From 9c6e724128b051681113acaf2ff2ca7d344cf73a Mon Sep 17 00:00:00 2001
From: rever-tecnologia
Date: Thu, 18 Dec 2025 21:22:06 -0300
Subject: [PATCH] chore(prod): ajustar stack convex/traefik e registrar alteracoes
---
 docs/alteracoes-producao-2025-12-19.md | 32 +++++++++++++++
 stack.yml | 57 +++++++++++++++++++++++++-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 docs/alteracoes-producao-2025-12-19.md
diff --git a/docs/alteracoes-producao-2025-12-19.md b/docs/alteracoes-producao-2025-12-19.md
new file mode 100644
index 0000000..7e135aa
--- /dev/null
+++ b/docs/alteracoes-producao-2025-12-19.md
@@ -0,0 +1,32 @@
+# Alteracoes de producao - 2025-12-19
+
+Registro das correcoes aplicadas na VPS para reduzir erros em logs e estabilizar certificados e Convex.
+
+## Traefik / TLS
+- ACME alterado de HTTP-01 para TLS-ALPN no servico `traefik_traefik`.
+- Reinicio do servico Traefik para aplicar a nova configuracao.
+
+## Certificados ACME
+- Remocao de certificados obsoletos no `acme.json`:
+ - `pgadmin.rever.com.br`
+ - `supa.rever.com.br`
+ - `compressor.esdrasrenan.com.br`
+- Backups gerados:
+ - `/var/lib/docker/volumes/certificados/_data/acme.json.backup-20251219011425`
+ - `/var/lib/docker/volumes/certificados/_data/acme.json.backup-` (gerado sem timestamp por comando anterior)
+
+## Convex
+- Adicionado `convex_proxy` (tinyproxy) e configurado `--convex-http-proxy` para remover warning de proxy ausente.
+- Adicionado `convex_block` (http-echo) para bloquear `POST /api/*` com `Content-Type` nao JSON (415).
+- Prioridades de roteamento ajustadas:
+ - `sistema_convex_api_json` (priority 100)
+ - `sistema_convex_api_block` (priority 50)
+ - `sistema_convex` (priority 1)
+- `RUST_LOG` ajustado para `info,common::errors=error` a fim de reduzir ruido de warnings nao criticos.
+
+## Stack / Rede
+- Criada rede `convex_internal` (overlay, internal) para trafego interno do Convex com o proxy.
+- Arquivo atualizado: `/srv/apps/sistema/stack.yml` (stack `sistema`).
+
+## Observacoes
+- A alteracao do ACME foi feita via `docker service update --args` no Traefik (nao ha stack file versionado).
diff --git a/stack.yml b/stack.yml
index 019b141..2270f61 100644
--- a/stack.yml
+++ b/stack.yml
@@ -95,10 +95,13 @@ services:
 image: ghcr.io/get-convex/convex-backend:6690a911bced1e5e516eafc0409a7239fb6541bb
 stop_grace_period: 10s
 stop_signal: SIGINT
+ command:
+ - --convex-http-proxy
+ - http://convex_proxy:8888
 volumes:
 - convex_data:/convex/data
 environment:
- - RUST_LOG=info
+ - RUST_LOG=info,common::errors=error
 - CONVEX_CLOUD_ORIGIN=https://convex.esdrasrenan.com.br
 - CONVEX_SITE_ORIGIN=https://convex.esdrasrenan.com.br
 # Provisionamento de máquinas (usado pelas functions do Convex)
@@ -136,9 +139,17 @@ services:
 - traefik.http.routers.sistema_convex.entrypoints=websecure
 - traefik.http.routers.sistema_convex.tls=true
 - traefik.http.routers.sistema_convex.tls.certresolver=le
+ - traefik.http.routers.sistema_convex.priority=1
+ - traefik.http.routers.sistema_convex_api_json.rule=Host(`convex.esdrasrenan.com.br`) && PathPrefix(`/api/`) && Method(`POST`) && HeadersRegexp(`Content-Type`, `(?i)^application/json(\\s*;.*)?$$`)
+ - traefik.http.routers.sistema_convex_api_json.entrypoints=websecure
+ - traefik.http.routers.sistema_convex_api_json.tls=true
+ - traefik.http.routers.sistema_convex_api_json.tls.certresolver=le
+ - traefik.http.routers.sistema_convex_api_json.priority=100
+ - traefik.http.routers.sistema_convex_api_json.service=sistema_convex
 - traefik.http.services.sistema_convex.loadbalancer.server.port=3210
 networks:
 - traefik_public
+ - convex_internal
 healthcheck:
 test: ["CMD-SHELL", "curl -sf http://localhost:3210/version >/dev/null || exit 1"]
 interval: 15s
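Review bot: `--convex-http-proxy http://convex_proxy:8888` is satisfied here by `convex_proxy`, which the later hunk of this patch starts as tinyproxy with `ANY`, i.e. no client or destination filtering, so the proxy removes the startup warning without constraining where backend-initiated HTTP requests can go; if that option exists to sandbox function egress (inferred from its name and the warning, not shown on this page), the gap should be stated next to the command, e.g. `# convex_proxy is an unfiltered forward proxy: it satisfies --convex-http-proxy but does not restrict outbound destinations`. The proxy URL is plain HTTP, which is acceptable only while `convex_internal` carries just these two services. `RUST_LOG=info,common::errors=error` drops every warning from that module rather than one message; a comment naming the message that was noisy would let the filter be removed once it is fixed upstream. The `convex` service definition starts before this hunk.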
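Review bot: The `HeadersRegexp` pattern on the `sistema_convex_api_json` rule contains `\\s`, and in a YAML plain scalar a backslash is not an escape, so Traefik receives two backslashes and Go's regexp reads `\\s*` as an optional run of a literal backslash followed by `s`, not as whitespace; a `Content-Type: application/json; charset=utf-8` POST then misses the priority-100 router and falls through to `sistema_convex_api_block` with a 415. Unless something in the label pipeline collapses the doubled backslash (nothing on this page suggests it does), the optional group should be written with a single backslash, `(\s*;.*)?`, keeping `$$` since Compose still unescapes that to `$`. A quick check after deploy is a JSON POST with a `charset` parameter reaching port 3210 instead of `convex_block`. The `convex` service's `labels` list starts before this hunk.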
@@ -146,6 +157,47 @@ services:
 retries: 3
 start_period: 60s
 
+ convex_proxy:
+ image: monokal/tinyproxy:latest
+ command:
+ - ANY
+ deploy:
+ mode: replicated
+ replicas: 1
+ resources:
+ limits:
+ memory: "256M"
+ placement:
+ constraints:
+ - node.role == manager
+ networks:
+ - convex_internal
+
+ convex_block:
+ image: hashicorp/http-echo:1.0.0
+ command:
+ - -listen=:8080
+ - -status-code=415
+ - -text=unsupported content type
+ deploy:
+ mode: replicated
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik_public
+ - traefik.http.routers.sistema_convex_api_block.rule=Host(`convex.esdrasrenan.com.br`) && PathPrefix(`/api/`) && Method(`POST`)
+ - traefik.http.routers.sistema_convex_api_block.entrypoints=websecure
+ - traefik.http.routers.sistema_convex_api_block.tls=true
+ - traefik.http.routers.sistema_convex_api_block.tls.certresolver=le
+ - traefik.http.routers.sistema_convex_api_block.priority=50
+ - traefik.http.routers.sistema_convex_api_block.service=sistema_convex_block
+ - traefik.http.services.sistema_convex_block.loadbalancer.server.port=8080
+ networks:
+ - traefik_public
+
 convex_dashboard:
 image: ghcr.io/get-convex/convex-dashboard:latest
 environment:
@@ -173,3 +225,6 @@ volumes:
 networks:
 traefik_public:
 external: true
+ convex_internal:
+ driver: overlay
+ internal: true
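Review bot: `convex_proxy` uses `monokal/tinyproxy:latest`, an unpinned third-party image, on a service that now sits in the backend's outbound HTTP path; the same hunk pins `hashicorp/http-echo:1.0.0` and the backend is pinned by commit, so pin this one too, e.g. `image: monokal/tinyproxy:<pinned tag or digest>`. The `ANY` argument admits every client, which is tolerable only because the service is attached to `convex_internal` alone; a comment such as `# ANY = accept all clients; relies on this service being on convex_internal only` would stop a later network addition from silently opening it. `convex_block` has no `resources.limits` while `convex_proxy` does; as an internet-reachable endpoint it deserves the same cap.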
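Review bot: `convex_internal` is declared `internal: true`, and `convex_proxy` (earlier in this patch) is attached only to that network, so the proxy has no route outside the overlay; any request the backend forwards through `--convex-http-proxy` to an external host would be expected to fail at the proxy, turning the silenced warning into broken outbound fetches. If external egress is needed, give `convex_proxy` a second, non-internal network for egress and keep `convex_internal` internal for the backend-to-proxy hop; if egress is deliberately unwanted, add `# internal: no external egress; the proxy can only reach convex_internal members` so the limitation is explicit rather than discovered in production.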