chore(prod): ajustar stack convex/traefik e registrar alteracoes

2025-12-18 21:22:06 -03:00 · 2025-12-18 21:22:06 -03:00 · 9c6e724128
commit 9c6e724128
parent c030a3ac09
2 changed files with 88 additions and 1 deletions
--- a/docs/alteracoes-producao-2025-12-19.md
+++ b/docs/alteracoes-producao-2025-12-19.md
@ -0,0 +1,32 @@
+# Alteracoes de producao - 2025-12-19
+
+Registro das correcoes aplicadas na VPS para reduzir erros em logs e estabilizar certificados e Convex.
+
+## Traefik / TLS
+- ACME alterado de HTTP-01 para TLS-ALPN no servico `traefik_traefik`.
+- Reinicio do servico Traefik para aplicar a nova configuracao.
+
+## Certificados ACME
+- Remocao de certificados obsoletos no `acme.json`:
+  - `pgadmin.rever.com.br`
+  - `supa.rever.com.br`
+  - `compressor.esdrasrenan.com.br`
+- Backups gerados:
+  - `/var/lib/docker/volumes/certificados/_data/acme.json.backup-20251219011425`
+  - `/var/lib/docker/volumes/certificados/_data/acme.json.backup-` (gerado sem timestamp por comando anterior)
+
+## Convex
+- Adicionado `convex_proxy` (tinyproxy) e configurado `--convex-http-proxy` para remover warning de proxy ausente.
+- Adicionado `convex_block` (http-echo) para bloquear `POST /api/*` com `Content-Type` nao JSON (415).
+- Prioridades de roteamento ajustadas:
+  - `sistema_convex_api_json` (priority 100)
+  - `sistema_convex_api_block` (priority 50)
+  - `sistema_convex` (priority 1)
+- `RUST_LOG` ajustado para `info,common::errors=error` a fim de reduzir ruido de warnings nao criticos.
+
+## Stack / Rede
+- Criada rede `convex_internal` (overlay, internal) para trafego interno do Convex com o proxy.
+- Arquivo atualizado: `/srv/apps/sistema/stack.yml` (stack `sistema`).
+
+## Observacoes
+- A alteracao do ACME foi feita via `docker service update --args` no Traefik (nao ha stack file versionado).
--- a/stack.yml
+++ b/stack.yml
@ -95,10 +95,13 @@ services:
    image: ghcr.io/get-convex/convex-backend:6690a911bced1e5e516eafc0409a7239fb6541bb
    stop_grace_period: 10s
    stop_signal: SIGINT
+    command:
+      - --convex-http-proxy
+      - http://convex_proxy:8888
    volumes:
      - convex_data:/convex/data
    environment:
-      - RUST_LOG=info
+      - RUST_LOG=info,common::errors=error
      - CONVEX_CLOUD_ORIGIN=https://convex.esdrasrenan.com.br
      - CONVEX_SITE_ORIGIN=https://convex.esdrasrenan.com.br
      # Provisionamento de máquinas (usado pelas functions do Convex)
@ -136,9 +139,17 @@ services:
        - traefik.http.routers.sistema_convex.entrypoints=websecure
        - traefik.http.routers.sistema_convex.tls=true
        - traefik.http.routers.sistema_convex.tls.certresolver=le
+        - traefik.http.routers.sistema_convex.priority=1
+        - traefik.http.routers.sistema_convex_api_json.rule=Host(`convex.esdrasrenan.com.br`) && PathPrefix(`/api/`) && Method(`POST`) && HeadersRegexp(`Content-Type`, `(?i)^application/json(\\s*;.*)?$$`)
+        - traefik.http.routers.sistema_convex_api_json.entrypoints=websecure
+        - traefik.http.routers.sistema_convex_api_json.tls=true
+        - traefik.http.routers.sistema_convex_api_json.tls.certresolver=le
+        - traefik.http.routers.sistema_convex_api_json.priority=100
+        - traefik.http.routers.sistema_convex_api_json.service=sistema_convex
        - traefik.http.services.sistema_convex.loadbalancer.server.port=3210
    networks:
      - traefik_public
+      - convex_internal
    healthcheck:
      test: ["CMD-SHELL", "curl -sf http://localhost:3210/version >/dev/null || exit 1"]
      interval: 15s
@ -146,6 +157,47 @@ services:
      retries: 3
      start_period: 60s

+  convex_proxy:
+    image: monokal/tinyproxy:latest
+    command:
+      - ANY
+    deploy:
+      mode: replicated
+      replicas: 1
+      resources:
+        limits:
+          memory: "256M"
+      placement:
+        constraints:
+          - node.role == manager
+    networks:
+      - convex_internal
+
+  convex_block:
+    image: hashicorp/http-echo:1.0.0
+    command:
+      - -listen=:8080
+      - -status-code=415
+      - -text=unsupported content type
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        - traefik.enable=true
+        - traefik.docker.network=traefik_public
+        - traefik.http.routers.sistema_convex_api_block.rule=Host(`convex.esdrasrenan.com.br`) && PathPrefix(`/api/`) && Method(`POST`)
+        - traefik.http.routers.sistema_convex_api_block.entrypoints=websecure
+        - traefik.http.routers.sistema_convex_api_block.tls=true
+        - traefik.http.routers.sistema_convex_api_block.tls.certresolver=le
+        - traefik.http.routers.sistema_convex_api_block.priority=50
+        - traefik.http.routers.sistema_convex_api_block.service=sistema_convex_block
+        - traefik.http.services.sistema_convex_block.loadbalancer.server.port=8080
+    networks:
+      - traefik_public
+
  convex_dashboard:
    image: ghcr.io/get-convex/convex-dashboard:latest
    environment:
@ -173,3 +225,6 @@ volumes:
 networks:
  traefik_public:
    external: true
+  convex_internal:
+    driver: overlay
+    internal: true