoRibeiro\\.oci\\api_key.pem are too open. \nThe following users / groups have permissions to the file and should not: DESKTOP-SG4DDTN\\CodexSandboxUsers. \nTo fix this please try executing the following command: \noci setup repair-file-permissions --file C:\\Users\\TiagoRibeiro\\.oci\\api_key.pem \nAlternatively to hide this warning, you may set an environment variable; Windows and PowerShell commands follow: \nSET OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True\n$Env:OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=\"True\"\n\n{\n \"data\": \"grbb7qzeuoag\"\n}"
},
"kubernetes": {
"status": "OK",
"cluster": "Kubernetes control plane is running at https://136.248.124.22:6443"
"status": "ERROR",
"cluster": ""
},
"object_storage": {
"civo": {