Bootstrap server-audit docs/runbooks; passwordless SSH for .24/.25/.28/.26/.40; apply Jalur B for 25 geonet mailboxes with support@ verified to byprakoso@.master
@ -0,0 +1,42 @@
@@ -0,0 +1,42 @@
|
||||
# Apply Jalur B (hybrid cPanel transport) for all @geonet.co.id except support@ |
||||
# SSOT: Mailcow/docs/notes/hybrid-migration-cpanel-mailcow.md |
||||
# Usage: |
||||
# .\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 -DryRun |
||||
# .\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 |
||||
# .\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 -Only "byprakoso@geonet.co.id,user2@geonet.co.id" |
||||
# |
||||
# Wajib PowerShell. SSH: ssh mailcow (key id_ed25519_mailcow). |
||||
|
||||
param( |
||||
[switch]$DryRun, |
||||
[string]$Only = "", |
||||
[string]$RemoteHost = "mailcow" |
||||
) |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$ScriptDir = $PSScriptRoot |
||||
$LocalSh = Join-Path $ScriptDir 'setup-jalur-b-batch.sh' |
||||
$RemoteSh = '/tmp/setup-jalur-b-batch.sh' |
||||
|
||||
if (-not (Test-Path $LocalSh)) { |
||||
throw "Script not found: $LocalSh" |
||||
} |
||||
|
||||
# LF-only for bash on Linux |
||||
$tempSh = Join-Path $env:TEMP 'setup-jalur-b-batch.sh' |
||||
$content = (Get-Content $LocalSh -Raw) -replace "`r", "" |
||||
[System.IO.File]::WriteAllText($tempSh, $content) |
||||
|
||||
Write-Host "Upload $LocalSh -> ${RemoteHost}:$RemoteSh" |
||||
scp $tempSh "${RemoteHost}:${RemoteSh}" |
||||
|
||||
$argsRemote = 'bash ' + $RemoteSh |
||||
if ($DryRun) { $argsRemote += ' --dry-run' } |
||||
if ($Only) { $argsRemote += " --only '$Only'" } |
||||
$argsRemote += '; rm -f ' + $RemoteSh |
||||
|
||||
Write-Host "Run: ssh $RemoteHost `"$argsRemote`"" |
||||
ssh $RemoteHost $argsRemote |
||||
|
||||
Remove-Item $tempSh -Force -ErrorAction SilentlyContinue |
||||
Write-Host "Finished." |
||||
@ -0,0 +1,160 @@
@@ -0,0 +1,160 @@
|
||||
#!/bin/bash |
||||
# Jalur B batch: semua mailbox @geonet.co.id kecuali Jalur A (support@) |
||||
# — inactive mailbox + transport map → cPanel :587 |
||||
# |
||||
# Prasyarat AD (manual): keluarkan user dari grup Mail-Users (kecuali support@) |
||||
# agar LDAP sync tidak mengaktifkan ulang mailbox. |
||||
# |
||||
# Usage (di server Mailcow / dalam stack): |
||||
# ./setup-jalur-b-batch.sh # apply semua kecuali support@ |
||||
# ./setup-jalur-b-batch.sh --dry-run # hanya list + cek |
||||
# ./setup-jalur-b-batch.sh --only byprakoso@geonet.co.id,user2@geonet.co.id |
||||
# KEEP_ACTIVE=support@geonet.co.id ./setup-jalur-b-batch.sh |
||||
# |
||||
# Single-user: setup-transport-cpanel-user.sh user@geonet.co.id |
||||
set -euo pipefail |
||||
|
||||
DRY_RUN=0 |
||||
ONLY_LIST="" |
||||
KEEP_ACTIVE="${KEEP_ACTIVE:-support@geonet.co.id}" |
||||
NEXTHOP="${TRANSPORT_NEXTHOP:-[sc138.idcloudhosting.cloud]:587}" |
||||
RELAYHOST_ID="${TRANSPORT_RELAYHOST_ID:-1}" |
||||
DOMAIN="${MAIL_DOMAIN:-geonet.co.id}" |
||||
|
||||
MYSQL_C='mailcowdockerized-mysql-mailcow-1' |
||||
POSTFIX_C='mailcowdockerized-postfix-mailcow-1' |
||||
PHP_C='mailcowdockerized-php-fpm-mailcow-1' |
||||
|
||||
while [ $# -gt 0 ]; do |
||||
case "$1" in |
||||
--dry-run) DRY_RUN=1; shift ;; |
||||
--only) ONLY_LIST="${2:-}"; shift 2 ;; |
||||
-h|--help) |
||||
sed -n '2,16p' "$0" |
||||
exit 0 |
||||
;; |
||||
*) |
||||
echo "Unknown arg: $1" |
||||
exit 1 |
||||
;; |
||||
esac |
||||
done |
||||
|
||||
mysql_q() { |
||||
docker exec "$MYSQL_C" bash -lc "mysql mailcow -uroot -p\"\$MYSQL_ROOT_PASSWORD\" -N -e \"$1\"" |
||||
} |
||||
|
||||
mysql_exec() { |
||||
docker exec "$MYSQL_C" bash -lc "mysql mailcow -uroot -p\"\$MYSQL_ROOT_PASSWORD\" -e \"$1\"" |
||||
} |
||||
|
||||
is_kept() { |
||||
local e="$1" |
||||
local k |
||||
IFS=',' read -ra _keep <<< "$KEEP_ACTIVE" |
||||
for k in "${_keep[@]}"; do |
||||
k="$(echo "$k" | tr -d '[:space:]')" |
||||
[ -z "$k" ] && continue |
||||
[ "$e" = "$k" ] && return 0 |
||||
done |
||||
return 1 |
||||
} |
||||
|
||||
in_only() { |
||||
local e="$1" |
||||
[ -z "$ONLY_LIST" ] && return 0 |
||||
local o |
||||
IFS=',' read -ra _only <<< "$ONLY_LIST" |
||||
for o in "${_only[@]}"; do |
||||
o="$(echo "$o" | tr -d '[:space:]')" |
||||
[ -z "$o" ] && continue |
||||
[ "$e" = "$o" ] && return 0 |
||||
done |
||||
return 1 |
||||
} |
||||
|
||||
apply_one() { |
||||
local EMAIL="$1" |
||||
echo "---- ${EMAIL} ----" |
||||
|
||||
if [ "$DRY_RUN" = "1" ]; then |
||||
MB=$(mysql_q "SELECT username, active, authsource FROM mailbox WHERE username='${EMAIL}';") |
||||
TR=$(mysql_q "SELECT COUNT(*) FROM transports WHERE destination='${EMAIL}';") |
||||
echo "mailbox: ${MB:-MISSING}" |
||||
echo "transport_rows: ${TR:-0}" |
||||
echo "dry-run: would set active=0 + transport -> ${NEXTHOP}" |
||||
return 0 |
||||
fi |
||||
|
||||
mysql_exec "UPDATE mailbox SET active=0 WHERE username='${EMAIL}';" |
||||
MB=$(mysql_q "SELECT username, active, authsource FROM mailbox WHERE username='${EMAIL}';") |
||||
echo "mailbox after: ${MB:-MISSING}" |
||||
|
||||
CNT=$(mysql_q "SELECT COUNT(*) FROM transports WHERE destination='${EMAIL}';") |
||||
if [ "${CNT}" = "0" ]; then |
||||
mysql_exec " |
||||
INSERT INTO transports (destination, nexthop, username, password, is_mx_based, active) |
||||
SELECT '${EMAIL}', '${NEXTHOP}', r.username, r.password, 0, 1 |
||||
FROM relayhosts r |
||||
WHERE r.id=${RELAYHOST_ID} AND r.active=1 |
||||
LIMIT 1; |
||||
" |
||||
echo "transport: INSERT" |
||||
else |
||||
mysql_exec " |
||||
UPDATE transports t |
||||
JOIN relayhosts r ON r.id=${RELAYHOST_ID} AND r.active=1 |
||||
SET t.nexthop='${NEXTHOP}', t.username=r.username, t.password=r.password, t.active=1 |
||||
WHERE t.destination='${EMAIL}'; |
||||
" |
||||
echo "transport: UPDATE" |
||||
fi |
||||
|
||||
ALIAS=$(mysql_q "SELECT COUNT(*) FROM alias WHERE address='${EMAIL}';") |
||||
if [ "${ALIAS}" != "0" ]; then |
||||
mysql_exec "UPDATE alias SET active=1 WHERE address='${EMAIL}';" |
||||
echo "alias: active=1" |
||||
else |
||||
echo "alias: none" |
||||
fi |
||||
|
||||
docker exec "$POSTFIX_C" postmap -q "${EMAIL}" mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf || true |
||||
} |
||||
|
||||
echo "== Jalur B batch ==" |
||||
echo "KEEP_ACTIVE (Jalur A): ${KEEP_ACTIVE}" |
||||
echo "NEXTHOP: ${NEXTHOP}" |
||||
echo "DRY_RUN: ${DRY_RUN}" |
||||
[ -n "$ONLY_LIST" ] && echo "ONLY: ${ONLY_LIST}" |
||||
|
||||
echo "== LDAP sync ==" |
||||
docker exec "$PHP_C" php /crons/ldap-sync.php || true |
||||
|
||||
echo "== Candidates (@${DOMAIN}) ==" |
||||
mapfile -t ALL < <(mysql_q "SELECT username FROM mailbox WHERE username LIKE '%@${DOMAIN}' ORDER BY username;") |
||||
|
||||
APPLIED=0 |
||||
SKIPPED=0 |
||||
for EMAIL in "${ALL[@]}"; do |
||||
[ -z "$EMAIL" ] && continue |
||||
if is_kept "$EMAIL"; then |
||||
echo "SKIP (Jalur A): ${EMAIL}" |
||||
SKIPPED=$((SKIPPED + 1)) |
||||
continue |
||||
fi |
||||
if ! in_only "$EMAIL"; then |
||||
continue |
||||
fi |
||||
apply_one "$EMAIL" |
||||
APPLIED=$((APPLIED + 1)) |
||||
done |
||||
|
||||
if [ "$DRY_RUN" = "0" ] && [ "$APPLIED" -gt 0 ]; then |
||||
echo "== Reload postfix ==" |
||||
docker exec "$POSTFIX_C" postfix reload |
||||
fi |
||||
|
||||
echo "" |
||||
echo "DONE. applied=${APPLIED} skipped_jalur_a=${SKIPPED}" |
||||
echo "Manual AD: remove Jalur B users from Mail-Users (keep support@)." |
||||
echo "Test: support@ -> each user; verify inbox on cPanel." |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Setup SSH key — root@10.100.1.28 (Mailcow VM, Ubuntu) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\Mailcow\scripts\setup-ssh-key-simple.ps1# Sekali jalan: minta password root 1x, lalu login key-only. |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.28' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_ed25519_mailcow' |
||||
$pub = "$key.pub" |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t ed25519 -f $key -C 'geonet-mailcow' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
Write-Host "Upload public key ke root@${hostIp} (password 1x)..." |
||||
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey "root@${hostIp}" -p 22 "echo KEY_AUTH_OK" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal — cek auth log (password sekali):" |
||||
Write-Host " ssh root@${hostIp} -p 22 `"grep sshd /var/log/auth.log | tail -20`"" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh mailcow" |
||||
@ -0,0 +1,43 @@
@@ -0,0 +1,43 @@
|
||||
# AGENTS.md - Cold Start |
||||
|
||||
<!-- STRATEGY: UPDATE JARANG | Baca PERTAMA saat buka project. Max ~40 baris. --> |
||||
|
||||
> Project: `me/` |
||||
> Sesi terakhir: [docs/ai-session-summary.md](./docs/ai-session-summary.md) |
||||
> Peta lengkap (on-demand): [docs/context-index.md](./docs/context-index.md) |
||||
|
||||
## Apa ini? |
||||
|
||||
Dokumen pribadi & company profile **PT. Multiatur Sistem Solusi** (CIO: Rian Budi Setiawan) — kapabilitas teknis, compro markdown, referensi PDF, dan desain Figma. |
||||
|
||||
## Aturan kritis |
||||
|
||||
- Ini **docs-only** — bukan aplikasi runtime; jangan hardcode secret perusahaan |
||||
- Company profile resmi + kapabilitas enterprise digabung di `company-profile-pt-multiatur.md` |
||||
- Desain Figma compro: lanjut dari file yang sudah ada (jangan buat file baru tanpa alasan) |
||||
- Figma MCP: Starter plan terbatas; untuk Cursor tulis desain butuh **Full seat** (Dev = baca/MCP, tanpa Design) |
||||
- No commit kecuali user minta eksplisit |
||||
- Pengetahuan penting wajib ke `docs/` — jangan hanya di chat |
||||
|
||||
## Lanjut kerja (urutan baca) |
||||
|
||||
``` |
||||
1. AGENTS.md <- Anda di sini |
||||
2. docs/ai-session-summary.md <- TL;DR + Lanjut + Jangan |
||||
3. STOP - mulai kerja |
||||
4. On-demand: docs/todo.md | docs/issues.md | docs/context-index.md |
||||
``` |
||||
|
||||
**Rolling session memory = hanya** `docs/ai-session-summary.md`. |
||||
|
||||
## Pointer cepat |
||||
|
||||
| Butuh | Buka | |
||||
|-------|------| |
||||
| Priority | [docs/todo.md](./docs/todo.md) | |
||||
| Compro markdown | [company-profile-pt-multiatur.md](./company-profile-pt-multiatur.md) | |
||||
| Kapabilitas teknis (sumber) | [me.md](./me.md) | |
||||
| Profil resmi OCR | [PT. MULTIATUR SISTEM SOLUSI.md](./PT.%20MULTIATUR%20SISTEM%20SOLUSI.md) | |
||||
| PDF contoh desain | `Compro PT Multiatur Sistem Solusi v13_*.pdf` | |
||||
| Preview halaman PDF | [compro-preview/](./compro-preview/) | |
||||
| Bug / blocker | [docs/issues.md](./docs/issues.md) | |
||||
@ -0,0 +1,124 @@
@@ -0,0 +1,124 @@
|
||||
PROFIL PERUSAHAAN |
||||
|
||||
PT. MULTIATUR SISTEM SOLUSI |
||||
|
||||
Website: |
||||
www.multiatur.com |
||||
|
||||
Tentang Kami |
||||
|
||||
PT. Multiatur Sistem Solusi adalah perusahaan yang bergerak dalam bidang perdagangan dan pengadaan peralatan dan perlengkapan komunikasi yang berdiri sejak tahun 2023. |
||||
|
||||
PT. Multiatur Sistem Solusi beralamat di: |
||||
|
||||
Ruko Tanjung Mas Raya B1/37, Jagakarsa, |
||||
Tanjung Barat, Jakarta Selatan 12530 |
||||
|
||||
PT. Multiatur Sistem Solusi senantiasa menyediakan produk dan layanan terbaik bagi para klien kami yang memiliki latar belakang beragam, baik swasta maupun lembaga pemerintahan. |
||||
|
||||
Kepercayaan klien kami merupakan kebanggaan tersendiri bagi segenap tim di Multiatur Sistem Solusi, juga menjadi motivasi untuk terus berkembang menjadi perusahaan penyedia peralatan dan perlengkapan komunikasi yang terdepan. |
||||
|
||||
Bidang Usaha |
||||
Software Development |
||||
|
||||
Membuat perangkat lunak atau implementasi produk yang dibuat khusus, Business Analytics, Social Analytics dan Business Intelligence. |
||||
|
||||
System Solution |
||||
|
||||
Memberikan solusi sistem untuk Anda, meliputi: |
||||
|
||||
Perangkat Keras |
||||
Perangkat Lunak |
||||
Jaringan |
||||
Manajemen Server |
||||
Sistem |
||||
Pusat Data (Data Center) |
||||
dan lainnya |
||||
Visi |
||||
|
||||
Menjadi perusahaan penyedia peralatan dan perlengkapan komunikasi yang terpercaya. |
||||
|
||||
Dalam mencapai tujuan tersebut, segenap tim di Multiatur Sistem Solusi terus memastikan layanan dan dukungan terbaik kepada setiap klien kami. |
||||
|
||||
Layanan Kami |
||||
Surveillance |
||||
IP PABX |
||||
Data Center & Storage |
||||
PA System |
||||
Biometric |
||||
Message Blast |
||||
AI System |
||||
Sistem Monitoring |
||||
Turnstiles |
||||
Warehouse Management |
||||
Energy Solution System |
||||
Teknologi / Vendor |
||||
|
||||
Beberapa vendor yang terlihat pada dokumen: |
||||
|
||||
QNAP |
||||
Hikvision |
||||
ZKTeco |
||||
|
||||
(Terdapat beberapa logo lain namun kualitas OCR tidak cukup baik untuk diidentifikasi secara akurat.) |
||||
|
||||
Beberapa Klien |
||||
|
||||
Logo yang terlihat antara lain: |
||||
|
||||
PT EMI (Persero) |
||||
Energy Management Indonesia |
||||
HERA |
||||
|
||||
(Dokumen hanya menampilkan logo sehingga daftar lengkap klien tidak dapat dipastikan dari OCR.) |
||||
|
||||
Management |
||||
Adiya Mugi Raharja |
||||
|
||||
CEO |
||||
|
||||
"Kita menilai diri kita dengan cara mengukur dari apa yang kita rasa mampu untuk kerjakan, sedangkan orang lain mengukur kita dengan mengukur dari apa yang telah kita lakukan." |
||||
|
||||
Muhamad Jejen |
||||
|
||||
CTO |
||||
|
||||
Rian Budi Setiawan |
||||
|
||||
CIO |
||||
|
||||
Muhamad Fahmi |
||||
|
||||
CSO |
||||
|
||||
Kontak |
||||
|
||||
PT. Multiatur Sistem Solusi |
||||
|
||||
Ruko Tanjung Mas Raya B1/37 |
||||
Jagakarsa, Tanjung Barat |
||||
Jakarta Selatan 12530 |
||||
|
||||
Telepon: |
||||
021-27873814 |
||||
|
||||
Email: |
||||
admin@multiatur.com |
||||
|
||||
Website: |
||||
www.multiatur.com |
||||
|
||||
Evaluasi Dokumen |
||||
|
||||
Setelah melihat isi company profile, saya memiliki beberapa saran agar tampil lebih modern dan lebih kuat secara bisnis: |
||||
|
||||
Aspek Kondisi Saat Ini Rekomendasi |
||||
Desain ⭐⭐⭐⭐☆ Sudah menarik, bisa dibuat lebih modern dengan layout yang lebih lega. |
||||
Isi ⭐⭐☆☆☆ Terlalu umum, belum menunjukkan kompetensi teknis perusahaan. |
||||
Pengalaman ⭐☆☆☆☆ Belum ada daftar pengalaman atau portofolio proyek. |
||||
Infrastruktur ❌ Belum menjelaskan kemampuan Data Center, Cloud, atau Enterprise Infrastructure. |
||||
Teknologi ⭐⭐☆☆☆ Hanya menampilkan logo vendor, belum menjelaskan keahlian pada masing-masing solusi. |
||||
Nilai Tambah ❌ Belum ada diferensiasi dibanding kompetitor. |
||||
Roadmap Layanan ❌ Belum menjelaskan layanan end-to-end dari konsultasi hingga managed service. |
||||
|
||||
Melihat diskusi kita selama ini, saya yakin company profile ini dapat ditingkatkan menjadi profil perusahaan kelas enterprise dengan fokus pada Data Center, Enterprise Infrastructure, GIS Solutions, Cyber Security, AI Integration, dan Managed IT Services, sehingga jauh lebih kuat saat dipresentasikan kepada perusahaan besar maupun instansi pemerintah. |
||||
@ -0,0 +1,299 @@
@@ -0,0 +1,299 @@
|
||||
# Company Profile |
||||
|
||||
# PT. Multiatur Sistem Solusi |
||||
|
||||
**Enterprise IT Infrastructure · Data Center · GIS Platform · System Solution · Managed Services** |
||||
|
||||
| | | |
||||
|---|---| |
||||
| **Website** | [www.multiatur.com](https://www.multiatur.com) | |
||||
| **Telepon** | 021-27873814 | |
||||
| **Email** | admin@multiatur.com | |
||||
| **Alamat** | Ruko Tanjung Mas Raya B1/37, Jagakarsa, Tanjung Barat, Jakarta Selatan 12530 | |
||||
| **Berdiri** | 2023 | |
||||
|
||||
--- |
||||
|
||||
## Tentang Kami |
||||
|
||||
**PT. Multiatur Sistem Solusi** adalah perusahaan yang bergerak dalam bidang perdagangan dan pengadaan peralatan serta perlengkapan komunikasi, sekaligus penyedia solusi sistem dan infrastruktur TI enterprise. Perusahaan berdiri sejak tahun **2023** dan berkantor di Jakarta Selatan. |
||||
|
||||
Kami senantiasa menyediakan produk dan layanan terbaik bagi klien dengan latar belakang beragam — baik swasta maupun lembaga pemerintahan. Kepercayaan klien merupakan kebanggaan sekaligus motivasi bagi segenap tim untuk terus berkembang menjadi perusahaan penyedia solusi komunikasi dan infrastruktur TI yang terdepan. |
||||
|
||||
Di samping pengadaan perangkat, kami juga menghadirkan layanan **Enterprise IT Infrastructure**, **Data Center**, **GIS Platform**, **Cloud**, dan **Managed Services**. Dengan pengalaman membangun dan mengelola lingkungan *hybrid infrastructure* berbasis Windows, Linux, virtualisasi, serta sistem geospasial enterprise, kami menghadirkan solusi yang **aman**, **terintegrasi**, dan **mudah dikembangkan**. |
||||
|
||||
Kami menempatkan diri sebagai mitra *end-to-end*: mulai dari perencanaan infrastruktur, implementasi, integrasi aplikasi, hingga operasional dan dukungan purna jual. |
||||
|
||||
--- |
||||
|
||||
## Visi |
||||
|
||||
Menjadi perusahaan penyedia peralatan, perlengkapan komunikasi, dan solusi Enterprise IT Infrastructure yang **terpercaya** — menghadirkan sistem yang **andal**, **aman**, dan **mudah dikembangkan** untuk mendukung transformasi digital organisasi. |
||||
|
||||
Dalam mencapai tujuan tersebut, segenap tim di Multiatur Sistem Solusi terus memastikan layanan dan dukungan terbaik kepada setiap klien. |
||||
|
||||
--- |
||||
|
||||
## Bidang Usaha |
||||
|
||||
### Software Development |
||||
Membuat perangkat lunak atau implementasi produk yang dibuat khusus, termasuk Business Analytics, Social Analytics, dan Business Intelligence. |
||||
|
||||
### System Solution |
||||
Memberikan solusi sistem menyeluruh, meliputi: |
||||
|
||||
- Perangkat Keras |
||||
- Perangkat Lunak |
||||
- Jaringan |
||||
- Manajemen Server |
||||
- Sistem |
||||
- Pusat Data (Data Center) |
||||
- dan layanan terkait lainnya |
||||
|
||||
--- |
||||
|
||||
## Positioning |
||||
|
||||
Kekuatan kami mencakup pengadaan perangkat komunikasi sekaligus kemampuan sebagai **Enterprise Infrastructure Architect** yang menggabungkan: |
||||
|
||||
- Infrastruktur fisik dan virtual |
||||
- Operasional Data Center |
||||
- GIS Enterprise |
||||
- Pengembangan aplikasi |
||||
|
||||
Kombinasi ini memungkinkan kami merancang dan mengelola solusi secara menyeluruh — dari pengadaan perangkat hingga arsitektur dan aplikasi. |
||||
|
||||
--- |
||||
|
||||
## Layanan Kami |
||||
|
||||
### Solusi Sistem & Komunikasi |
||||
|
||||
| Layanan | Deskripsi singkat | |
||||
|---------|-------------------| |
||||
| **Surveillance** | Sistem pengawasan berbasis IP / CCTV | |
||||
| **IP PABX** | Komunikasi telepon berbasis IP | |
||||
| **Data Center & Storage** | Infrastruktur pusat data dan penyimpanan | |
||||
| **PA System** | Public Address System | |
||||
| **Biometric** | Sistem biometrik & akses | |
||||
| **Message Blast** | Layanan pesan massal | |
||||
| **AI System** | Solusi berbasis kecerdasan buatan | |
||||
| **Sistem Monitoring** | Monitoring operasional & infrastruktur | |
||||
| **Turnstiles** | Sistem akses & kontrol pintu putar | |
||||
| **Warehouse Management** | Manajemen gudang | |
||||
| **Energy Solution System** | Solusi energi | |
||||
|
||||
### Layanan Enterprise IT Infrastructure |
||||
|
||||
| Kategori | Layanan | |
||||
|----------|---------| |
||||
| **Data Center** | Perencanaan, implementasi, migrasi, dan pengelolaan Data Center | |
||||
| **Server Infrastructure** | Windows Server, Linux Server, Virtual Machine, High Availability | |
||||
| **Enterprise Network** | MikroTik, VLAN, VPN, Firewall, Routing, Reverse Proxy | |
||||
| **Identity Management** | Active Directory, LDAP, Single Sign-On (SSO) | |
||||
| **Database** | PostgreSQL, SQL Server, Backup, Replication, Performance Tuning | |
||||
| **Storage** | NAS, SAN, QNAP, Object Storage (S3), Backup & Recovery | |
||||
| **Monitoring** | Zabbix, Uptime Kuma | |
||||
| **Web Platform** | NGINX Reverse Proxy, SSL, Multi Domain Hosting | |
||||
| **Mail Server** | Multi Domain Mail Server, LDAP Integration, API Integration | |
||||
| **GIS Infrastructure** | ArcGIS Enterprise, ArcGIS Server, Portal for ArcGIS, GeoServer | |
||||
| **Asset Management** | Inventarisasi perangkat, monitoring endpoint, lifecycle asset | |
||||
| **IT Service Management** | Helpdesk, Ticketing, SLA | |
||||
|
||||
--- |
||||
|
||||
## Pengalaman & Keahlian |
||||
|
||||
### Enterprise Data Center |
||||
- Perencanaan dan implementasi infrastruktur Data Center |
||||
- Pengelolaan server fisik dan virtual |
||||
- Standarisasi infrastruktur TI untuk lingkungan enterprise |
||||
- Capacity planning dan optimalisasi sumber daya |
||||
|
||||
### Infrastruktur Server |
||||
- Implementasi dan administrasi Windows Server & Linux Server |
||||
- Active Directory Domain Services (AD DS) |
||||
- LDAP Authentication dan Single Sign-On (SSO) |
||||
- Remote administration dan server hardening |
||||
|
||||
### Virtualisasi |
||||
- Proxmox Virtual Environment |
||||
- Manajemen Virtual Machine |
||||
|
||||
### Enterprise GIS Infrastructure |
||||
- ArcGIS Enterprise, ArcGIS Server, Portal for ArcGIS |
||||
- ArcGIS Online, ArcGIS Pro |
||||
- GeoServer |
||||
- Integrasi GIS dengan sistem enterprise |
||||
|
||||
### Database Management |
||||
- Microsoft SQL Server & PostgreSQL |
||||
- Backup & restore, performance tuning, monitoring |
||||
- High Availability dan Disaster Recovery |
||||
|
||||
### Storage & Backup |
||||
- QNAP NAS dan QuObjects (S3 Object Storage) |
||||
- Network Attached Storage (NAS) |
||||
- Backup repository, file sharing enterprise, sinkronisasi data |
||||
|
||||
### Enterprise Network |
||||
- MikroTik RouterOS, VLAN, VPN, routing, firewall, NAT |
||||
- Reverse Proxy (NGINX) |
||||
- Multi Domain Hosting |
||||
|
||||
### Monitoring & Observability |
||||
- Zabbix, Uptime Kuma |
||||
- Dashboard monitoring |
||||
- Alerting & notification |
||||
|
||||
### Enterprise Mail System |
||||
- Multi Domain Mail Server |
||||
- Integrasi LDAP / Active Directory |
||||
- SMTP, IMAP, POP3 |
||||
- SPF, DKIM, DMARC dan mail security |
||||
- API integration |
||||
|
||||
### Asset Management |
||||
- Inventarisasi perangkat TI |
||||
- Monitoring endpoint |
||||
- Hardware lifecycle management & software inventory |
||||
- Warranty tracking dan asset audit |
||||
|
||||
### Enterprise Service Management |
||||
- Helpdesk, Incident, Service Request, Problem, dan Change Management |
||||
- SLA Management |
||||
- Knowledge Base |
||||
|
||||
### Software Development |
||||
- Laravel, FastAPI, Next.js, React |
||||
- REST API, API Gateway |
||||
- Enterprise dashboard |
||||
- Business Analytics, Social Analytics, Business Intelligence |
||||
|
||||
--- |
||||
|
||||
## Teknologi & Vendor |
||||
|
||||
| Vendor / Platform | Produk / Fokus | |
||||
|-------------------|----------------| |
||||
| **QNAP** | NAS, QuObjects S3, Qsync, Data Center & Storage | |
||||
| **Hikvision** | Surveillance / CCTV | |
||||
| **ZKTeco** | Biometric & access control | |
||||
| **Esri** | ArcGIS Enterprise, ArcGIS Server, ArcGIS Pro, ArcGIS Online, Survey123, Field Maps, Experience Builder | |
||||
| **Blue Marble** | Global Mapper, Global Mapper Pro | |
||||
| **DataEast** | XTools Pro dan solusi terkait | |
||||
| **Microsoft** | Windows Server, Active Directory, SQL Server, Microsoft 365 | |
||||
| **PostgreSQL** | PostgreSQL Database | |
||||
| **MikroTik** | RouterOS, VPN, Firewall | |
||||
| **NGINX** | Reverse Proxy & Load Balancer | |
||||
| **Open Source** | GeoServer, Zabbix, Uptime Kuma | |
||||
|
||||
--- |
||||
|
||||
## Pengembangan Aplikasi Enterprise |
||||
|
||||
Kami mengembangkan solusi aplikasi enterprise, antara lain: |
||||
|
||||
| Platform / Modul | Fungsi | |
||||
|------------------|--------| |
||||
| GeoNet Console | Konsol manajemen enterprise | |
||||
| GeoNet Collector | Pengumpulan data & telemetry | |
||||
| GeoNet Agent | Agent endpoint | |
||||
| Asset Management | Inventaris & lifecycle aset | |
||||
| Enterprise Ticketing | Helpdesk & service management | |
||||
| Knowledge Base | Basis pengetahuan operasional | |
||||
| Monitoring Dashboard | Observability terpusat | |
||||
| Notification Service | Notifikasi & alerting | |
||||
| API Gateway | Gerbang API terpusat | |
||||
| Product Catalog | Katalog produk & layanan | |
||||
| License Management | Manajemen lisensi | |
||||
|
||||
--- |
||||
|
||||
## Nilai Tambah |
||||
|
||||
- Enterprise Architecture Design |
||||
- Multi Domain & Multi Tenant Infrastructure |
||||
- Hybrid Infrastructure (On-Premise & Cloud Ready) |
||||
- API First Architecture |
||||
- High Availability Design |
||||
- Disaster Recovery Planning |
||||
- Infrastruktur yang scalable dan mudah dikembangkan |
||||
- Integrasi antar sistem berbasis API |
||||
- Monitoring terpusat |
||||
- Dokumentasi teknis dan standarisasi implementasi |
||||
- Audit trail & logging |
||||
- Pengadaan perangkat + implementasi sistem dalam satu mitra |
||||
|
||||
--- |
||||
|
||||
## Keunggulan Kompetitif |
||||
|
||||
1. **End-to-end capability** — dari pengadaan perangkat, perencanaan infrastruktur, implementasi, integrasi aplikasi, hingga pemeliharaan dan dukungan operasional. |
||||
2. **Integrasi GIS + IT modern** — mampu menghubungkan solusi geospasial dengan infrastruktur TI enterprise. |
||||
3. **Open source & komersial** — menguasai solusi berbasis open source maupun produk vendor. |
||||
4. **Fokus operasional** — keamanan, performa, skalabilitas, dan kemudahan operasional menjadi prioritas desain. |
||||
5. **Arsitektur hybrid** — mendukung lingkungan on-premise, virtualisasi, dan cloud-ready. |
||||
6. **Solusi komunikasi & sistem** — mencakup surveillance, biometric, IP PABX, PA system, dan energy solution. |
||||
|
||||
--- |
||||
|
||||
## Model Layanan |
||||
|
||||
| Tahap | Lingkup | |
||||
|-------|---------| |
||||
| **Konsultasi & Perencanaan** | Assessment, arsitektur, capacity planning, roadmap | |
||||
| **Pengadaan** | Perangkat keras, perangkat lunak, dan perlengkapan komunikasi | |
||||
| **Implementasi** | Instalasi, konfigurasi, migrasi, hardening | |
||||
| **Integrasi** | API, LDAP/AD, GIS, aplikasi enterprise | |
||||
| **Operasional & Managed Services** | Monitoring, backup, patching, SLA, support | |
||||
| **Pengembangan** | Aplikasi enterprise, dashboard | |
||||
|
||||
--- |
||||
|
||||
## Management |
||||
|
||||
| Nama | Jabatan | |
||||
|------|---------| |
||||
| **Adiya Mugi Raharja** | CEO | |
||||
| **Muhamad Jejen** | CTO | |
||||
| **Rian Budi Setiawan** | CIO | |
||||
| **Muhamad Fahmi** | CSO | |
||||
|
||||
> *"Kita menilai diri kita dengan cara mengukur dari apa yang kita rasa mampu untuk kerjakan, sedangkan orang lain mengukur kita dengan mengukur dari apa yang telah kita lakukan."* |
||||
> — Adiya Mugi Raharja, CEO |
||||
|
||||
--- |
||||
|
||||
## Beberapa Klien |
||||
|
||||
- PT EMI (Persero) — Energy Management Indonesia |
||||
- HERA |
||||
|
||||
*(Daftar klien dapat dilengkapi sesuai portofolio resmi perusahaan.)* |
||||
|
||||
--- |
||||
|
||||
## Kontak |
||||
|
||||
**PT. Multiatur Sistem Solusi** |
||||
|
||||
Ruko Tanjung Mas Raya B1/37 |
||||
Jagakarsa, Tanjung Barat |
||||
Jakarta Selatan 12530 |
||||
|
||||
| | | |
||||
|---|---| |
||||
| **Telepon** | 021-27873814 | |
||||
| **Email** | admin@multiatur.com | |
||||
| **Website** | [www.multiatur.com](https://www.multiatur.com) | |
||||
|
||||
--- |
||||
|
||||
## Penutup |
||||
|
||||
PT. Multiatur Sistem Solusi berkomitmen menjadi mitra yang dapat diandalkan — menghadirkan produk komunikasi berkualitas, infrastruktur yang stabil, sistem yang terintegrasi, dan layanan berkelanjutan untuk mendukung pertumbuhan organisasi Anda. |
||||
|
||||
--- |
||||
|
||||
*Dokumen ini disusun sebagai company profile layanan (service-based) untuk keperluan presentasi, proposal teknis, dan penawaran jasa. Menggabungkan profil resmi perusahaan dengan kapabilitas Enterprise IT Infrastructure & Managed Services.* |
||||
|
After Width: | Height: | Size: 175 KiB |
|
After Width: | Height: | Size: 682 KiB |
|
After Width: | Height: | Size: 587 KiB |
|
After Width: | Height: | Size: 944 KiB |
|
After Width: | Height: | Size: 665 KiB |
|
After Width: | Height: | Size: 523 KiB |
|
After Width: | Height: | Size: 546 KiB |
|
After Width: | Height: | Size: 215 KiB |
|
After Width: | Height: | Size: 160 KiB |
@ -0,0 +1,81 @@
@@ -0,0 +1,81 @@
|
||||
# AI Session Summary |
||||
|
||||
```yaml |
||||
session: 2026-07-10-compro-multiatur-figma |
||||
project: me/ |
||||
version: 0.1.0 |
||||
status: blocked |
||||
next: Lanjut Figma halaman 06–09 setelah upgrade plan / kuota MCP |
||||
previous: N/A |
||||
agent: Cursor |
||||
branch: (local) |
||||
``` |
||||
|
||||
--- |
||||
|
||||
## TL;DR |
||||
|
||||
- Disusun **company profile markdown** gabungan profil resmi PT. Multiatur Sistem Solusi + kapabilitas Enterprise IT/GIS dari `me.md` |
||||
- User bekerja di **PT. Multiatur Sistem Solusi** sebagai **CIO** (Rian Budi Setiawan) |
||||
- Desain Figma compro dimulai (gaya PDF v13); **halaman 01–05 selesai**, 06–09 terhenti **rate limit Figma MCP Starter** |
||||
- Rekomendasi seat Cursor: **Full** (tulis desain) / **Dev** (MCP baca); **Collab tidak cukup** |
||||
|
||||
--- |
||||
|
||||
## Lanjut dari sini |
||||
|
||||
1. Upgrade Figma ke Professional **Full seat** (atau tunggu reset kuota), lalu lanjut halaman 06–09 di file yang sama |
||||
2. Opsional: ganti placeholder warna di Layanan dengan foto/asset dari PDF; unggah logo resmi |
||||
3. Export PDF dari Figma setelah 9 halaman lengkap |
||||
|
||||
> Backlog: [todo.md](./todo.md) |
||||
|
||||
--- |
||||
|
||||
## Jangan |
||||
|
||||
- Jangan buat file Figma compro baru — pakai file yang sudah ada |
||||
- Jangan pilih **Collab seat** untuk kolaborasi Cursor (kuota MCP ~6/bulan) |
||||
- Jangan klaim proyek klien spesifik yang belum ada di sumber resmi |
||||
- Jangan commit secret / kredensial Figma |
||||
|
||||
--- |
||||
|
||||
## Detail |
||||
|
||||
### Artefak penting |
||||
|
||||
| Artefak | Lokasi / URL | |
||||
|---------|----------------| |
||||
| Compro markdown | [../company-profile-pt-multiatur.md](../company-profile-pt-multiatur.md) | |
||||
| Figma file | https://www.figma.com/design/sf2KWo2Jgiuwf4AVHUG6fb | |
||||
| PDF referensi | `../Compro PT Multiatur Sistem Solusi v13_260710_121308.pdf` | |
||||
| Preview PNG | `../compro-preview/page-01.png` … `page-09.png` | |
||||
|
||||
### Figma — status halaman |
||||
|
||||
| # | Nama | Status | |
||||
|---|------|--------| |
||||
| 01 | Cover | Done | |
||||
| 02 | Tentang Kami | Done | |
||||
| 03 | Visi & Misi | Done | |
||||
| 04 | Layanan 1 | Done | |
||||
| 05 | Layanan 2 | Done | |
||||
| 06 | Enterprise IT | Pending (rate limit) | |
||||
| 07 | Partner & Klien | Pending | |
||||
| 08 | Management | Pending | |
||||
| 09 | Thank You / Kontak | Pending | |
||||
|
||||
### Brand (dari PDF) |
||||
|
||||
- Navy `#0A2540`, Orange `#F2A900`, A4 ~1240×1754, font Inter |
||||
- Kontak: 021-27873814 · admin@multiatur.com · www.multiatur.com |
||||
- Alamat: Ruko Tanjung Mas Raya B1/37, Jagakarsa, Tanjung Barat, Jakarta Selatan 12530 |
||||
|
||||
### Catatan AI berikutnya |
||||
|
||||
- `use_figma` + `create_new_file` butuh skill figma-use / figma-create-new-file |
||||
- PlanKey user: `team::1263886893605566811` (rianjawa93's team) |
||||
- Blocker: [ISS-001](./issues.md) |
||||
|
||||
**On-demand:** [context-index.md](./context-index.md) | [todo.md](./todo.md) | [issues.md](./issues.md) |
||||
@ -0,0 +1,23 @@
@@ -0,0 +1,23 @@
|
||||
# Changelog |
||||
|
||||
Format: [Keep a Changelog](https://keepachangelog.com/). |
||||
|
||||
--- |
||||
|
||||
## [Unreleased] |
||||
|
||||
### Added |
||||
- |
||||
|
||||
### Changed |
||||
- |
||||
|
||||
--- |
||||
|
||||
## [0.1.0] - 2026-07-10 |
||||
|
||||
### Added |
||||
- Company profile markdown gabungan: profil resmi PT. Multiatur Sistem Solusi + kapabilitas Enterprise IT / GIS / Managed Services |
||||
- File Figma Company Profile (halaman 01–05); kerangka 06–09 |
||||
- Preview PNG 9 halaman dari PDF compro v13 |
||||
- Struktur docs standar (`AGENTS.md`, session summary, todo, issues, context-index) |
||||
@ -0,0 +1,66 @@
@@ -0,0 +1,66 @@
|
||||
# Context Index |
||||
|
||||
> Cold start: [../AGENTS.md](../AGENTS.md) → [ai-session-summary.md](./ai-session-summary.md) → **STOP**. |
||||
|
||||
--- |
||||
|
||||
## Zona A - Always-read pointers |
||||
|
||||
| Item | Value | |
||||
|------|-------| |
||||
| Nama | me (Company Profile & Personal Notes) | |
||||
| Path monorepo | `me/` | |
||||
| Cold start | [../AGENTS.md](../AGENTS.md) | |
||||
| Sesi terakhir | [ai-session-summary.md](./ai-session-summary.md) | |
||||
| Priority aktif | [todo.md](./todo.md) | |
||||
| Versi | 0.1.0 - [version.md](./version.md) | |
||||
| Tipe | docs-only | |
||||
| Last updated | 2026-07-10 | |
||||
|
||||
--- |
||||
|
||||
## Zona B - On-demand map |
||||
|
||||
### Dokumentasi inti |
||||
|
||||
| Dokumen | Isi | Kapan baca | |
||||
|---------|-----|------------| |
||||
| [ai-session-summary.md](./ai-session-summary.md) | Narasi sesi | Setelah AGENTS | |
||||
| [todo.md](./todo.md) | Priority | Ambil task | |
||||
| [issues.md](./issues.md) | Blocker Figma MCP | Lanjut desain | |
||||
| [changelog.md](./changelog.md) | Riwayat | Audit | |
||||
| [version.md](./version.md) | Poin versi | Cek rilis | |
||||
|
||||
### Sumber konten compro |
||||
|
||||
| File | Peran | |
||||
|------|-------| |
||||
| [../company-profile-pt-multiatur.md](../company-profile-pt-multiatur.md) | **SSOT compro markdown** (gabungan) | |
||||
| [../me.md](../me.md) | Kapabilitas teknis / Enterprise IT (sumber) | |
||||
| [../PT. MULTIATUR SISTEM SOLUSI.md](../PT.%20MULTIATUR%20SISTEM%20SOLUSI.md) | Profil resmi OCR (alamat, management, layanan komunikasi) | |
||||
| `../Compro PT Multiatur Sistem Solusi v13_*.pdf` | Referensi desain visual | |
||||
| [../compro-preview/](../compro-preview/) | PNG per halaman PDF | |
||||
|
||||
### Desain Figma |
||||
|
||||
| Item | Value | |
||||
|------|-------| |
||||
| File | https://www.figma.com/design/sf2KWo2Jgiuwf4AVHUG6fb | |
||||
| Nama | Company Profile - PT Multiatur Sistem Solusi | |
||||
| Plan team | `team::1263886893605566811` | |
||||
| Halaman selesai | 01–05 | |
||||
| Pending | 06–09 — lihat [ISS-001](./issues.md) | |
||||
|
||||
### Perusahaan (fakta kunci) |
||||
|
||||
| Field | Value | |
||||
|-------|-------| |
||||
| Nama | PT. Multiatur Sistem Solusi | |
||||
| Berdiri | 2023 | |
||||
| Website | www.multiatur.com | |
||||
| Telepon | 021-27873814 | |
||||
| Email | admin@multiatur.com | |
||||
| CIO | Rian Budi Setiawan | |
||||
| CEO | Adiya Mugi Raharja | |
||||
| CTO | Muhamad Jejen | |
||||
| CSO | Muhamad Fahmi | |
||||
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
# Issues |
||||
|
||||
--- |
||||
|
||||
## ISS-001 — Figma MCP rate limit (Starter) |
||||
|
||||
| Field | Value | |
||||
|-------|-------| |
||||
| **Status** | open | |
||||
| **Severity** | blocker (lanjut desain via Cursor) | |
||||
| **Date** | 2026-07-10 | |
||||
|
||||
### Gejala |
||||
`use_figma` gagal dengan: *You've reached the Figma MCP tool call limit on the Starter plan.* |
||||
|
||||
### Root cause |
||||
Akun pada plan **Starter**; kuota MCP untuk seat terbatas. Collab/View ≈ 6 panggilan/bulan. Full/Dev pada plan berbayar ≈ 200/hari. |
||||
|
||||
### Workaround / Fix |
||||
1. Upgrade ke **Professional Full seat** ($20/mo) — direkomendasikan jika Cursor harus **buat/edit** desain |
||||
2. Atau **Dev seat** ($15/mo) — cukup untuk MCP baca/Dev Mode, **tanpa** Figma Design |
||||
3. **Jangan** Collab seat untuk kolaborasi Cursor |
||||
|
||||
### Ref |
||||
- File: https://www.figma.com/design/sf2KWo2Jgiuwf4AVHUG6fb |
||||
- Docs Figma: rate-limits-access (MCP) |
||||
@ -0,0 +1,11 @@
@@ -0,0 +1,11 @@
|
||||
# Project Status |
||||
|
||||
> Last updated: 2026-07-10 |
||||
|
||||
| Area | Status | Catatan | |
||||
|------|--------|---------| |
||||
| Compro markdown | ✅ ready | `company-profile-pt-multiatur.md` | |
||||
| Sumber resmi + teknis | ✅ | `PT. MULTIATUR…md` + `me.md` | |
||||
| Figma desain | ⏸ blocked | 5/9 halaman; ISS-001 MCP Starter | |
||||
| Export PDF final | ❌ | Setelah 9 halaman selesai | |
||||
| Docs handover | ✅ | AGENTS + Tier 1 | |
||||
@ -0,0 +1,43 @@
@@ -0,0 +1,43 @@
|
||||
# TODO |
||||
|
||||
> Last updated: 2026-07-10 |
||||
> Sesi terakhir: [ai-session-summary.md](./ai-session-summary.md) |
||||
|
||||
--- |
||||
|
||||
## High Priority |
||||
|
||||
- [ ] Selesaikan Figma compro halaman **06–09** (Enterprise IT, Partner & Klien, Management, Thank You) di file yang sama |
||||
- [ ] Upgrade Figma Professional **Full seat** (atau tunggu kuota MCP) agar Cursor bisa lanjut `use_figma` |
||||
|
||||
--- |
||||
|
||||
## Medium Priority |
||||
|
||||
- [ ] Ganti placeholder visual layanan dengan foto/asset dari PDF / brand kit |
||||
- [ ] Unggah logo resmi Multiatur ke Figma (bukan SVG placeholder) |
||||
- [ ] Export PDF final dari Figma setelah 9 halaman lengkap |
||||
- [ ] Lengkapi daftar klien resmi di compro markdown (jika ada portofolio) |
||||
|
||||
--- |
||||
|
||||
## Low Priority |
||||
|
||||
- [ ] Versi ringkas 1–2 halaman (pitch deck) dari compro |
||||
- [ ] Versi bilingual (EN) jika dibutuhkan proposal |
||||
|
||||
--- |
||||
|
||||
## Technical Debt |
||||
|
||||
- [ ] Preview PNG di `compro-preview/` besar — pertimbangkan gitignore jika tidak perlu di repo |
||||
|
||||
--- |
||||
|
||||
## Selesai (Sesi Ini) |
||||
|
||||
- [x] Company profile markdown gabungan (resmi + Enterprise IT) - 2026-07-10 |
||||
- [x] Bootstrap docs `me/` (AGENTS + Tier 1 handover) - 2026-07-10 |
||||
- [x] Figma file dibuat; halaman 01–05 selesai - 2026-07-10 |
||||
- [x] Konversi PDF referensi → PNG preview - 2026-07-10 |
||||
- [x] Catatan seat Figma untuk Cursor (Collab vs Dev vs Full) - 2026-07-10 |
||||
@ -0,0 +1,9 @@
@@ -0,0 +1,9 @@
|
||||
# Version History |
||||
|
||||
--- |
||||
|
||||
## [0.1.0] - 2026-07-10 |
||||
|
||||
- Inisialisasi project docs `me/` (company profile & personal capability notes) |
||||
- Compro markdown v1 (service-based, gabungan sumber resmi + `me.md`) |
||||
- Desain Figma compro dimulai (5/9 halaman); blocker MCP Starter |
||||
@ -0,0 +1,275 @@
@@ -0,0 +1,275 @@
|
||||
# dokumen ini mendeskripsikan siapa saya: |
||||
Berdasarkan seluruh percakapan kita selama ini, saya melihat pengalaman saya bukan hanya sebagai IT Infrastructure, tetapi juga mencakup: |
||||
|
||||
Enterprise GIS Infrastructure |
||||
Data Center & Server Management |
||||
Active Directory & LDAP |
||||
Windows & Linux Server |
||||
Virtualisasi (Proxmox/VM) |
||||
Docker & Microservices |
||||
Reverse Proxy (NGINX) |
||||
PostgreSQL & SQL Server |
||||
Storage (QNAP, S3) |
||||
Monitoring (Grafana, Loki, Zabbix, Uptime Kuma) |
||||
Automation (n8n, Node-RED) |
||||
Asset Management |
||||
Enterprise Ticketing |
||||
AI Integration |
||||
Network (MikroTik, VPN, Firewall) |
||||
IT Support Internal & External Client |
||||
Enterprise Application Development |
||||
|
||||
Saya menyarankan company profile dibuat lebih profesional dan berorientasi pada layanan (service-based), bukan sekadar daftar keahlian. |
||||
|
||||
Company Profile – Data Center & Enterprise IT Services |
||||
Tentang Kami |
||||
|
||||
Kami menyediakan layanan Enterprise IT Infrastructure, Data Center, GIS Platform, Cloud, dan Managed Services untuk mendukung operasional bisnis, instansi pemerintah, maupun perusahaan swasta. |
||||
|
||||
Dengan pengalaman dalam membangun dan mengelola lingkungan hybrid infrastructure berbasis Windows, Linux, virtualisasi, container, serta sistem geospasial enterprise, kami menghadirkan solusi yang aman, terintegrasi, dan mudah dikembangkan. |
||||
|
||||
Layanan Utama |
||||
Kategori Layanan |
||||
Data Center Perencanaan, implementasi, migrasi, dan pengelolaan Data Center |
||||
Server Infrastructure Windows Server, Linux Server, Virtual Machine, High Availability |
||||
Enterprise Network MikroTik, VLAN, VPN, Firewall, Routing, Reverse Proxy |
||||
Identity Management Active Directory, LDAP, Single Sign-On (SSO), RBAC |
||||
Database PostgreSQL, SQL Server, Backup, Replication, Performance Tuning |
||||
Storage NAS, SAN, QNAP, Object Storage (S3), Backup & Recovery |
||||
Monitoring Grafana, Loki, Promtail, Zabbix, Uptime Kuma |
||||
Automation Node-RED, n8n, Workflow Automation |
||||
Container Platform Docker, Docker Compose, Dockge |
||||
Web Platform NGINX Reverse Proxy, SSL, Multi Domain Hosting |
||||
Mail Server Multi Domain Mail Server, LDAP Integration, API Integration |
||||
GIS Infrastructure ArcGIS Enterprise, ArcGIS Server, Portal for ArcGIS, GeoServer |
||||
Asset Management Inventarisasi perangkat, monitoring endpoint, lifecycle asset |
||||
IT Service Management Helpdesk, Ticketing, SLA, CMDB |
||||
AI Integration Integrasi AI untuk monitoring, automation, dan knowledge management |
||||
Produk & Platform yang Didukung |
||||
Vendor Produk |
||||
Esri ArcGIS Enterprise, ArcGIS Server, ArcGIS Pro, ArcGIS Online, Survey123, Field Maps, Experience Builder |
||||
Blue Marble Global Mapper, Global Mapper Pro |
||||
DataEast XTools Pro dan solusi terkait |
||||
Microsoft Windows Server, Active Directory, SQL Server, Microsoft 365 |
||||
PostgreSQL PostgreSQL Database |
||||
QNAP NAS, QuObjects S3, Qsync |
||||
MikroTik RouterOS, VPN, Firewall |
||||
Docker Docker Engine, Docker Compose |
||||
Grafana Grafana Stack |
||||
NGINX Reverse Proxy & Load Balancer |
||||
Keahlian Infrastruktur |
||||
Enterprise Data Center |
||||
Hybrid Infrastructure |
||||
High Availability |
||||
Disaster Recovery |
||||
Backup & Restore |
||||
Multi Domain Hosting |
||||
Multi Domain Mail Server |
||||
Reverse Proxy |
||||
Object Storage (S3) |
||||
Container Platform |
||||
Enterprise Monitoring |
||||
Centralized Logging |
||||
Endpoint Monitoring |
||||
Remote Device Management |
||||
Automation Platform |
||||
Pengembangan Aplikasi Enterprise |
||||
|
||||
Kami juga mengembangkan solusi internal berbasis microservices, antara lain: |
||||
|
||||
GeoNet Console |
||||
GeoNet Collector |
||||
GeoNet Agent |
||||
Asset Management |
||||
Enterprise Ticketing |
||||
Knowledge Base |
||||
Monitoring Dashboard |
||||
Notification Service |
||||
API Gateway |
||||
Product Catalog |
||||
License Management |
||||
CMDB |
||||
Workflow Automation |
||||
Nilai Tambah |
||||
Arsitektur berbasis Microservices |
||||
API First Architecture |
||||
Integrasi dengan Active Directory / LDAP |
||||
Multi Domain & Multi Tenant Ready |
||||
Dukungan REST API |
||||
Audit Trail & Logging |
||||
Monitoring Terpusat |
||||
Skalabel untuk pengembangan jangka panjang |
||||
Siap diintegrasikan dengan AI dan otomatisasi |
||||
Visi |
||||
|
||||
Menjadi penyedia solusi Enterprise IT Infrastructure, Data Center, GIS Platform, dan Managed Services yang mampu menghadirkan sistem yang sayal, aman, dan mudah dikembangkan untuk mendukung transformasi digital organisasi. |
||||
|
||||
Nilai yang Saya Lihat dari Pengalaman saya |
||||
|
||||
Dari diskusi kita selama ini, kekuatan utama saya bukan hanya sebagai IT Support, tetapi sebagai Enterprise Infrastructure Architect. saya mampu menggabungkan: |
||||
|
||||
Infrastruktur fisik dan virtual. |
||||
Operasional Data Center. |
||||
GIS Enterprise. |
||||
Pengembangan aplikasi. |
||||
Integrasi AI. |
||||
Otomatisasi proses bisnis. |
||||
|
||||
Ini merupakan kombinasi yang cukup jarang dimiliki dalam satu peran. Karena itu, jika company profile ini digunakan untuk penawaran jasa atau presentasi ke calon klien, saya menyarankan menonjolkan kemampuan end-to-end, yaitu mulai dari perencanaan infrastruktur, implementasi, integrasi aplikasi, hingga operasional dan dukungan purna jual, bukan hanya layanan teknis per komponen. |
||||
|
||||
Berikut contoh daftar pengalaman (Experience & Expertise) yang profesional untuk dimasukkan ke company profile (compro). Saya menyusunnya berdasarkan topik-topik yang sering saya kerjakan, sehingga mencerminkan kemampuan perusahaan secara menyeluruh tanpa mengklaim proyek tertentu yang belum disebutkan. |
||||
|
||||
Pengalaman & Keahlian |
||||
Enterprise Data Center |
||||
Perencanaan dan implementasi infrastruktur Data Center. |
||||
Pengelolaan server fisik dan virtual. |
||||
Stsayarisasi infrastruktur TI untuk lingkungan enterprise. |
||||
Perencanaan kapasitas (Capacity Planning) dan optimalisasi sumber daya. |
||||
Infrastruktur Server |
||||
Implementasi dan administrasi Windows Server. |
||||
Implementasi dan administrasi Linux Server. |
||||
Active Directory Domain Services (AD DS). |
||||
LDAP Authentication dan Single Sign-On (SSO). |
||||
Remote Administration dan Server Hardening. |
||||
Virtualisasi & Container |
||||
Implementasi Proxmox Virtual Environment. |
||||
Manajemen Virtual Machine. |
||||
Docker & Docker Compose. |
||||
Dockge untuk pengelolaan Docker Stack. |
||||
Arsitektur Microservices. |
||||
Enterprise GIS Infrastructure |
||||
ArcGIS Enterprise. |
||||
ArcGIS Server. |
||||
Portal for ArcGIS. |
||||
ArcGIS Online. |
||||
ArcGIS Pro. |
||||
GeoServer. |
||||
Integrasi GIS dengan sistem enterprise. |
||||
Database Management |
||||
Microsoft SQL Server. |
||||
PostgreSQL. |
||||
Backup & Restore. |
||||
Database Performance Tuning. |
||||
Database Monitoring. |
||||
High Availability dan Disaster Recovery. |
||||
Storage & Backup |
||||
QNAP NAS. |
||||
QNAP QuObjects (S3 Object Storage). |
||||
Network Attached Storage (NAS). |
||||
Backup Repository. |
||||
File Sharing Enterprise. |
||||
Sinkronisasi Data. |
||||
Enterprise Network |
||||
MikroTik RouterOS. |
||||
VLAN. |
||||
VPN. |
||||
Routing. |
||||
Firewall. |
||||
NAT. |
||||
Reverse Proxy (NGINX). |
||||
Multi Domain Hosting. |
||||
Monitoring & Observability |
||||
Grafana. |
||||
Loki. |
||||
Promtail. |
||||
Zabbix. |
||||
Uptime Kuma. |
||||
Dashboard Monitoring. |
||||
Centralized Logging. |
||||
Alerting & Notification. |
||||
Enterprise Mail System |
||||
Multi Domain Mail Server. |
||||
Integrasi LDAP / Active Directory. |
||||
SMTP, IMAP, POP3. |
||||
SPF, DKIM, DMARC. |
||||
API Integration. |
||||
Mail Security. |
||||
Automation Platform |
||||
Node-RED. |
||||
n8n. |
||||
Workflow Automation. |
||||
Scheduled Task. |
||||
Integrasi API antar sistem. |
||||
Asset Management |
||||
Inventarisasi perangkat TI. |
||||
Monitoring endpoint. |
||||
Hardware Lifecycle Management. |
||||
Software Inventory. |
||||
Warranty Tracking. |
||||
Asset Audit. |
||||
Enterprise Service Management |
||||
Helpdesk. |
||||
Incident Management. |
||||
Service Request Management. |
||||
Problem Management. |
||||
Change Management. |
||||
SLA Management. |
||||
Knowledge Base. |
||||
CMDB. |
||||
Software Development |
||||
Laravel. |
||||
FastAPI. |
||||
REST API. |
||||
Next.js. |
||||
React. |
||||
PostgreSQL. |
||||
Microservices Architecture. |
||||
API Gateway. |
||||
Enterprise Dashboard. |
||||
Integrasi AI |
||||
AI-assisted Development. |
||||
AI Documentation. |
||||
AI Knowledge Base. |
||||
AI Workflow Automation. |
||||
AI Monitoring. |
||||
AI Agent Integration. |
||||
Vendor & Product Support |
||||
Esri |
||||
ArcGIS Enterprise |
||||
ArcGIS Server |
||||
ArcGIS Pro |
||||
ArcGIS Online |
||||
Survey123 |
||||
Field Maps |
||||
Experience Builder |
||||
Blue Marble |
||||
Global Mapper |
||||
Global Mapper Pro |
||||
DataEast |
||||
XTools Pro |
||||
Solusi GIS pendukung |
||||
Microsoft |
||||
Windows Server |
||||
Active Directory |
||||
SQL Server |
||||
Microsoft 365 |
||||
Open Source Platform |
||||
PostgreSQL |
||||
GeoServer |
||||
Docker |
||||
NGINX |
||||
Grafana |
||||
Loki |
||||
Node-RED |
||||
n8n |
||||
Nilai Tambah |
||||
Enterprise Architecture Design. |
||||
Multi Domain & Multi Tenant Infrastructure. |
||||
Hybrid Infrastructure (On-Premise & Cloud Ready). |
||||
API First Architecture. |
||||
High Availability Design. |
||||
Disaster Recovery Planning. |
||||
Infrastruktur yang mudah dikembangkan (Scalable). |
||||
Integrasi antar sistem berbasis API. |
||||
Monitoring dan Logging Terpusat. |
||||
Otomatisasi operasional TI. |
||||
Dokumentasi teknis dan stsayarisasi implementasi. |
||||
Keunggulan Kompetitif |
||||
Pengalaman mengelola infrastruktur enterprise dari sisi jaringan, server, database, storage, hingga aplikasi. |
||||
Mampu mengintegrasikan solusi GIS dengan infrastruktur TI modern. |
||||
Berpengalaman membangun platform berbasis microservices yang siap dikembangkan. |
||||
Menguasai solusi berbasis open source maupun komersial. |
||||
Fokus pada keamanan, performa, skalabilitas, dan kemudahan operasional. |
||||
Mampu merancang solusi end-to-end mulai dari perencanaan, implementasi, integrasi, hingga pemeliharaan sistem. |
||||
|
||||
Daftar ini cocok digunakan pada company profile, proposal teknis, maupun dokumen penawaran layanan karena menampilkan kapabilitas secara profesional tanpa berlebihan atau mengklaim pengalaman spesifik yang belum didukung informasi. |
||||
@ -0,0 +1,22 @@
@@ -0,0 +1,22 @@
|
||||
# .env.example — server-audit (AMAN di-commit) |
||||
# Copy ke .env lokal jika skrip butuh konfigurasi (JANGAN commit .env) |
||||
|
||||
# --- SSH defaults (laptop developer) --- |
||||
SSH_USER_LINUX=root |
||||
SSH_PORT_LINUX=22 |
||||
SSH_MAC_LEGACY=hmac-sha1 |
||||
|
||||
# --- Host references (baca dari docs/server.md; jangan hardcode di skrip baru) --- |
||||
SSH_HOST_REVERSE_PROXY=10.100.1.24 |
||||
SSH_HOST_MAIN_DB=10.100.1.25 |
||||
SSH_HOST_OLLAMA=10.100.1.26 |
||||
SSH_HOST_MAILCOW=10.100.1.28 |
||||
SSH_HOST_MIKROTIK=10.100.1.1 |
||||
SSH_PORT_MIKROTIK=255 |
||||
|
||||
# --- Key paths (laptop, bukan di repo) --- |
||||
# SSH_KEY_GEONET_LAPTOP=%USERPROFILE%\.ssh\id_rsa_geonet_laptop |
||||
# SSH_KEY_MAILCOW=%USERPROFILE%\.ssh\id_ed25519_mailcow |
||||
# SSH_KEY_MIKROTIK=%USERPROFILE%\.ssh\id_rsa_mikrotik |
||||
|
||||
# Dokumentasi: docs/guide/ssh-access.md | docs/server.md |
||||
@ -0,0 +1,41 @@
@@ -0,0 +1,41 @@
|
||||
# AGENTS.md — Cold Start |
||||
|
||||
> Project: `server-audit/` |
||||
> Sesi terakhir: [docs/ai-session-summary.md](./docs/ai-session-summary.md) |
||||
> Peta lengkap: [docs/context-index.md](./docs/context-index.md) |
||||
> Env template: [.env.example](./.env.example) |
||||
|
||||
## Apa ini? |
||||
|
||||
SSOT inventori server GeoNet, audit infrastruktur, dan **runbook SSH key-based access** dari laptop Windows ke seluruh host di LAN `10.100.1.x`. |
||||
|
||||
## Aturan kritis |
||||
|
||||
- **SSOT SSH:** [docs/guide/ssh-access.md](./docs/guide/ssh-access.md) — jangan duplikasi detail key di chat |
||||
- **No hardcoded IP di skrip baru** — gunakan variabel / parameter; referensi host di [docs/server.md](./docs/server.md) |
||||
- Jangan commit private key, password, atau isi `~/.ssh/` ke repo |
||||
- Wajib **PowerShell** (bukan CMD) untuk `$env:USERPROFILE` dan pipe SSH |
||||
- Server RHEL/CentOS: `-m hmac-sha1` (alias `-o MACs=hmac-sha1`); log auth di `/var/log/secure` |
||||
- Server Ubuntu/Debian: log auth di `/var/log/auth.log`; biasanya tanpa `-m` |
||||
- No commit kecuali user minta eksplisit |
||||
- **Perubahan material:** append [docs/version.md](./docs/version.md) + update [host.md](./host.md) ringkas |
||||
|
||||
## Lanjut kerja |
||||
|
||||
``` |
||||
1. AGENTS.md |
||||
2. docs/ai-session-summary.md |
||||
3. STOP |
||||
4. On-demand: docs/guide/ssh-access.md, docs/server.md, host.md, docs/todo.md |
||||
``` |
||||
|
||||
## Pointer cepat |
||||
|
||||
| Butuh | Buka | |
||||
|-------|------| |
||||
| SSH setup / status key | [docs/guide/ssh-access.md](./docs/guide/ssh-access.md) | |
||||
| Quick SSH commands | [host.md](./host.md) | |
||||
| Inventori host | [docs/server.md](./docs/server.md) | |
||||
| Setup scripts | [scripts/](./scripts/) | |
||||
| Versi / riwayat | [docs/version.md](./docs/version.md) | |
||||
| Reverse proxy detail | [.cursor/infra-reverse-proxy.md](./.cursor/infra-reverse-proxy.md) | |
||||
@ -0,0 +1,7 @@
@@ -0,0 +1,7 @@
|
||||
# ADR Template |
||||
|
||||
Gunakan format `ADR-NNN-judul-kebab-case.md` di folder ini untuk keputusan arsitektur infra. |
||||
|
||||
Lihat `AI-Agent-Standards/templates/repo/adr-template.md` untuk template lengkap. |
||||
|
||||
Existing ADR legacy: [../.cursor/adr/](../.cursor/adr/) |
||||
@ -0,0 +1,28 @@
@@ -0,0 +1,28 @@
|
||||
# AI Session Summary |
||||
|
||||
```yaml |
||||
session: 2026-07-10-ssh-and-ad-ldap |
||||
project: server-audit/ |
||||
version: 0.1.8 |
||||
status: ready |
||||
next: Setup key Zabbix (.42) dan Main Webserver (.41) |
||||
agent: Cursor |
||||
``` |
||||
|
||||
## TL;DR |
||||
|
||||
- Bootstrap `server-audit/` docs standar + SSOT SSH [guide/ssh-access.md](./guide/ssh-access.md) |
||||
- Key laptop: `id_rsa_geonet_laptop` + `id_ed25519_mailcow`; alias di `~/.ssh/config` |
||||
- Key-only ✅: `.24` reverse-proxy, `.25` main-db, `.28` mailcow, `.26` ollama (`geonet`), `.40` ad-ldap (Win2012 R2) |
||||
- AD `.40`: UTF-8 no BOM + `administrators_authorized_keys` + `PubkeyAcceptedAlgorithms +ssh-rsa` |
||||
|
||||
## Lanjut dari sini |
||||
|
||||
1. `scripts/setup-ssh-*` untuk Zabbix `.42` / Webserver `.41` jika perlu |
||||
2. Runbook: [guide/ssh-access.md](./guide/ssh-access.md) | Quick: [host.md](../host.md) |
||||
|
||||
## Jangan |
||||
|
||||
- Jangan commit private key / password |
||||
- RHEL log: `/var/log/secure` (bukan `auth.log`) |
||||
- Wajib PowerShell (`$env:USERPROFILE`); Win admin key di ProgramData bukan `~\.ssh\authorized_keys` |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Changelog |
||||
|
||||
Format berdasarkan [Keep a Changelog](https://keepachangelog.com/). |
||||
|
||||
--- |
||||
|
||||
## [0.1.1] - 2026-07-10 |
||||
|
||||
### Added |
||||
|
||||
- `docs/guide/ssh-access.md` — SSOT runbook SSH key-based access |
||||
- `scripts/setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1` |
||||
- `scripts/ssh-config.example` — template `~/.ssh/config` |
||||
- `AGENTS.md`, `docs/context-index.md`, `docs/server.md`, `docs/system-requirements.md` |
||||
- `.env.example` dengan referensi host SSH |
||||
|
||||
### Changed |
||||
|
||||
- `host.md` — status key-only per host, link ke runbook |
||||
- `.cursor/server.md` — sinkron status SSH reverse-proxy |
||||
|
||||
### Documented |
||||
|
||||
- Sesi setup SSH laptop 2026-07-10 (reverse-proxy verified, Mailcow/DB pending) |
||||
- Perbedaan auth log RHEL (`/var/log/secure`) vs Ubuntu (`/var/log/auth.log`) |
||||
|
||||
--- |
||||
|
||||
## [0.1.0] - 2026-07-10 |
||||
|
||||
### Added |
||||
|
||||
- Struktur dokumentasi standar AI-Agent-Standards untuk `server-audit/` |
||||
@ -0,0 +1,50 @@
@@ -0,0 +1,50 @@
|
||||
# Context Index |
||||
|
||||
## Zona A — Always-read pointers |
||||
|
||||
| Item | Value | |
||||
|------|-------| |
||||
| Nama | server-audit | |
||||
| Path monorepo | `server-audit/` | |
||||
| Cold start | [../AGENTS.md](../AGENTS.md) | |
||||
| Sesi terakhir | [ai-session-summary.md](./ai-session-summary.md) | |
||||
| Priority aktif | [todo.md](./todo.md) | |
||||
| Server / infra | [server.md](./server.md) | |
||||
| SSH runbook (SSOT) | [guide/ssh-access.md](./guide/ssh-access.md) | |
||||
| Quick commands | [../host.md](../host.md) | |
||||
| System requirements | [system-requirements.md](./system-requirements.md) | |
||||
| Env template | [../.env.example](../.env.example) | |
||||
| Versi | 0.1.1 — [version.md](./version.md) | |
||||
| Stack | Markdown docs, PowerShell scripts, `.cursor/` legacy | |
||||
| Tipe | infra / docs-only | |
||||
| Last updated | 2026-07-10 | |
||||
|
||||
## Zona B — On-demand map |
||||
|
||||
### Dokumentasi inti |
||||
|
||||
| Dokumen | Isi | Kapan baca | |
||||
|---------|-----|------------| |
||||
| [guide/ssh-access.md](./guide/ssh-access.md) | Key-based SSH, alias, setup per host | Setup laptop baru / debug auth | |
||||
| [server.md](./server.md) | Inventori host/IP/role | Deploy / audit | |
||||
| [../host.md](../host.md) | Cheat sheet SSH cepat | Login harian | |
||||
| [../.cursor/infra-reverse-proxy.md](../.cursor/infra-reverse-proxy.md) | DNS, nginx, SSL `.24` | Troubleshoot domain | |
||||
| [../.cursor/server.md](../.cursor/server.md) | Mirror host.md (legacy `.cursor`) | Kompatibilitas agent lama | |
||||
|
||||
### Scripts |
||||
|
||||
| Script | Host | Kapan | |
||||
|--------|------|-------| |
||||
| [../scripts/setup-ssh-reverse-proxy.ps1](../scripts/setup-ssh-reverse-proxy.ps1) | `.24` | Laptop baru | |
||||
| [../scripts/setup-ssh-main-db.ps1](../scripts/setup-ssh-main-db.ps1) | `.25` | Laptop baru | |
||||
| [../scripts/setup-ssh-mailcow.ps1](../scripts/setup-ssh-mailcow.ps1) | `.28` | Laptop baru | |
||||
| [../scripts/setup-ssh-key-multimedia.ps1](../scripts/setup-ssh-key-multimedia.ps1) | `.14` | Di PC MULTIMEDIA | |
||||
|
||||
### Parent / sibling |
||||
|
||||
| Dokumen | Path | Kapan baca | |
||||
|---------|------|------------| |
||||
| Workspace registry | `Workspace-Context.md` | Navigasi monorepo | |
||||
| nginx detail | `nginx/docs/server.md` | Vhost `.24` | |
||||
| Mailcow detail | `Mailcow/docs/server.md` | VM `.28` | |
||||
| server-connection SSH | `server-connection/scripts/ssh-*.ps1` | Deploy app | |
||||
@ -0,0 +1,8 @@
@@ -0,0 +1,8 @@
|
||||
# Guide — server-audit |
||||
|
||||
| Dokumen | Isi | |
||||
|---------|-----| |
||||
| [ssh-access.md](./ssh-access.md) | **SSOT** SSH key-based access laptop → server | |
||||
| [migration.md](./migration.md) | Migrasi server/domain (checklist) | |
||||
|
||||
Quick SSH commands: [../host.md](../host.md) |
||||
@ -0,0 +1,29 @@
@@ -0,0 +1,29 @@
|
||||
# Migration Guide — Server & Domain |
||||
|
||||
**Owner:** `server-audit/` |
||||
Inventori host: [../server.md](../server.md) |
||||
SSH re-setup setelah migrasi laptop: [ssh-access.md](./ssh-access.md) |
||||
|
||||
--- |
||||
|
||||
## Migrasi laptop developer (SSH key) |
||||
|
||||
Saat pindah ke laptop/PC baru: |
||||
|
||||
1. Generate key sesuai [ssh-access.md](./ssh-access.md) (atau salin key dari backup aman — **bukan** via git) |
||||
2. Upload public key ke setiap host (one-liner per host) |
||||
3. Salin `~/.ssh/config` dari [scripts/ssh-config.example](../../scripts/ssh-config.example) |
||||
4. Verifikasi `KEY_AUTH_OK` per host |
||||
5. Update status di [host.md](../../host.md) dan [ssh-access.md](./ssh-access.md) |
||||
|
||||
--- |
||||
|
||||
## Inventori migrasi infra (TODO) |
||||
|
||||
| Item | Nilai saat ini | Nilai target | File update | |
||||
|------|----------------|--------------|-------------| |
||||
| Reverse proxy | `10.100.1.24` | — | `docs/server.md`, `host.md` | |
||||
| Main DB | `10.100.1.25` | — | `docs/server.md` | |
||||
| Mailcow | `10.100.1.28` | — | `Mailcow/docs/server.md` | |
||||
|
||||
> Isi detail saat migrasi pertama terjadi. |
||||
@ -0,0 +1,299 @@
@@ -0,0 +1,299 @@
|
||||
# SSH Key-Based Access — Runbook (SSOT) |
||||
|
||||
> **Last updated:** 2026-07-10 |
||||
> **Owner:** `server-audit/` |
||||
> Quick ref: [host.md](../../host.md) | Inventori: [server.md](../server.md) |
||||
|
||||
Dokumen ini adalah **Single Source of Truth** untuk setup SSH passwordless dari laptop Windows (OpenSSH) ke infrastruktur GeoNet. |
||||
|
||||
--- |
||||
|
||||
## Prasyarat |
||||
|
||||
| Item | Nilai | |
||||
|------|-------| |
||||
| Shell | **PowerShell** (bukan CMD) | |
||||
| Client | Windows OpenSSH (`ssh`, `scp`) | |
||||
| Network | Terhubung ke LAN `10.100.1.x` | |
||||
| Key storage | `%USERPROFILE%\.ssh\` (tidak di-commit ke git) | |
||||
|
||||
--- |
||||
|
||||
## Key inventory (laptop) |
||||
|
||||
| Key file | Algoritma | Dipakai untuk | Alias config | |
||||
|----------|-----------|---------------|--------------| |
||||
| `id_rsa_geonet_laptop` | RSA 4096 | `.24`, `.25`, `.26` (Linux root) | `reverse-proxy`, `main-db`, `ollama` | |
||||
| `id_ed25519_mailcow` | ed25519 | `.28` Mailcow | `mailcow` | |
||||
| `id_rsa_mikrotik` | RSA | MikroTik `.1` port 255 | — | |
||||
| `id_ed25519_geonet_proxmox` | ed25519 | Windows Server `.14`, `.51`, `.52` | `multimedia`, `dev51-base` | |
||||
| `id_ed25519` | ed25519 | QNAP `.10` | — | |
||||
|
||||
**Dibuat sesi 2026-07-10:** `id_rsa_geonet_laptop`, `id_ed25519_mailcow`, `~/.ssh/config` |
||||
|
||||
--- |
||||
|
||||
## `~/.ssh/config` (template) |
||||
|
||||
Salin ke `%USERPROFILE%\.ssh\config` di laptop: |
||||
|
||||
``` |
||||
Host reverse-proxy |
||||
HostName 10.100.1.24 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
|
||||
Host main-db |
||||
HostName 10.100.1.25 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
|
||||
Host ollama |
||||
HostName 10.100.1.26 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
|
||||
Host mailcow |
||||
HostName 10.100.1.28 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_ed25519_mailcow |
||||
IdentitiesOnly yes |
||||
``` |
||||
|
||||
Template file: [scripts/ssh-config.example](../../scripts/ssh-config.example) |
||||
|
||||
--- |
||||
|
||||
## Aturan MAC `hmac-sha1` |
||||
|
||||
Server **RHEL/CentOS** (reverse-proxy `.24`, main-db `.25`) membutuhkan: |
||||
|
||||
```powershell |
||||
-m hmac-sha1 |
||||
# setara: -o MACs=hmac-sha1 |
||||
``` |
||||
|
||||
Server **Ubuntu** (Ollama `.26`, Mailcow `.28`) biasanya **tanpa** flag `-m`. |
||||
|
||||
**SCP** ke server lama: gunakan `-o MACs=hmac-sha1` (bukan `-m`). |
||||
|
||||
--- |
||||
|
||||
## Setup per host |
||||
|
||||
### 1. Reverse proxy — `10.100.1.24` ✅ |
||||
|
||||
| Item | Nilai | |
||||
|------|-------| |
||||
| OS | RHEL/CentOS (`proxy`) | |
||||
| Key | `id_rsa_geonet_laptop` | |
||||
| Alias | `ssh reverse-proxy` | |
||||
| Status | **Key-only verified** 2026-07-10 | |
||||
|
||||
**Script (sekali):** |
||||
|
||||
```powershell |
||||
.\server-audit\scripts\setup-ssh-reverse-proxy.ps1 |
||||
``` |
||||
|
||||
**Manual one-liner:** |
||||
|
||||
```powershell |
||||
type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.24 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
``` |
||||
|
||||
**Verifikasi:** |
||||
|
||||
```powershell |
||||
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 root@10.100.1.24 -p 22 "echo KEY_AUTH_OK" |
||||
# atau: ssh reverse-proxy "echo KEY_AUTH_OK" |
||||
``` |
||||
|
||||
**Debug auth (RHEL):** |
||||
|
||||
```powershell |
||||
ssh -m hmac-sha1 root@10.100.1.24 -p 22 "grep sshd /var/log/secure | tail -20" |
||||
``` |
||||
|
||||
--- |
||||
|
||||
### 2. Main Database — `10.100.1.25` ✅ |
||||
|
||||
| Item | Nilai | |
||||
|------|-------| |
||||
| OS | RHEL/CentOS | |
||||
| Key | `id_rsa_geonet_laptop` (sama dengan `.24`) | |
||||
| Alias | `ssh main-db` | |
||||
| Status | **Key-only verified** 2026-07-10 | |
||||
|
||||
**Script:** |
||||
|
||||
```powershell |
||||
.\server-audit\scripts\setup-ssh-main-db.ps1 |
||||
``` |
||||
|
||||
**Manual:** |
||||
|
||||
```powershell |
||||
type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.25 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
``` |
||||
|
||||
--- |
||||
|
||||
### 3. Mailcow — `10.100.1.28` ✅ |
||||
|
||||
| Item | Nilai | |
||||
|------|-------| |
||||
| OS | Ubuntu (`mailserver`) | |
||||
| Key | `id_ed25519_mailcow` (dedicated) | |
||||
| Alias | `ssh mailcow` | |
||||
| Status | **Key-only verified** 2026-07-10 | |
||||
|
||||
**Script:** |
||||
|
||||
```powershell |
||||
.\server-audit\scripts\setup-ssh-mailcow.ps1 |
||||
``` |
||||
|
||||
**Manual (tanpa `-m`):** |
||||
|
||||
```powershell |
||||
type $env:USERPROFILE\.ssh\id_ed25519_mailcow.pub | ssh root@10.100.1.28 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
``` |
||||
|
||||
**Debug auth (Ubuntu):** |
||||
|
||||
```powershell |
||||
ssh root@10.100.1.28 -p 22 "grep sshd /var/log/auth.log | tail -20" |
||||
``` |
||||
|
||||
--- |
||||
|
||||
### 4. Ollama — `10.100.1.26` ✅ |
||||
|
||||
Key: `id_rsa_geonet_laptop` | User: **`geonet`** (bukan root) | Alias: `ssh ollama` |
||||
Status: **Key-only verified** 2026-07-10 |
||||
|
||||
```powershell |
||||
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 geonet@10.100.1.26 -p 22 "echo KEY_AUTH_OK" |
||||
# atau: ssh ollama "echo KEY_AUTH_OK" |
||||
``` |
||||
|
||||
> `root@10.100.1.26` belum di-setup key — gunakan `geonet` untuk operasional. |
||||
|
||||
--- |
||||
|
||||
### 5. MikroTik — `10.100.1.1` port 255 |
||||
|
||||
Key: `id_rsa_mikrotik` (RSA wajib — RouterOS 7.5) |
||||
|
||||
```powershell |
||||
ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha1 -p 255 admin@10.100.1.1 |
||||
``` |
||||
|
||||
Setup: `server-connection/scripts/setup-ssh-mikrotik.ps1` |
||||
|
||||
--- |
||||
|
||||
### 6. AD-LDAP — `10.100.1.40` (Windows Server 2012 R2) ✅ |
||||
|
||||
| Item | Nilai | |
||||
|------|-------| |
||||
| OS | Windows Server 2012 R2 (`ad-server`) | |
||||
| User | `Administrator` | |
||||
| Key (laptop ini) | `id_rsa_geonet_laptop` | |
||||
| Alias | `ssh ad-ldap` | |
||||
| Authorized keys file | `C:\ProgramData\ssh\administrators_authorized_keys` | |
||||
| Status | **Key-only verified** 2026-07-10 | |
||||
|
||||
**Penting Win2012 R2 / OpenSSH Windows:** |
||||
|
||||
- Akun Administrator **tidak** memakai `C:\Users\...\.ssh\authorized_keys` |
||||
- Wajib file: `C:\ProgramData\ssh\administrators_authorized_keys` |
||||
- ACL: hanya `SYSTEM` + `Administrators` (inheritance off) |
||||
- `sshd_config` harus punya: |
||||
|
||||
``` |
||||
Match Group administrators |
||||
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys |
||||
``` |
||||
|
||||
- MAC: `-m hmac-sha1` / `MACs hmac-sha1` |
||||
- Host key pertama kali: `StrictHostKeyChecking=accept-new` (script sudah set) |
||||
|
||||
**Script (PowerShell):** |
||||
|
||||
```powershell |
||||
.\server-audit\scripts\setup-ssh-ad-ldap.ps1 |
||||
``` |
||||
|
||||
**Verifikasi:** |
||||
|
||||
```powershell |
||||
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 Administrator@10.100.1.40 -p 22 "echo KEY_AUTH_OK" |
||||
# atau: ssh ad-ldap "echo KEY_AUTH_OK" |
||||
``` |
||||
|
||||
> Laptop lain / ArcGIS / MULTIMEDIA masih boleh pakai `id_ed25519_geonet_proxmox` — key berbeda, boleh keduanya di `administrators_authorized_keys`. |
||||
|
||||
### 7. Windows lain (Webserver, ArcGIS, MULTIMEDIA) |
||||
|
||||
Key legacy: `id_ed25519_geonet_proxmox` → `administrators_authorized_keys` |
||||
MULTIMEDIA `.14`: `scripts/setup-ssh-key-multimedia.ps1` |
||||
ArcGIS `.51`/`.52`: lihat [host.md](../../host.md) |
||||
|
||||
--- |
||||
|
||||
## Windows private key ACL |
||||
|
||||
Setelah generate key, perketat ACL (hindari error "permissions too open"): |
||||
|
||||
```powershell |
||||
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /inheritance:r |
||||
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /grant:r "${env:USERNAME}:(R)" |
||||
``` |
||||
|
||||
--- |
||||
|
||||
## Troubleshooting |
||||
|
||||
| Gejala | Penyebab | Solusi | |
||||
|--------|----------|--------| |
||||
| Masih minta password | Pubkey belum di `authorized_keys` | Jalankan setup script / one-liner upload | |
||||
| `grep: auth.log: No such file` | Server RHEL, bukan Debian | Pakai `/var/log/secure` | |
||||
| `no matching MAC` | Server SSH lama | Tambah `-m hmac-sha1` | |
||||
| `Permissions too open` | ACL Windows key | Jalankan `icacls` di atas | |
||||
| `$env:USERPROFILE` kosong / key not found | Pakai **CMD** bukan PowerShell | Buka PowerShell; di CMD pakai `%USERPROFILE%` | |
||||
| `Host key verification failed` | Host belum di `known_hosts` | Script pakai `accept-new`; atau `ssh-keygen -R 10.100.1.40` lalu connect ulang | |
||||
| Pubkey gagal di Administrator Windows | Key di `~\.ssh\authorized_keys` | Pindah ke `C:\ProgramData\ssh\administrators_authorized_keys` + ACL | |
||||
| `KEY_INSTALLED_OK` tapi `Permission denied (publickey)` | File UTF-16 (Add-Content WinPS) | Tulis ulang UTF-8 no BOM; jalankan ulang `setup-ssh-ad-ldap.ps1` | |
||||
|
||||
--- |
||||
|
||||
## Riwayat sesi 2026-07-10 |
||||
|
||||
1. Laptop baru: tidak ada `~/.ssh/config` dan private key |
||||
2. Generate `id_rsa_geonet_laptop` (RSA 4096, comment `geonet-laptop`) |
||||
3. Buat `~/.ssh/config` dengan alias `reverse-proxy`, `main-db`, `ollama`, `mailcow` |
||||
4. Upload pub key ke `.24` → `KEY_INSTALLED_OK` → `KEY_AUTH_OK` ✅ |
||||
5. Generate `id_ed25519_mailcow` untuk Mailcow `.28` |
||||
6. Buat script setup: `setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1` |
||||
7. Temuan: `.24` hostname `proxy`, OS RHEL — log di `/var/log/secure` |
||||
|
||||
**Duplikat script (backward compat):** |
||||
|
||||
| SSOT (server-audit) | Legacy | |
||||
|---------------------|--------| |
||||
| `server-audit/scripts/setup-ssh-reverse-proxy.ps1` | `server-connection/scripts/setup-ssh-reverse-proxy.ps1` | |
||||
| `server-audit/scripts/setup-ssh-main-db.ps1` | `server-connection/scripts/setup-ssh-main-db.ps1` | |
||||
| `server-audit/scripts/setup-ssh-mailcow.ps1` | `Mailcow/scripts/setup-ssh-key-simple.ps1` | |
||||
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
# Issues |
||||
|
||||
> Last updated: 2026-07-10 |
||||
|
||||
--- |
||||
|
||||
## Open |
||||
|
||||
*(belum ada issue terbuka)* |
||||
|
||||
--- |
||||
|
||||
## Known / Documented |
||||
|
||||
| ID | Ringkasan | Workaround | Ref | |
||||
|----|-----------|------------|-----| |
||||
| DOC-001 | `grep auth.log` gagal di RHEL `.24` | Pakai `/var/log/secure` | [ssh-access.md](./guide/ssh-access.md) | |
||||
| DOC-002 | Windows OpenSSH `$env:USERPROFILE` kosong di CMD | Wajib PowerShell | [ssh-access.md](./guide/ssh-access.md) | |
||||
|
||||
--- |
||||
|
||||
## Fixed |
||||
|
||||
| ID | Ringkasan | Fix | Tanggal | |
||||
|----|-----------|-----|---------| |
||||
| — | — | — | — | |
||||
@ -0,0 +1,22 @@
@@ -0,0 +1,22 @@
|
||||
# Project Status |
||||
|
||||
> Last updated: 2026-07-10 |
||||
|
||||
## Ringkasan |
||||
|
||||
`server-audit/` adalah SSOT inventori server GeoNet dan runbook SSH untuk laptop developer IT. |
||||
|
||||
## Progress |
||||
|
||||
| Area | Status | |
||||
|------|--------| |
||||
| Dokumentasi standar | ✅ Done (bootstrap 2026-07-10) | |
||||
| SSH runbook SSOT | ✅ Done | |
||||
| reverse-proxy `.24` key-only | ✅ Verified | |
||||
| Main DB `.25` key-only | ✅ Verified 2026-07-10 | |
||||
| Mailcow `.28` key-only | ✅ Verified 2026-07-10 | |
||||
| Ollama `.26` key-only (`geonet`) | ✅ Verified 2026-07-10 | |
||||
|
||||
## Next priority |
||||
|
||||
[Lihat todo.md](./todo.md) — Zabbix, AD, Webserver. |
||||
@ -0,0 +1,87 @@
@@ -0,0 +1,87 @@
|
||||
# Server Inventory — GeoNet LAN |
||||
|
||||
**Owner:** `server-audit/` |
||||
**Last updated:** 2026-07-10 |
||||
**Credential location:** Private key di `~/.ssh/` laptop; password server tidak didokumentasikan di repo. |
||||
|
||||
Cold start SSH: [guide/ssh-access.md](./guide/ssh-access.md) | Quick ref: [../host.md](../host.md) |
||||
|
||||
--- |
||||
|
||||
## Ringkasan |
||||
|
||||
| Field | Value | |
||||
|-------|-------| |
||||
| Project | `server-audit/` | |
||||
| Network | LAN `10.100.1.0/24` (+ `192.168.0.x` MikroTik) | |
||||
| Gateway | MikroTik `10.100.1.1` port 255 | |
||||
| Publik NAT | `117.102.73.x` → reverse-proxy `.24` | |
||||
|
||||
--- |
||||
|
||||
## Host / Server |
||||
|
||||
| Host / IP | Hostname | Env | Role | OS | SSH alias | Key laptop | MAC hmac-sha1 | |
||||
|-----------|----------|-----|------|-----|-----------|------------|---------------| |
||||
| `10.100.1.1` | — | prod | Gateway NAT/firewall | RouterOS | — | `id_rsa_mikrotik` | ✅ port 255 | |
||||
| `10.100.1.14` | MULTIMEDIA | dev | Workstation GIS | Windows 10 | `multimedia` | `id_ed25519_geonet_proxmox` | — | |
||||
| `10.100.1.24` | proxy | prod | Reverse proxy, Docker stacks | RHEL/CentOS | `reverse-proxy` | `id_rsa_geonet_laptop` | ✅ | |
||||
| `10.100.1.25` | — | prod | PostgreSQL + SQL Server | RHEL/CentOS | `main-db` | `id_rsa_geonet_laptop` | ✅ | |
||||
| `10.100.1.26` | aiopr | prod | Ollama inference CPU | Ubuntu 22.04 | `ollama` | `id_rsa_geonet_laptop` | ✅ | |
||||
| `10.100.1.28` | mailserver | prod | Mailcow dockerized | Ubuntu | `mailcow` | `id_ed25519_mailcow` | — | |
||||
| `10.100.1.40` | — | prod | Active Directory LDAP | Windows Server 2012 R2 | `ad-ldap` | `id_rsa_geonet_laptop` | ✅ | |
||||
| `10.100.1.41` | — | prod | Main webserver | Windows Server | — | TBD | ✅ | |
||||
| `10.100.1.42` | — | prod | Zabbix monitoring | Linux | — | TBD | ✅ | |
||||
| `10.100.1.51`–`.53` | — | dev | ArcGIS Enterprise | Windows Server | `dev51-base` | `id_ed25519_geonet_proxmox` | — | |
||||
| `10.100.1.10` | — | prod | QNAP NAS TS-932X | QTS | — | `id_ed25519` | opsional | |
||||
| `10.100.1.101` | — | dev | Proxmox Dev | Proxmox | — | — | — | |
||||
| `10.100.1.102` | — | prod | Proxmox Opr | Proxmox | — | — | — | |
||||
|
||||
**Status key-only (2026-07-10):** `.24`, `.25`, `.28`, `.26` (geonet) verified ✅ |
||||
|
||||
--- |
||||
|
||||
## Aplikasi & Runtime per Host |
||||
|
||||
| Host | Aplikasi | Jenis | Port | Path / Catatan | |
||||
|------|----------|-------|------|----------------| |
||||
| `.24` | nginx | reverse proxy | 443 | `/etc/nginx/conf.d/` | |
||||
| `.24` | Docker stacks | Docker Compose | — | `/opt/stacks/` (Dockge) | |
||||
| `.24` | GeoNet collector | Docker | 8000 | `geonetagent-collector` | |
||||
| `.25` | PostgreSQL 12 | DB | 5432 | `geonetagent_dev` | |
||||
| `.25` | SQL Server | DB | 1433 | — | |
||||
| `.26` | Ollama | systemd | 11434 | CPU inference | |
||||
| `.28` | Mailcow | Docker | 443 | `/opt/stacks/mailcow` | |
||||
| `.42` | Zabbix | monitoring | — | — | |
||||
|
||||
--- |
||||
|
||||
## Auth log per OS |
||||
|
||||
| OS family | Log path | |
||||
|-----------|----------| |
||||
| RHEL/CentOS (`.24`, `.25`) | `/var/log/secure` | |
||||
| Ubuntu/Debian (`.26`, `.28`) | `/var/log/auth.log` | |
||||
| journald (semua Linux) | `journalctl -u sshd -n 20` | |
||||
|
||||
--- |
||||
|
||||
## Mapping ke monorepo |
||||
|
||||
| Komponen | Path monorepo | |
||||
|----------|---------------| |
||||
| SSH SSOT | `server-audit/docs/guide/ssh-access.md` | |
||||
| nginx config docs | `nginx/` | |
||||
| Mailcow | `Mailcow/` | |
||||
| GeoNetAgent collector | `GeoNetAgent/` | |
||||
| Deploy scripts | `server-connection/scripts/` | |
||||
|
||||
--- |
||||
|
||||
## Catatan operasional |
||||
|
||||
- Laptop developer harus di jaringan `10.100.1.x` untuk SSH langsung |
||||
- SCP dari Windows ke Linux lama: `-o MACs=hmac-sha1` |
||||
- Windows Server SSH: public key ke `C:\ProgramData\ssh\administrators_authorized_keys` |
||||
|
||||
**Jangan:** password, private key, API token di file ini. |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# System Requirements — server-audit |
||||
|
||||
> Last updated: 2026-07-10 |
||||
|
||||
## Tipe project |
||||
|
||||
Dokumentasi infra + PowerShell scripts — tidak ada runtime aplikasi. |
||||
|
||||
## Laptop developer (SSH client) |
||||
|
||||
| Tool | Versi minimum | Catatan | |
||||
|------|---------------|---------| |
||||
| Windows | 10/11 | OpenSSH Client terinstall | |
||||
| PowerShell | 5.1+ | Wajib untuk skrip SSH | |
||||
| OpenSSH | bawaan Windows | `ssh`, `scp`, `ssh-keygen` | |
||||
|
||||
## Server target |
||||
|
||||
| OS | Host contoh | SSH notes | |
||||
|----|-------------|-----------| |
||||
| RHEL/CentOS | `.24`, `.25` | `-m hmac-sha1`, log `/var/log/secure` | |
||||
| Ubuntu 22.04 | `.26`, `.28` | Tanpa `-m`, log `/var/log/auth.log` | |
||||
| Windows Server | `.40`, `.41`, `.51` | `administrators_authorized_keys` | |
||||
| RouterOS 7.5 | `.1` | RSA key, port 255 | |
||||
|
||||
## Variabel konfigurasi |
||||
|
||||
Lihat [.env.example](../.env.example) — referensi host IP untuk skrip (bukan secret). |
||||
|
||||
## Aturan |
||||
|
||||
- No hardcode IP di skrip baru — gunakan parameter atau baca `.env` |
||||
- Private key hanya di `~/.ssh/`, tidak di repo |
||||
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
# TODO |
||||
|
||||
> Last updated: 2026-07-10 |
||||
> Sesi terakhir: [ai-session-summary.md](./ai-session-summary.md) |
||||
|
||||
--- |
||||
|
||||
## High Priority |
||||
|
||||
- [ ] Setup key Zabbix `10.100.1.42` |
||||
- [ ] Setup key Main Webserver `10.100.1.41` (Windows) |
||||
|
||||
--- |
||||
|
||||
## Low Priority |
||||
|
||||
- [ ] Dokumentasi alias `~/.ssh/config` untuk MikroTik dan QNAP |
||||
- [ ] Sinkron `Workspace-Context.md` path lokal laptop (`F:\geonetinfomedia`) |
||||
|
||||
--- |
||||
|
||||
## Selesai (Sesi Ini) |
||||
|
||||
- [x] Bootstrap docs + SSOT SSH runbook |
||||
- [x] Key-only: `.24` `.25` `.28` `.26`(geonet) `.40`(ad-ldap) |
||||
- [x] Script setup SSH + `setup-ssh-ad-ldap.ps1` (UTF-8 / Win2012) |
||||
@ -0,0 +1,74 @@
@@ -0,0 +1,74 @@
|
||||
# Version History |
||||
|
||||
**Owner:** riwayat versi `server-audit/` — **APPEND** setiap perubahan material. |
||||
|
||||
--- |
||||
|
||||
## [0.1.8] - 2026-07-10 |
||||
|
||||
- AD-LDAP `10.100.1.40` (`ad-server`): key-only verified (`KEY_AUTH_OK`) |
||||
- Login: `ssh ad-ldap` |
||||
|
||||
--- |
||||
|
||||
## [0.1.7] - 2026-07-10 |
||||
|
||||
- AD `.40`: force overwrite authorized_keys; dual write ProgramData + profile; enable `ssh-rsa`; uncomment Match Group |
||||
- Client: `PubkeyAcceptedAlgorithms +ssh-rsa` di alias `ad-ldap` |
||||
|
||||
--- |
||||
|
||||
## [0.1.6] - 2026-07-10 |
||||
|
||||
- Fix AD `.40` setup: tulis `administrators_authorized_keys` sebagai **UTF-8 no BOM** (bukan UTF-16 dari Add-Content) |
||||
- ACL ketat SYSTEM + Administrators only |
||||
|
||||
--- |
||||
|
||||
## [0.1.5] - 2026-07-10 |
||||
|
||||
- Script SSH key-only AD-LDAP `.40` (Win2012 R2): `scripts/setup-ssh-ad-ldap.ps1` |
||||
- Alias `ad-ldap` di `~/.ssh/config` + `ssh-config.example` |
||||
- Key: `id_rsa_geonet_laptop` → `administrators_authorized_keys` (bukan user profile authorized_keys) |
||||
|
||||
--- |
||||
|
||||
## [0.1.4] - 2026-07-10 |
||||
|
||||
- Ollama `10.100.1.26`: key-only verified untuk user `geonet` (`KEY_AUTH_OK`) |
||||
- Alias `ssh ollama` diupdate ke `User geonet` di `~/.ssh/config` |
||||
|
||||
--- |
||||
|
||||
## [0.1.3] - 2026-07-10 |
||||
|
||||
- Mailcow `10.100.1.28`: key-only verified (`KEY_AUTH_OK`) via PowerShell |
||||
- Login: `ssh mailcow` |
||||
- Catatan: perintah dengan `$env:USERPROFILE` gagal di CMD — wajib PowerShell |
||||
|
||||
--- |
||||
|
||||
## [0.1.2] - 2026-07-10 |
||||
|
||||
- Main DB `10.100.1.25`: key-only verified (`KEY_AUTH_OK`) |
||||
- Login: `ssh main-db` |
||||
|
||||
--- |
||||
|
||||
## [0.1.1] - 2026-07-10 |
||||
|
||||
- Dokumentasi SSOT SSH key-based access: `docs/guide/ssh-access.md` |
||||
- Bootstrap struktur docs standar AI-Agent-Standards (`AGENTS.md`, `docs/*`) |
||||
- Setup laptop: `id_rsa_geonet_laptop` + `id_ed25519_mailcow` + `~/.ssh/config` |
||||
- reverse-proxy `.24`: key-only verified (`KEY_AUTH_OK`) |
||||
- Script setup: `setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1` |
||||
- Temuan operasional: RHEL `.24` log auth di `/var/log/secure` (bukan `auth.log`) |
||||
- Update `host.md` dengan status key dan link ke runbook |
||||
|
||||
--- |
||||
|
||||
## [0.1.0] - 2026-07-10 |
||||
|
||||
- Bootstrap dokumentasi standar (AGENTS.md + docs/) |
||||
- Inisialisasi project `server-audit` sebagai SSOT inventori server GeoNet |
||||
- Migrasi referensi dari `host.md` dan `.cursor/server.md` ke struktur `docs/` |
||||
@ -0,0 +1,169 @@
@@ -0,0 +1,169 @@
|
||||
# Setup SSH key — Administrator@10.100.1.40 (AD LDAP, Windows Server 2012 R2) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\server-audit\scripts\setup-ssh-ad-ldap.ps1 |
||||
# Sekali jalan: password Administrator 1–2x (scp + ssh), lalu key-only. |
||||
# Wajib PowerShell (bukan CMD). |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.40' |
||||
$SshUser = 'Administrator' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop' |
||||
$pub = "$key.pub" |
||||
$aliasName = 'ad-ldap' |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
# Pub key LF-only |
||||
$tempPub = Join-Path $env:TEMP 'geonet_ad_ldap_key.pub' |
||||
$keyLine = (Get-Content $pub -Raw).Trim() -replace "`r", "" |
||||
[System.IO.File]::WriteAllText($tempPub, $keyLine + "`n") |
||||
|
||||
# Remote installer (Windows OpenSSH — Administrator) |
||||
# FORCE overwrite UTF-8 no BOM; tulis ke administrators_authorized_keys + profile fallback |
||||
$remotePs = @' |
||||
$ErrorActionPreference = "Stop" |
||||
$authFile = "C:\ProgramData\ssh\administrators_authorized_keys" |
||||
$userAuthDir = "C:\Users\Administrator\.ssh" |
||||
$userAuthFile = Join-Path $userAuthDir "authorized_keys" |
||||
$sshDir = "C:\ProgramData\ssh" |
||||
$sshdConfig = "C:\ProgramData\ssh\sshd_config" |
||||
$pubPath = Join-Path $env:TEMP "geonet_ad_ldap_key.pub" |
||||
if (-not (Test-Path $pubPath)) { throw "Missing $pubPath — scp failed?" } |
||||
$keyLine = [System.IO.File]::ReadAllText($pubPath).Trim() -replace "`r","" -replace "`0","" |
||||
if ($keyLine -notmatch "^ssh-") { throw "Invalid pubkey content" } |
||||
if (-not (Test-Path $sshDir)) { New-Item -ItemType Directory -Path $sshDir | Out-Null } |
||||
|
||||
$utf8 = New-Object System.Text.UTF8Encoding $false |
||||
# FORCE overwrite — jangan merge file korup UTF-16 lama |
||||
[System.IO.File]::WriteAllText($authFile, $keyLine + "`n", $utf8) |
||||
Write-Host "FORCE wrote administrators_authorized_keys (UTF-8 no BOM)" |
||||
|
||||
function Fix-AclAdminOnly([string]$path) { |
||||
$acl = Get-Acl $path |
||||
$acl.SetAccessRuleProtection($true, $false) |
||||
@($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) } |
||||
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow"))) |
||||
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow"))) |
||||
Set-Acl -Path $path -AclObject $acl |
||||
} |
||||
Fix-AclAdminOnly $authFile |
||||
Write-Host "ACL ProgramData OK" |
||||
|
||||
# Fallback: profile authorized_keys (jika Match Group di-comment) |
||||
if (-not (Test-Path $userAuthDir)) { New-Item -ItemType Directory -Path $userAuthDir | Out-Null } |
||||
[System.IO.File]::WriteAllText($userAuthFile, $keyLine + "`n", $utf8) |
||||
$uacl = Get-Acl $userAuthFile |
||||
$uacl.SetAccessRuleProtection($true, $false) |
||||
@($uacl.Access) | ForEach-Object { [void]$uacl.RemoveAccessRule($_) } |
||||
$uacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow"))) |
||||
$uacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow"))) |
||||
$uacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrator","FullControl","Allow"))) |
||||
Set-Acl -Path $userAuthFile -AclObject $uacl |
||||
Write-Host "Wrote profile authorized_keys fallback" |
||||
|
||||
if (Test-Path $sshdConfig) { |
||||
$cfg = Get-Content $sshdConfig -Raw |
||||
# Uncomment Match Group administrators if commented |
||||
$cfg = $cfg -replace "(?m)^#\s*Match Group administrators","Match Group administrators" |
||||
$cfg = $cfg -replace "(?m)^#\s*AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys"," AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys" |
||||
if ($cfg -match "(?m)^#?\s*PubkeyAuthentication\s+no") { |
||||
$cfg = $cfg -replace "(?m)^#?\s*PubkeyAuthentication\s+no","PubkeyAuthentication yes" |
||||
Write-Host "Enabled PubkeyAuthentication" |
||||
} |
||||
if ($cfg -notmatch "(?m)^\s*PubkeyAuthentication\s+yes") { |
||||
$cfg = "PubkeyAuthentication yes`r`n" + $cfg |
||||
Write-Host "Inserted PubkeyAuthentication yes" |
||||
} |
||||
# Allow ssh-rsa for older Win32-OpenSSH / mixed client |
||||
if ($cfg -notmatch "(?m)^\s*PubkeyAccepted") { |
||||
$cfg = $cfg.TrimEnd() + "`r`nPubkeyAcceptedKeyTypes ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa`r`n" |
||||
Write-Host "Added PubkeyAcceptedKeyTypes (+ssh-rsa)" |
||||
} |
||||
if ($cfg -notmatch "(?m)^\s*Match Group administrators") { |
||||
$cfg = $cfg.TrimEnd() + "`r`n`r`nMatch Group administrators`r`n AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys`r`n" |
||||
Write-Host "Added Match Group administrators block" |
||||
} |
||||
[System.IO.File]::WriteAllText($sshdConfig, $cfg, $utf8) |
||||
Write-Host "sshd_config updated" |
||||
} |
||||
|
||||
Write-Host "--- diagnostics ---" |
||||
Write-Host ("auth bytes: " + (Get-Item $authFile).Length) |
||||
$bytes = [System.IO.File]::ReadAllBytes($authFile) |
||||
Write-Host ("first3: " + $bytes[0] + "," + $bytes[1] + "," + $bytes[2] + " (expect 115,115,104 = ssh)") |
||||
Select-String -Path $sshdConfig -Pattern "Match Group|AuthorizedKeysFile|PubkeyAuth|PubkeyAccepted" | ForEach-Object { $_.Line } |
||||
Get-Service sshd | Format-List Status, Name |
||||
Restart-Service sshd -Force |
||||
Start-Sleep -Seconds 2 |
||||
Write-Host "KEY_INSTALLED_OK" |
||||
'@ |
||||
|
||||
$tempRemote = Join-Path $env:TEMP 'setup-ad-ldap-authorized-keys.ps1' |
||||
# Remote script must be CRLF-friendly for Windows PowerShell; keep as-is |
||||
[System.IO.File]::WriteAllText($tempRemote, $remotePs) |
||||
|
||||
$commonOpts = @( |
||||
'-o', 'PreferredAuthentications=password', |
||||
'-o', 'PubkeyAuthentication=no', |
||||
'-o', 'StrictHostKeyChecking=accept-new', |
||||
'-o', 'MACs=hmac-sha1' |
||||
) |
||||
# scp: -P (port). ssh: -p (port) + -m hmac-sha1 |
||||
$scpOpts = $commonOpts + @('-P', '22') |
||||
$sshOpts = $commonOpts + @('-m', 'hmac-sha1', '-p', '22') |
||||
|
||||
Write-Host "Upload pub + installer ke ${SshUser}@${hostIp} (password)..." |
||||
scp @scpOpts $tempPub "${SshUser}@${hostIp}:C:/Users/Administrator/AppData/Local/Temp/geonet_ad_ldap_key.pub" |
||||
scp @scpOpts $tempRemote "${SshUser}@${hostIp}:C:/Users/Administrator/AppData/Local/Temp/setup-ad-ldap-authorized-keys.ps1" |
||||
|
||||
Write-Host "Run installer on server..." |
||||
ssh @sshOpts "${SshUser}@${hostIp}" "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Users\Administrator\AppData\Local\Temp\setup-ad-ldap-authorized-keys.ps1" |
||||
|
||||
Remove-Item $tempPub, $tempRemote -Force -ErrorAction SilentlyContinue |
||||
|
||||
# Ensure local ssh config alias |
||||
$configPath = Join-Path $env:USERPROFILE '.ssh\config' |
||||
$block = @" |
||||
|
||||
Host $aliasName |
||||
HostName $hostIp |
||||
User $SshUser |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
PubkeyAcceptedAlgorithms +ssh-rsa |
||||
"@ |
||||
|
||||
if (-not (Test-Path $configPath)) { |
||||
Set-Content -Path $configPath -Value $block.TrimStart() -Encoding UTF8 |
||||
Write-Host "Created ~/.ssh/config with Host $aliasName" |
||||
} elseif (-not (Select-String -Path $configPath -Pattern "Host\s+$aliasName" -Quiet)) { |
||||
Add-Content -Path $configPath -Value $block |
||||
Write-Host "Appended Host $aliasName to ~/.ssh/config" |
||||
} else { |
||||
Write-Host "Host $aliasName already in ~/.ssh/config" |
||||
} |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
# Win2012 OpenSSH sering butuh ssh-rsa eksplisit dari client baru |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -o PubkeyAcceptedAlgorithms=+ssh-rsa -m hmac-sha1 "${SshUser}@${hostIp}" -p 22 "echo KEY_AUTH_OK & hostname" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal. Cek di server (password sekali):" |
||||
Write-Host " ssh -m hmac-sha1 ${SshUser}@${hostIp} -p 22 `"powershell -Command Get-Content C:\ProgramData\ssh\administrators_authorized_keys`"" |
||||
Write-Host " Pastikan OpenSSH Server terpasang & sshd running." |
||||
Write-Host " Win2012 R2: Match Group administrators -> administrators_authorized_keys" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh $aliasName" |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Setup SSH key — root@10.100.1.28 (Mailcow VM, Ubuntu) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\server-audit\scripts\setup-ssh-mailcow.ps1 |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.28' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_ed25519_mailcow' |
||||
$pub = "$key.pub" |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t ed25519 -f $key -C 'geonet-mailcow' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
Write-Host "Upload public key ke root@${hostIp} (password 1x)..." |
||||
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey "root@${hostIp}" -p 22 "echo KEY_AUTH_OK" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal — cek auth log (password sekali):" |
||||
Write-Host " ssh root@${hostIp} -p 22 `"grep sshd /var/log/auth.log | tail -20`"" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh mailcow" |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Setup SSH key — root@10.100.1.25 (main-db / PostgreSQL + SQL Server) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\server-audit\scripts\setup-ssh-main-db.ps1 |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.25' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop' |
||||
$pub = "$key.pub" |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
Write-Host "Upload public key ke root@${hostIp} (password 1x)..." |
||||
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal — cek auth log (password sekali):" |
||||
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`"" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh main-db" |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Setup SSH key — root@10.100.1.24 (reverse-proxy / nginx + Docker) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\server-audit\scripts\setup-ssh-reverse-proxy.ps1 |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.24' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop' |
||||
$pub = "$key.pub" |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
Write-Host "Upload public key ke root@${hostIp} (password 1x)..." |
||||
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal — cek auth log (password sekali):" |
||||
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`"" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh reverse-proxy" |
||||
@ -0,0 +1,43 @@
@@ -0,0 +1,43 @@
|
||||
# GeoNet infra — salin ke %USERPROFILE%\.ssh\config |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Wajib PowerShell. MAC hmac-sha1 untuk RHEL/CentOS. |
||||
|
||||
Host reverse-proxy |
||||
HostName 10.100.1.24 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
|
||||
Host main-db |
||||
HostName 10.100.1.25 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
|
||||
Host ollama |
||||
HostName 10.100.1.26 |
||||
User geonet |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
|
||||
Host mailcow |
||||
HostName 10.100.1.28 |
||||
User root |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_ed25519_mailcow |
||||
IdentitiesOnly yes |
||||
|
||||
Host ad-ldap |
||||
HostName 10.100.1.40 |
||||
User Administrator |
||||
Port 22 |
||||
IdentityFile ~/.ssh/id_rsa_geonet_laptop |
||||
IdentitiesOnly yes |
||||
MACs hmac-sha1 |
||||
PubkeyAcceptedAlgorithms +ssh-rsa |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Setup SSH key — root@10.100.1.25 (main-db / PostgreSQL + SQL Server) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\server-connection\scripts\setup-ssh-main-db.ps1# Sekali jalan: minta password root 1x, lalu login key-only. |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.25' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop' |
||||
$pub = "$key.pub" |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
Write-Host "Upload public key ke root@${hostIp} (password 1x)..." |
||||
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal — cek auth log (password sekali):" |
||||
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`"" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh main-db" |
||||
@ -0,0 +1,33 @@
@@ -0,0 +1,33 @@
|
||||
# Setup SSH key — root@10.100.1.24 (reverse-proxy / nginx + Docker) |
||||
# SSOT: server-audit/docs/guide/ssh-access.md |
||||
# Usage: .\server-connection\scripts\setup-ssh-reverse-proxy.ps1# Sekali jalan: minta password root 1x, lalu login key-only. |
||||
|
||||
$ErrorActionPreference = 'Stop' |
||||
$hostIp = '10.100.1.24' |
||||
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop' |
||||
$pub = "$key.pub" |
||||
|
||||
if (-not (Test-Path $pub)) { |
||||
Write-Host "Generating key $key ..." |
||||
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""' |
||||
} |
||||
|
||||
Write-Host "Fixing private key ACL..." |
||||
icacls $key /inheritance:r 2>$null | Out-Null |
||||
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null |
||||
|
||||
Write-Host "Upload public key ke root@${hostIp} (password 1x)..." |
||||
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK" |
||||
|
||||
Write-Host "" |
||||
Write-Host "Test key-only..." |
||||
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK" |
||||
|
||||
if ($LASTEXITCODE -ne 0) { |
||||
Write-Host "" |
||||
Write-Host "Masih gagal — cek auth log (password sekali):" |
||||
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`"" |
||||
exit 1 |
||||
} |
||||
|
||||
Write-Host "Success. Login: ssh reverse-proxy" |
||||