Browse Source

docs: handover SSH key-only SSOT and Mailcow Jalur B E2E

Bootstrap server-audit docs/runbooks; passwordless SSH for .24/.25/.28/.26/.40;
apply Jalur B for 25 geonet mailboxes with support@ verified to byprakoso@.
master
Budi Setiawan 7 days ago
parent
commit
c958b343ed
  1. BIN
      Mailcow/docs/ai-session-summary.md
  2. 31
      Mailcow/docs/changelog.md
  3. 1
      Mailcow/docs/issues.md
  4. 55
      Mailcow/docs/notes/hybrid-migration-cpanel-mailcow.md
  5. 11
      Mailcow/docs/todo.md
  6. 23
      Mailcow/docs/version.md
  7. 42
      Mailcow/scripts/Apply-JalurB-LDAPUsers.ps1
  8. 160
      Mailcow/scripts/setup-jalur-b-batch.sh
  9. 33
      Mailcow/scripts/setup-ssh-key-simple.ps1
  10. 2
      Workspace-Context.md
  11. 37
      Workspace-Session.md
  12. 43
      me/AGENTS.md
  13. 124
      me/PT. MULTIATUR SISTEM SOLUSI.md
  14. 299
      me/company-profile-pt-multiatur.md
  15. BIN
      me/compro-preview/page-01.png
  16. BIN
      me/compro-preview/page-02.png
  17. BIN
      me/compro-preview/page-03.png
  18. BIN
      me/compro-preview/page-04.png
  19. BIN
      me/compro-preview/page-05.png
  20. BIN
      me/compro-preview/page-06.png
  21. BIN
      me/compro-preview/page-07.png
  22. BIN
      me/compro-preview/page-08.png
  23. BIN
      me/compro-preview/page-09.png
  24. 81
      me/docs/ai-session-summary.md
  25. 23
      me/docs/changelog.md
  26. 66
      me/docs/context-index.md
  27. 26
      me/docs/issues.md
  28. 11
      me/docs/project-status.md
  29. 43
      me/docs/todo.md
  30. 9
      me/docs/version.md
  31. 275
      me/me.md
  32. 13
      server-audit/.cursor/server.md
  33. 22
      server-audit/.env.example
  34. 41
      server-audit/AGENTS.md
  35. 7
      server-audit/docs/adr/000-template.md
  36. 28
      server-audit/docs/ai-session-summary.md
  37. 33
      server-audit/docs/changelog.md
  38. 50
      server-audit/docs/context-index.md
  39. 8
      server-audit/docs/guide/README.md
  40. 29
      server-audit/docs/guide/migration.md
  41. 299
      server-audit/docs/guide/ssh-access.md
  42. 26
      server-audit/docs/issues.md
  43. 22
      server-audit/docs/project-status.md
  44. 87
      server-audit/docs/server.md
  45. 33
      server-audit/docs/system-requirements.md
  46. 26
      server-audit/docs/todo.md
  47. 74
      server-audit/docs/version.md
  48. 38
      server-audit/host.md
  49. 7
      server-audit/perintah.md
  50. 169
      server-audit/scripts/setup-ssh-ad-ldap.ps1
  51. 33
      server-audit/scripts/setup-ssh-mailcow.ps1
  52. 33
      server-audit/scripts/setup-ssh-main-db.ps1
  53. 33
      server-audit/scripts/setup-ssh-reverse-proxy.ps1
  54. 43
      server-audit/scripts/ssh-config.example
  55. 33
      server-connection/scripts/setup-ssh-main-db.ps1
  56. 33
      server-connection/scripts/setup-ssh-reverse-proxy.ps1
  57. 19
      server-connection/scripts/ssh-remote.ps1

BIN
Mailcow/docs/ai-session-summary.md

Binary file not shown.

31
Mailcow/docs/changelog.md

@ -4,6 +4,37 @@ Format [Keep a Changelog](https://keepachangelog.com/). Ringkasan: [version.md]( @@ -4,6 +4,37 @@ Format [Keep a Changelog](https://keepachangelog.com/). Ringkasan: [version.md](
---
## [1.2.8] - 2026-07-10
### Verified
- `support@geonet.co.id``byprakoso@geonet.co.id` sampai inbox **cPanel** (Jalur B E2E)
---
## [1.2.7] - 2026-07-10
### Changed
- Applied Jalur B untuk 25 mailbox `@geonet.co.id` (kecuali `support@`)
- AD `Mail-Users` confirmed: hanya `support`
### Verified
- `postmap` `byprakoso@` → transport cPanel `:587`
- `support@` tanpa transport map (delivery lokal Mailcow)
---
## [1.2.6] - 2026-07-10
### Added
- `scripts/setup-jalur-b-batch.sh` — Jalur B massal (inactive + transport map), skip `support@`
- `scripts/Apply-JalurB-LDAPUsers.ps1` — upload + jalankan via `ssh mailcow`
- Prosedur batch di `docs/notes/hybrid-migration-cpanel-mailcow.md`
### Changed
- Kebijakan hybrid: LDAP user selain `support@` → Jalur B agar terima mail dari `support@` di cPanel
---
## [1.2.5] - 2026-07-06
### Changed

1
Mailcow/docs/issues.md

@ -12,6 +12,7 @@ @@ -12,6 +12,7 @@
## Resolved
- ISS-009 support@ → cPanel users tanpa transport — Jalur B batch 25 users (2026-07-10)
- ISS-006 Internal mail cPanel user — transport Jalur B `rbsetiawan@` (2026-07-06)
- ISS-003 SOGo Unauthorized (2026-07-03)
- ISS-004 Gmail 550 relay (2026-07-03)

55
Mailcow/docs/notes/hybrid-migration-cpanel-mailcow.md

@ -75,6 +75,61 @@ Verifikasi Postfix: `postmap -q rbsetiawan@geonet.co.id mysql:/opt/postfix/conf/ @@ -75,6 +75,61 @@ Verifikasi Postfix: `postmap -q rbsetiawan@geonet.co.id mysql:/opt/postfix/conf/
---
## Batch Jalur B — semua LDAP kecuali `support@` (2026-07-10) ✅ applied
**Status:** Applied 2026-07-10 — `applied=25`, `skipped_jalur_a=1` (`support@`)
**Tujuan:** `support@` (Jalur A) bisa mengirim ke user `@geonet.co.id` lain yang masih baca di cPanel.
| Role | Email | Jalur |
|------|-------|-------|
| Tetap Mailcow | `support@geonet.co.id` | **A** (jangan diubah) |
| Hybrid cPanel | 25 mailbox `@geonet.co.id` lain | **B** ✅ |
### AD Mail-Users (verified 2026-07-10)
```
net group Mail-Users /domain
Members: support (hanya)
```
Dicek via `ssh ad-ldap` — tidak perlu perubahan AD tambahan.
### Jalankan dari laptop (PowerShell)
```powershell
# 1) Dry-run — list kandidat, tidak ubah DB
.\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 -DryRun
# 2) Apply semua kecuali support@
.\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1
# 3) Hanya user tertentu
.\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 -Only "byprakoso@geonet.co.id,rianjawa93@geonet.co.id"
```
Script server: `scripts/setup-jalur-b-batch.sh`
Per user: `scripts/setup-transport-cpanel-user.sh user@geonet.co.id`
### Yang dilakukan script (per user, kecuali KEEP_ACTIVE)
1. `mailbox.active = 0`
2. Insert/update **transport map**`[sc138.idcloudhosting.cloud]:587` (kredensial dari relayhost id=1)
3. Aktifkan alias jika ada
4. `postfix reload`
### Verifikasi
```powershell
ssh mailcow "docker exec mailcowdockerized-postfix-mailcow-1 postmap -q byprakoso@geonet.co.id mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf"
```
Tes: kirim dari `support@` → user Jalur B → cek **inbox cPanel**.
**E2E verified 2026-07-10:** `support@``byprakoso@geonet.co.id` ✅ (inbox cPanel)
---
## Kebijakan tim (rekomendasi)
| Fase user | Grup `Mail-Users` | Mailbox Mailcow | Baca email via |

11
Mailcow/docs/todo.md

@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
# TODO — Mailcow
> Last updated: 2026-07-06
> Last updated: 2026-07-10
---
@ -32,8 +32,7 @@ @@ -32,8 +32,7 @@
## Selesai (Sesi Ini)
- [x] Jalur B `rbsetiawan@`: transport map + verified `support@` → cPanel
- [x] Domain `gisportal.id` + mailbox `admin@gisportal.id` + SOGo
- [x] Forwarding hosts whitelist inbound gisportal
- [x] SPF `gisportal.id`: `v=spf1 ip4:117.102.73.102 -all` (Master Web, propagasi OK)
- [x] Scripts + docs dual-domain (`gisportal-id-mail.md`, hybrid migration)
- [x] Verifikasi `support@``byprakoso@` inbox cPanel ✅ (v1.2.8)
- [x] AD `Mail-Users` = hanya `support`; Jalur B batch 25 mailbox applied
- [x] Scripts Jalur B + docs hybrid / ISS-009 resolved
- [x] Domain `gisportal.id` + SPF OK (DKIM masih open)

23
Mailcow/docs/version.md

@ -7,6 +7,29 @@ Sinkron dengan [changelog.md](./changelog.md). @@ -7,6 +7,29 @@ Sinkron dengan [changelog.md](./changelog.md).
---
## [1.2.8] - 2026-07-10
- Verified: `support@geonet.co.id``byprakoso@geonet.co.id` (inbox cPanel) OK — Jalur B end-to-end
---
## [1.2.7] - 2026-07-10
- Jalur B batch **applied** di Mailcow: 25 mailbox `@geonet.co.id` → inactive + transport cPanel `:587`
- AD `Mail-Users` verified: hanya `support` (via `ssh ad-ldap`)
- `support@` tetap Jalur A; Postfix `byprakoso@` transport OK
---
## [1.2.6] - 2026-07-10
- Jalur B batch: semua mailbox `@geonet.co.id` kecuali `support@` (Jalur A tetap)
- Script: `setup-jalur-b-batch.sh`, `Apply-JalurB-LDAPUsers.ps1`
- Doc: prosedur batch di `notes/hybrid-migration-cpanel-mailcow.md`
- Prasyarat: keluarkan user dari AD `Mail-Users` kecuali `support`
---
## [1.2.5] - 2026-07-06
- SPF `gisportal.id` dipublish di Master Web: `v=spf1 ip4:117.102.73.102 -all`

42
Mailcow/scripts/Apply-JalurB-LDAPUsers.ps1

@ -0,0 +1,42 @@ @@ -0,0 +1,42 @@
# Apply Jalur B (hybrid cPanel transport) for all @geonet.co.id except support@
# SSOT: Mailcow/docs/notes/hybrid-migration-cpanel-mailcow.md
# Usage:
# .\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 -DryRun
# .\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1
# .\Mailcow\scripts\Apply-JalurB-LDAPUsers.ps1 -Only "byprakoso@geonet.co.id,user2@geonet.co.id"
#
# Wajib PowerShell. SSH: ssh mailcow (key id_ed25519_mailcow).
param(
[switch]$DryRun,
[string]$Only = "",
[string]$RemoteHost = "mailcow"
)
$ErrorActionPreference = 'Stop'
$ScriptDir = $PSScriptRoot
$LocalSh = Join-Path $ScriptDir 'setup-jalur-b-batch.sh'
$RemoteSh = '/tmp/setup-jalur-b-batch.sh'
if (-not (Test-Path $LocalSh)) {
throw "Script not found: $LocalSh"
}
# LF-only for bash on Linux
$tempSh = Join-Path $env:TEMP 'setup-jalur-b-batch.sh'
$content = (Get-Content $LocalSh -Raw) -replace "`r", ""
[System.IO.File]::WriteAllText($tempSh, $content)
Write-Host "Upload $LocalSh -> ${RemoteHost}:$RemoteSh"
scp $tempSh "${RemoteHost}:${RemoteSh}"
$argsRemote = 'bash ' + $RemoteSh
if ($DryRun) { $argsRemote += ' --dry-run' }
if ($Only) { $argsRemote += " --only '$Only'" }
$argsRemote += '; rm -f ' + $RemoteSh
Write-Host "Run: ssh $RemoteHost `"$argsRemote`""
ssh $RemoteHost $argsRemote
Remove-Item $tempSh -Force -ErrorAction SilentlyContinue
Write-Host "Finished."

160
Mailcow/scripts/setup-jalur-b-batch.sh

@ -0,0 +1,160 @@ @@ -0,0 +1,160 @@
#!/bin/bash
# Jalur B batch: semua mailbox @geonet.co.id kecuali Jalur A (support@)
# — inactive mailbox + transport map → cPanel :587
#
# Prasyarat AD (manual): keluarkan user dari grup Mail-Users (kecuali support@)
# agar LDAP sync tidak mengaktifkan ulang mailbox.
#
# Usage (di server Mailcow / dalam stack):
# ./setup-jalur-b-batch.sh # apply semua kecuali support@
# ./setup-jalur-b-batch.sh --dry-run # hanya list + cek
# ./setup-jalur-b-batch.sh --only byprakoso@geonet.co.id,user2@geonet.co.id
# KEEP_ACTIVE=support@geonet.co.id ./setup-jalur-b-batch.sh
#
# Single-user: setup-transport-cpanel-user.sh user@geonet.co.id
set -euo pipefail
DRY_RUN=0
ONLY_LIST=""
KEEP_ACTIVE="${KEEP_ACTIVE:-support@geonet.co.id}"
NEXTHOP="${TRANSPORT_NEXTHOP:-[sc138.idcloudhosting.cloud]:587}"
RELAYHOST_ID="${TRANSPORT_RELAYHOST_ID:-1}"
DOMAIN="${MAIL_DOMAIN:-geonet.co.id}"
MYSQL_C='mailcowdockerized-mysql-mailcow-1'
POSTFIX_C='mailcowdockerized-postfix-mailcow-1'
PHP_C='mailcowdockerized-php-fpm-mailcow-1'
while [ $# -gt 0 ]; do
case "$1" in
--dry-run) DRY_RUN=1; shift ;;
--only) ONLY_LIST="${2:-}"; shift 2 ;;
-h|--help)
sed -n '2,16p' "$0"
exit 0
;;
*)
echo "Unknown arg: $1"
exit 1
;;
esac
done
mysql_q() {
docker exec "$MYSQL_C" bash -lc "mysql mailcow -uroot -p\"\$MYSQL_ROOT_PASSWORD\" -N -e \"$1\""
}
mysql_exec() {
docker exec "$MYSQL_C" bash -lc "mysql mailcow -uroot -p\"\$MYSQL_ROOT_PASSWORD\" -e \"$1\""
}
is_kept() {
local e="$1"
local k
IFS=',' read -ra _keep <<< "$KEEP_ACTIVE"
for k in "${_keep[@]}"; do
k="$(echo "$k" | tr -d '[:space:]')"
[ -z "$k" ] && continue
[ "$e" = "$k" ] && return 0
done
return 1
}
in_only() {
local e="$1"
[ -z "$ONLY_LIST" ] && return 0
local o
IFS=',' read -ra _only <<< "$ONLY_LIST"
for o in "${_only[@]}"; do
o="$(echo "$o" | tr -d '[:space:]')"
[ -z "$o" ] && continue
[ "$e" = "$o" ] && return 0
done
return 1
}
apply_one() {
local EMAIL="$1"
echo "---- ${EMAIL} ----"
if [ "$DRY_RUN" = "1" ]; then
MB=$(mysql_q "SELECT username, active, authsource FROM mailbox WHERE username='${EMAIL}';")
TR=$(mysql_q "SELECT COUNT(*) FROM transports WHERE destination='${EMAIL}';")
echo "mailbox: ${MB:-MISSING}"
echo "transport_rows: ${TR:-0}"
echo "dry-run: would set active=0 + transport -> ${NEXTHOP}"
return 0
fi
mysql_exec "UPDATE mailbox SET active=0 WHERE username='${EMAIL}';"
MB=$(mysql_q "SELECT username, active, authsource FROM mailbox WHERE username='${EMAIL}';")
echo "mailbox after: ${MB:-MISSING}"
CNT=$(mysql_q "SELECT COUNT(*) FROM transports WHERE destination='${EMAIL}';")
if [ "${CNT}" = "0" ]; then
mysql_exec "
INSERT INTO transports (destination, nexthop, username, password, is_mx_based, active)
SELECT '${EMAIL}', '${NEXTHOP}', r.username, r.password, 0, 1
FROM relayhosts r
WHERE r.id=${RELAYHOST_ID} AND r.active=1
LIMIT 1;
"
echo "transport: INSERT"
else
mysql_exec "
UPDATE transports t
JOIN relayhosts r ON r.id=${RELAYHOST_ID} AND r.active=1
SET t.nexthop='${NEXTHOP}', t.username=r.username, t.password=r.password, t.active=1
WHERE t.destination='${EMAIL}';
"
echo "transport: UPDATE"
fi
ALIAS=$(mysql_q "SELECT COUNT(*) FROM alias WHERE address='${EMAIL}';")
if [ "${ALIAS}" != "0" ]; then
mysql_exec "UPDATE alias SET active=1 WHERE address='${EMAIL}';"
echo "alias: active=1"
else
echo "alias: none"
fi
docker exec "$POSTFIX_C" postmap -q "${EMAIL}" mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf || true
}
echo "== Jalur B batch =="
echo "KEEP_ACTIVE (Jalur A): ${KEEP_ACTIVE}"
echo "NEXTHOP: ${NEXTHOP}"
echo "DRY_RUN: ${DRY_RUN}"
[ -n "$ONLY_LIST" ] && echo "ONLY: ${ONLY_LIST}"
echo "== LDAP sync =="
docker exec "$PHP_C" php /crons/ldap-sync.php || true
echo "== Candidates (@${DOMAIN}) =="
mapfile -t ALL < <(mysql_q "SELECT username FROM mailbox WHERE username LIKE '%@${DOMAIN}' ORDER BY username;")
APPLIED=0
SKIPPED=0
for EMAIL in "${ALL[@]}"; do
[ -z "$EMAIL" ] && continue
if is_kept "$EMAIL"; then
echo "SKIP (Jalur A): ${EMAIL}"
SKIPPED=$((SKIPPED + 1))
continue
fi
if ! in_only "$EMAIL"; then
continue
fi
apply_one "$EMAIL"
APPLIED=$((APPLIED + 1))
done
if [ "$DRY_RUN" = "0" ] && [ "$APPLIED" -gt 0 ]; then
echo "== Reload postfix =="
docker exec "$POSTFIX_C" postfix reload
fi
echo ""
echo "DONE. applied=${APPLIED} skipped_jalur_a=${SKIPPED}"
echo "Manual AD: remove Jalur B users from Mail-Users (keep support@)."
echo "Test: support@ -> each user; verify inbox on cPanel."

33
Mailcow/scripts/setup-ssh-key-simple.ps1

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Setup SSH key — root@10.100.1.28 (Mailcow VM, Ubuntu)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\Mailcow\scripts\setup-ssh-key-simple.ps1# Sekali jalan: minta password root 1x, lalu login key-only.
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.28'
$key = Join-Path $env:USERPROFILE '.ssh\id_ed25519_mailcow'
$pub = "$key.pub"
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t ed25519 -f $key -C 'geonet-mailcow' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
Write-Host "Upload public key ke root@${hostIp} (password 1x)..."
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Write-Host ""
Write-Host "Test key-only..."
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey "root@${hostIp}" -p 22 "echo KEY_AUTH_OK"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal — cek auth log (password sekali):"
Write-Host " ssh root@${hostIp} -p 22 `"grep sshd /var/log/auth.log | tail -20`""
exit 1
}
Write-Host "Success. Login: ssh mailcow"

2
Workspace-Context.md

@ -43,6 +43,8 @@ Workspace ini berisi beberapa repository. **Jangan analisis semuanya sekaligus** @@ -43,6 +43,8 @@ Workspace ini berisi beberapa repository. **Jangan analisis semuanya sekaligus**
| **PC-Multimedia** | `PC-Multimedia/` | (monorepo) | [`PC-Multimedia/AGENTS.md`](PC-Multimedia/AGENTS.md) | Workstation MULTIMEDIA `10.100.1.14` |
| **mysupperapps_FE_PWA** | `mysupperapps_FE_PWA/` *(gitignored)* | `git.gisportal.id/rbsetiawan/mysupperapps-fe-pwa` | [`mysupperapps_FE_PWA/AGENTS.md`](mysupperapps_FE_PWA/AGENTS.md) | FE PWA `my.gisportal.id` |
| **AI-Agent-Standards** | `AI-Agent-Standards/` | (monorepo) | [`AI-Agent-Standards/README.md`](AI-Agent-Standards/README.md) | **SSOT** template docs & handover |
| **server-audit** | `server-audit/` | (monorepo) | [`server-audit/AGENTS.md`](server-audit/AGENTS.md) | SSOT inventori server + SSH runbook |
| **me** | `me/` | (monorepo) | [`me/AGENTS.md`](me/AGENTS.md) | Company profile PT. Multiatur + catatan kapabilitas (docs-only) |
**Catatan `mysupperapps_FE_PWA`:**
- Repo Git **terpisah** — folder lokal di-ignore di monorepo.

37
Workspace-Session.md

@ -1,26 +1,22 @@ @@ -1,26 +1,22 @@
# Workspace Session
> Last updated: 2026-07-09 — overwrite per handover
> Last updated: 2026-07-10 — overwrite per handover
---
## Active focus
### GeoNetAgent (`GeoNetAgent/`)
### Mailcow (`Mailcow/`)
**IT Support + PWA ✅:** migrations 009/010, API kasus+lampiran, global stats/list, asset ticket counts. PWA `/support`, profil device riwayat tiket, asset-mgmt owner fix. Next: QNAP S3 lampiran prod; migration 005 procurement.
**Jalur B E2E ✅ v1.2.8:** AD `Mail-Users` = hanya `support`; 25 mailbox inactive + transport cPanel. Verified `support@``byprakoso@` inbox cPanel. Next: DKIM `gisportal.id` (Master Web); SPF/DKIM `geonet.co.id`; Zammad IMAP/SMTP.
### mysupperapps_FE_PWA (`mysupperapps_FE_PWA/` — repo terpisah)
### server-audit (`server-audit/`)
**v1.6.0 deployed ✅:** IT Support tab, profil Device Saya + riwayat tiket, asset-mgmt tiket count + owner LDAP display_name. SW v8. Next: `/ticketing` Zammad; cleanup `scripts/patch_*`.
**SSH laptop SSOT ✅ v0.1.8:** key-only `.24`/`.25`/`.28`/`.26`(geonet)/`.40`(ad-ldap). Runbook: `docs/guide/ssh-access.md`. Next: Zabbix `.42`, Webserver `.41`.
### nginx (`nginx/`)
### me (`me/`) — Company Profile Multiatur
**SSL geonet SSOT ✅:** cert di `.24`; renewal ~Agustus 2026. Next: jangan commit cert private ke git.
### Ollama / AI Onprem (`Ollama/`)
NAS indexing WIP (uncommitted). Next: handover terpisah jika di-commit.
**Compro markdown ✅ + Figma 5/9 ⏸:** SSOT `company-profile-pt-multiatur.md`. Figma blocked MCP Starter. Cold start: [me/AGENTS.md](me/AGENTS.md).
---
@ -28,11 +24,11 @@ NAS indexing WIP (uncommitted). Next: handover terpisah jika di-commit. @@ -28,11 +24,11 @@ NAS indexing WIP (uncommitted). Next: handover terpisah jika di-commit.
| Project | Version | Session summary | Status |
|---------|---------|-----------------|--------|
| **Mailcow** | 1.2.8 | [Mailcow/docs/ai-session-summary.md](Mailcow/docs/ai-session-summary.md) | Jalur B E2E OK |
| **server-audit** | 0.1.8 | [server-audit/docs/ai-session-summary.md](server-audit/docs/ai-session-summary.md) | SSH key-only multi-host |
| **me** | 0.1.0 | [me/docs/ai-session-summary.md](me/docs/ai-session-summary.md) | Compro Figma blocked |
| **GeoNetAgent** | 0.1.19-collector-support-pwa | [GeoNetAgent/docs/ai-session-summary.md](GeoNetAgent/docs/ai-session-summary.md) | Support API+deploy |
| **mysupperapps_FE_PWA** | 1.6.0 | [mysupperapps_FE_PWA/docs/ai-session-summary.md](mysupperapps_FE_PWA/docs/ai-session-summary.md) | IT Support PWA live |
| **nginx** | 1.1.0 | [nginx/docs/ai-session-summary.md](nginx/docs/ai-session-summary.md) | SSL — uncommitted certs |
| **Ollama** | 0.4.0 | [Ollama/docs/ai-session-summary.md](Ollama/docs/ai-session-summary.md) | NAS WIP |
| **geonet-console** | ai-fase3.1 | [server-connection/geonet-console/docs/ai-session-summary.md](server-connection/geonet-console/docs/ai-session-summary.md) | — |
---
@ -40,14 +36,15 @@ NAS indexing WIP (uncommitted). Next: handover terpisah jika di-commit. @@ -40,14 +36,15 @@ NAS indexing WIP (uncommitted). Next: handover terpisah jika di-commit.
| Area | Impact |
|------|--------|
| `collector.gisportal.id` | Support API + asset ticket counts — PWA pakai `NEXT_PUBLIC_COLLECTOR_TOKEN` |
| `my.gisportal.id` | `/support`, profil, asset-management — repo PWA terpisah |
| PostgreSQL `.25` | `asset_support_*`, `document_attachments`, `asset_change_events` |
| `ssh ad-ldap` / `ssh mailcow` | Key-only — kelola `Mail-Users` + Jalur B tanpa password |
| `support@``@geonet.co.id` Jalur B | Relay transport cPanel `:587`; inbox canonical cPanel |
| `gisportal.id` | SPF OK; **DKIM belum** publish Master Web |
| `me/` ↔ Figma MCP | Compro lanjut butuh Full seat / kuota |
---
## Next agent
1. [GeoNetAgent/AGENTS.md](GeoNetAgent/AGENTS.md) + [ai-session-summary](GeoNetAgent/docs/ai-session-summary.md)
2. [mysupperapps_FE_PWA/docs/ai-session-summary.md](mysupperapps_FE_PWA/docs/ai-session-summary.md) — repo sendiri
3. Guide: `GeoNetAgent/docs/guide/asset-support-troubleshooting.md`
1. Mailcow DKIM: [Mailcow/AGENTS.md](Mailcow/AGENTS.md) → [ai-session-summary](Mailcow/docs/ai-session-summary.md) → [notes/gisportal-id-mail.md](Mailcow/docs/notes/gisportal-id-mail.md)
2. Atau SSH host lain: [server-audit/AGENTS.md](server-audit/AGENTS.md) → [guide/ssh-access.md](server-audit/docs/guide/ssh-access.md)
3. Compro: [me/AGENTS.md](me/AGENTS.md) jika lanjut Figma

43
me/AGENTS.md

@ -0,0 +1,43 @@ @@ -0,0 +1,43 @@
# AGENTS.md - Cold Start
<!-- STRATEGY: UPDATE JARANG | Baca PERTAMA saat buka project. Max ~40 baris. -->
> Project: `me/`
> Sesi terakhir: [docs/ai-session-summary.md](./docs/ai-session-summary.md)
> Peta lengkap (on-demand): [docs/context-index.md](./docs/context-index.md)
## Apa ini?
Dokumen pribadi & company profile **PT. Multiatur Sistem Solusi** (CIO: Rian Budi Setiawan) — kapabilitas teknis, compro markdown, referensi PDF, dan desain Figma.
## Aturan kritis
- Ini **docs-only** — bukan aplikasi runtime; jangan hardcode secret perusahaan
- Company profile resmi + kapabilitas enterprise digabung di `company-profile-pt-multiatur.md`
- Desain Figma compro: lanjut dari file yang sudah ada (jangan buat file baru tanpa alasan)
- Figma MCP: Starter plan terbatas; untuk Cursor tulis desain butuh **Full seat** (Dev = baca/MCP, tanpa Design)
- No commit kecuali user minta eksplisit
- Pengetahuan penting wajib ke `docs/` — jangan hanya di chat
## Lanjut kerja (urutan baca)
```
1. AGENTS.md <- Anda di sini
2. docs/ai-session-summary.md <- TL;DR + Lanjut + Jangan
3. STOP - mulai kerja
4. On-demand: docs/todo.md | docs/issues.md | docs/context-index.md
```
**Rolling session memory = hanya** `docs/ai-session-summary.md`.
## Pointer cepat
| Butuh | Buka |
|-------|------|
| Priority | [docs/todo.md](./docs/todo.md) |
| Compro markdown | [company-profile-pt-multiatur.md](./company-profile-pt-multiatur.md) |
| Kapabilitas teknis (sumber) | [me.md](./me.md) |
| Profil resmi OCR | [PT. MULTIATUR SISTEM SOLUSI.md](./PT.%20MULTIATUR%20SISTEM%20SOLUSI.md) |
| PDF contoh desain | `Compro PT Multiatur Sistem Solusi v13_*.pdf` |
| Preview halaman PDF | [compro-preview/](./compro-preview/) |
| Bug / blocker | [docs/issues.md](./docs/issues.md) |

124
me/PT. MULTIATUR SISTEM SOLUSI.md

@ -0,0 +1,124 @@ @@ -0,0 +1,124 @@
PROFIL PERUSAHAAN
PT. MULTIATUR SISTEM SOLUSI
Website:
www.multiatur.com
Tentang Kami
PT. Multiatur Sistem Solusi adalah perusahaan yang bergerak dalam bidang perdagangan dan pengadaan peralatan dan perlengkapan komunikasi yang berdiri sejak tahun 2023.
PT. Multiatur Sistem Solusi beralamat di:
Ruko Tanjung Mas Raya B1/37, Jagakarsa,
Tanjung Barat, Jakarta Selatan 12530
PT. Multiatur Sistem Solusi senantiasa menyediakan produk dan layanan terbaik bagi para klien kami yang memiliki latar belakang beragam, baik swasta maupun lembaga pemerintahan.
Kepercayaan klien kami merupakan kebanggaan tersendiri bagi segenap tim di Multiatur Sistem Solusi, juga menjadi motivasi untuk terus berkembang menjadi perusahaan penyedia peralatan dan perlengkapan komunikasi yang terdepan.
Bidang Usaha
Software Development
Membuat perangkat lunak atau implementasi produk yang dibuat khusus, Business Analytics, Social Analytics dan Business Intelligence.
System Solution
Memberikan solusi sistem untuk Anda, meliputi:
Perangkat Keras
Perangkat Lunak
Jaringan
Manajemen Server
Sistem
Pusat Data (Data Center)
dan lainnya
Visi
Menjadi perusahaan penyedia peralatan dan perlengkapan komunikasi yang terpercaya.
Dalam mencapai tujuan tersebut, segenap tim di Multiatur Sistem Solusi terus memastikan layanan dan dukungan terbaik kepada setiap klien kami.
Layanan Kami
Surveillance
IP PABX
Data Center & Storage
PA System
Biometric
Message Blast
AI System
Sistem Monitoring
Turnstiles
Warehouse Management
Energy Solution System
Teknologi / Vendor
Beberapa vendor yang terlihat pada dokumen:
QNAP
Hikvision
ZKTeco
(Terdapat beberapa logo lain namun kualitas OCR tidak cukup baik untuk diidentifikasi secara akurat.)
Beberapa Klien
Logo yang terlihat antara lain:
PT EMI (Persero)
Energy Management Indonesia
HERA
(Dokumen hanya menampilkan logo sehingga daftar lengkap klien tidak dapat dipastikan dari OCR.)
Management
Adiya Mugi Raharja
CEO
"Kita menilai diri kita dengan cara mengukur dari apa yang kita rasa mampu untuk kerjakan, sedangkan orang lain mengukur kita dengan mengukur dari apa yang telah kita lakukan."
Muhamad Jejen
CTO
Rian Budi Setiawan
CIO
Muhamad Fahmi
CSO
Kontak
PT. Multiatur Sistem Solusi
Ruko Tanjung Mas Raya B1/37
Jagakarsa, Tanjung Barat
Jakarta Selatan 12530
Telepon:
021-27873814
Email:
admin@multiatur.com
Website:
www.multiatur.com
Evaluasi Dokumen
Setelah melihat isi company profile, saya memiliki beberapa saran agar tampil lebih modern dan lebih kuat secara bisnis:
Aspek Kondisi Saat Ini Rekomendasi
Desain ⭐⭐⭐⭐☆ Sudah menarik, bisa dibuat lebih modern dengan layout yang lebih lega.
Isi ⭐⭐☆☆☆ Terlalu umum, belum menunjukkan kompetensi teknis perusahaan.
Pengalaman ⭐☆☆☆☆ Belum ada daftar pengalaman atau portofolio proyek.
Infrastruktur ❌ Belum menjelaskan kemampuan Data Center, Cloud, atau Enterprise Infrastructure.
Teknologi ⭐⭐☆☆☆ Hanya menampilkan logo vendor, belum menjelaskan keahlian pada masing-masing solusi.
Nilai Tambah ❌ Belum ada diferensiasi dibanding kompetitor.
Roadmap Layanan ❌ Belum menjelaskan layanan end-to-end dari konsultasi hingga managed service.
Melihat diskusi kita selama ini, saya yakin company profile ini dapat ditingkatkan menjadi profil perusahaan kelas enterprise dengan fokus pada Data Center, Enterprise Infrastructure, GIS Solutions, Cyber Security, AI Integration, dan Managed IT Services, sehingga jauh lebih kuat saat dipresentasikan kepada perusahaan besar maupun instansi pemerintah.

299
me/company-profile-pt-multiatur.md

@ -0,0 +1,299 @@ @@ -0,0 +1,299 @@
# Company Profile
# PT. Multiatur Sistem Solusi
**Enterprise IT Infrastructure · Data Center · GIS Platform · System Solution · Managed Services**
| | |
|---|---|
| **Website** | [www.multiatur.com](https://www.multiatur.com) |
| **Telepon** | 021-27873814 |
| **Email** | admin@multiatur.com |
| **Alamat** | Ruko Tanjung Mas Raya B1/37, Jagakarsa, Tanjung Barat, Jakarta Selatan 12530 |
| **Berdiri** | 2023 |
---
## Tentang Kami
**PT. Multiatur Sistem Solusi** adalah perusahaan yang bergerak dalam bidang perdagangan dan pengadaan peralatan serta perlengkapan komunikasi, sekaligus penyedia solusi sistem dan infrastruktur TI enterprise. Perusahaan berdiri sejak tahun **2023** dan berkantor di Jakarta Selatan.
Kami senantiasa menyediakan produk dan layanan terbaik bagi klien dengan latar belakang beragam — baik swasta maupun lembaga pemerintahan. Kepercayaan klien merupakan kebanggaan sekaligus motivasi bagi segenap tim untuk terus berkembang menjadi perusahaan penyedia solusi komunikasi dan infrastruktur TI yang terdepan.
Di samping pengadaan perangkat, kami juga menghadirkan layanan **Enterprise IT Infrastructure**, **Data Center**, **GIS Platform**, **Cloud**, dan **Managed Services**. Dengan pengalaman membangun dan mengelola lingkungan *hybrid infrastructure* berbasis Windows, Linux, virtualisasi, serta sistem geospasial enterprise, kami menghadirkan solusi yang **aman**, **terintegrasi**, dan **mudah dikembangkan**.
Kami menempatkan diri sebagai mitra *end-to-end*: mulai dari perencanaan infrastruktur, implementasi, integrasi aplikasi, hingga operasional dan dukungan purna jual.
---
## Visi
Menjadi perusahaan penyedia peralatan, perlengkapan komunikasi, dan solusi Enterprise IT Infrastructure yang **terpercaya** — menghadirkan sistem yang **andal**, **aman**, dan **mudah dikembangkan** untuk mendukung transformasi digital organisasi.
Dalam mencapai tujuan tersebut, segenap tim di Multiatur Sistem Solusi terus memastikan layanan dan dukungan terbaik kepada setiap klien.
---
## Bidang Usaha
### Software Development
Membuat perangkat lunak atau implementasi produk yang dibuat khusus, termasuk Business Analytics, Social Analytics, dan Business Intelligence.
### System Solution
Memberikan solusi sistem menyeluruh, meliputi:
- Perangkat Keras
- Perangkat Lunak
- Jaringan
- Manajemen Server
- Sistem
- Pusat Data (Data Center)
- dan layanan terkait lainnya
---
## Positioning
Kekuatan kami mencakup pengadaan perangkat komunikasi sekaligus kemampuan sebagai **Enterprise Infrastructure Architect** yang menggabungkan:
- Infrastruktur fisik dan virtual
- Operasional Data Center
- GIS Enterprise
- Pengembangan aplikasi
Kombinasi ini memungkinkan kami merancang dan mengelola solusi secara menyeluruh — dari pengadaan perangkat hingga arsitektur dan aplikasi.
---
## Layanan Kami
### Solusi Sistem & Komunikasi
| Layanan | Deskripsi singkat |
|---------|-------------------|
| **Surveillance** | Sistem pengawasan berbasis IP / CCTV |
| **IP PABX** | Komunikasi telepon berbasis IP |
| **Data Center & Storage** | Infrastruktur pusat data dan penyimpanan |
| **PA System** | Public Address System |
| **Biometric** | Sistem biometrik & akses |
| **Message Blast** | Layanan pesan massal |
| **AI System** | Solusi berbasis kecerdasan buatan |
| **Sistem Monitoring** | Monitoring operasional & infrastruktur |
| **Turnstiles** | Sistem akses & kontrol pintu putar |
| **Warehouse Management** | Manajemen gudang |
| **Energy Solution System** | Solusi energi |
### Layanan Enterprise IT Infrastructure
| Kategori | Layanan |
|----------|---------|
| **Data Center** | Perencanaan, implementasi, migrasi, dan pengelolaan Data Center |
| **Server Infrastructure** | Windows Server, Linux Server, Virtual Machine, High Availability |
| **Enterprise Network** | MikroTik, VLAN, VPN, Firewall, Routing, Reverse Proxy |
| **Identity Management** | Active Directory, LDAP, Single Sign-On (SSO) |
| **Database** | PostgreSQL, SQL Server, Backup, Replication, Performance Tuning |
| **Storage** | NAS, SAN, QNAP, Object Storage (S3), Backup & Recovery |
| **Monitoring** | Zabbix, Uptime Kuma |
| **Web Platform** | NGINX Reverse Proxy, SSL, Multi Domain Hosting |
| **Mail Server** | Multi Domain Mail Server, LDAP Integration, API Integration |
| **GIS Infrastructure** | ArcGIS Enterprise, ArcGIS Server, Portal for ArcGIS, GeoServer |
| **Asset Management** | Inventarisasi perangkat, monitoring endpoint, lifecycle asset |
| **IT Service Management** | Helpdesk, Ticketing, SLA |
---
## Pengalaman & Keahlian
### Enterprise Data Center
- Perencanaan dan implementasi infrastruktur Data Center
- Pengelolaan server fisik dan virtual
- Standarisasi infrastruktur TI untuk lingkungan enterprise
- Capacity planning dan optimalisasi sumber daya
### Infrastruktur Server
- Implementasi dan administrasi Windows Server & Linux Server
- Active Directory Domain Services (AD DS)
- LDAP Authentication dan Single Sign-On (SSO)
- Remote administration dan server hardening
### Virtualisasi
- Proxmox Virtual Environment
- Manajemen Virtual Machine
### Enterprise GIS Infrastructure
- ArcGIS Enterprise, ArcGIS Server, Portal for ArcGIS
- ArcGIS Online, ArcGIS Pro
- GeoServer
- Integrasi GIS dengan sistem enterprise
### Database Management
- Microsoft SQL Server & PostgreSQL
- Backup & restore, performance tuning, monitoring
- High Availability dan Disaster Recovery
### Storage & Backup
- QNAP NAS dan QuObjects (S3 Object Storage)
- Network Attached Storage (NAS)
- Backup repository, file sharing enterprise, sinkronisasi data
### Enterprise Network
- MikroTik RouterOS, VLAN, VPN, routing, firewall, NAT
- Reverse Proxy (NGINX)
- Multi Domain Hosting
### Monitoring & Observability
- Zabbix, Uptime Kuma
- Dashboard monitoring
- Alerting & notification
### Enterprise Mail System
- Multi Domain Mail Server
- Integrasi LDAP / Active Directory
- SMTP, IMAP, POP3
- SPF, DKIM, DMARC dan mail security
- API integration
### Asset Management
- Inventarisasi perangkat TI
- Monitoring endpoint
- Hardware lifecycle management & software inventory
- Warranty tracking dan asset audit
### Enterprise Service Management
- Helpdesk, Incident, Service Request, Problem, dan Change Management
- SLA Management
- Knowledge Base
### Software Development
- Laravel, FastAPI, Next.js, React
- REST API, API Gateway
- Enterprise dashboard
- Business Analytics, Social Analytics, Business Intelligence
---
## Teknologi & Vendor
| Vendor / Platform | Produk / Fokus |
|-------------------|----------------|
| **QNAP** | NAS, QuObjects S3, Qsync, Data Center & Storage |
| **Hikvision** | Surveillance / CCTV |
| **ZKTeco** | Biometric & access control |
| **Esri** | ArcGIS Enterprise, ArcGIS Server, ArcGIS Pro, ArcGIS Online, Survey123, Field Maps, Experience Builder |
| **Blue Marble** | Global Mapper, Global Mapper Pro |
| **DataEast** | XTools Pro dan solusi terkait |
| **Microsoft** | Windows Server, Active Directory, SQL Server, Microsoft 365 |
| **PostgreSQL** | PostgreSQL Database |
| **MikroTik** | RouterOS, VPN, Firewall |
| **NGINX** | Reverse Proxy & Load Balancer |
| **Open Source** | GeoServer, Zabbix, Uptime Kuma |
---
## Pengembangan Aplikasi Enterprise
Kami mengembangkan solusi aplikasi enterprise, antara lain:
| Platform / Modul | Fungsi |
|------------------|--------|
| GeoNet Console | Konsol manajemen enterprise |
| GeoNet Collector | Pengumpulan data & telemetry |
| GeoNet Agent | Agent endpoint |
| Asset Management | Inventaris & lifecycle aset |
| Enterprise Ticketing | Helpdesk & service management |
| Knowledge Base | Basis pengetahuan operasional |
| Monitoring Dashboard | Observability terpusat |
| Notification Service | Notifikasi & alerting |
| API Gateway | Gerbang API terpusat |
| Product Catalog | Katalog produk & layanan |
| License Management | Manajemen lisensi |
---
## Nilai Tambah
- Enterprise Architecture Design
- Multi Domain & Multi Tenant Infrastructure
- Hybrid Infrastructure (On-Premise & Cloud Ready)
- API First Architecture
- High Availability Design
- Disaster Recovery Planning
- Infrastruktur yang scalable dan mudah dikembangkan
- Integrasi antar sistem berbasis API
- Monitoring terpusat
- Dokumentasi teknis dan standarisasi implementasi
- Audit trail & logging
- Pengadaan perangkat + implementasi sistem dalam satu mitra
---
## Keunggulan Kompetitif
1. **End-to-end capability** — dari pengadaan perangkat, perencanaan infrastruktur, implementasi, integrasi aplikasi, hingga pemeliharaan dan dukungan operasional.
2. **Integrasi GIS + IT modern** — mampu menghubungkan solusi geospasial dengan infrastruktur TI enterprise.
3. **Open source & komersial** — menguasai solusi berbasis open source maupun produk vendor.
4. **Fokus operasional** — keamanan, performa, skalabilitas, dan kemudahan operasional menjadi prioritas desain.
5. **Arsitektur hybrid** — mendukung lingkungan on-premise, virtualisasi, dan cloud-ready.
6. **Solusi komunikasi & sistem** — mencakup surveillance, biometric, IP PABX, PA system, dan energy solution.
---
## Model Layanan
| Tahap | Lingkup |
|-------|---------|
| **Konsultasi & Perencanaan** | Assessment, arsitektur, capacity planning, roadmap |
| **Pengadaan** | Perangkat keras, perangkat lunak, dan perlengkapan komunikasi |
| **Implementasi** | Instalasi, konfigurasi, migrasi, hardening |
| **Integrasi** | API, LDAP/AD, GIS, aplikasi enterprise |
| **Operasional & Managed Services** | Monitoring, backup, patching, SLA, support |
| **Pengembangan** | Aplikasi enterprise, dashboard |
---
## Management
| Nama | Jabatan |
|------|---------|
| **Adiya Mugi Raharja** | CEO |
| **Muhamad Jejen** | CTO |
| **Rian Budi Setiawan** | CIO |
| **Muhamad Fahmi** | CSO |
> *"Kita menilai diri kita dengan cara mengukur dari apa yang kita rasa mampu untuk kerjakan, sedangkan orang lain mengukur kita dengan mengukur dari apa yang telah kita lakukan."*
> — Adiya Mugi Raharja, CEO
---
## Beberapa Klien
- PT EMI (Persero) — Energy Management Indonesia
- HERA
*(Daftar klien dapat dilengkapi sesuai portofolio resmi perusahaan.)*
---
## Kontak
**PT. Multiatur Sistem Solusi**
Ruko Tanjung Mas Raya B1/37
Jagakarsa, Tanjung Barat
Jakarta Selatan 12530
| | |
|---|---|
| **Telepon** | 021-27873814 |
| **Email** | admin@multiatur.com |
| **Website** | [www.multiatur.com](https://www.multiatur.com) |
---
## Penutup
PT. Multiatur Sistem Solusi berkomitmen menjadi mitra yang dapat diandalkan — menghadirkan produk komunikasi berkualitas, infrastruktur yang stabil, sistem yang terintegrasi, dan layanan berkelanjutan untuk mendukung pertumbuhan organisasi Anda.
---
*Dokumen ini disusun sebagai company profile layanan (service-based) untuk keperluan presentasi, proposal teknis, dan penawaran jasa. Menggabungkan profil resmi perusahaan dengan kapabilitas Enterprise IT Infrastructure & Managed Services.*

BIN
me/compro-preview/page-01.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 175 KiB

BIN
me/compro-preview/page-02.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 682 KiB

BIN
me/compro-preview/page-03.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 587 KiB

BIN
me/compro-preview/page-04.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 944 KiB

BIN
me/compro-preview/page-05.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 665 KiB

BIN
me/compro-preview/page-06.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 523 KiB

BIN
me/compro-preview/page-07.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 546 KiB

BIN
me/compro-preview/page-08.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 215 KiB

BIN
me/compro-preview/page-09.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 160 KiB

81
me/docs/ai-session-summary.md

@ -0,0 +1,81 @@ @@ -0,0 +1,81 @@
# AI Session Summary
```yaml
session: 2026-07-10-compro-multiatur-figma
project: me/
version: 0.1.0
status: blocked
next: Lanjut Figma halaman 06–09 setelah upgrade plan / kuota MCP
previous: N/A
agent: Cursor
branch: (local)
```
---
## TL;DR
- Disusun **company profile markdown** gabungan profil resmi PT. Multiatur Sistem Solusi + kapabilitas Enterprise IT/GIS dari `me.md`
- User bekerja di **PT. Multiatur Sistem Solusi** sebagai **CIO** (Rian Budi Setiawan)
- Desain Figma compro dimulai (gaya PDF v13); **halaman 01–05 selesai**, 06–09 terhenti **rate limit Figma MCP Starter**
- Rekomendasi seat Cursor: **Full** (tulis desain) / **Dev** (MCP baca); **Collab tidak cukup**
---
## Lanjut dari sini
1. Upgrade Figma ke Professional **Full seat** (atau tunggu reset kuota), lalu lanjut halaman 06–09 di file yang sama
2. Opsional: ganti placeholder warna di Layanan dengan foto/asset dari PDF; unggah logo resmi
3. Export PDF dari Figma setelah 9 halaman lengkap
> Backlog: [todo.md](./todo.md)
---
## Jangan
- Jangan buat file Figma compro baru — pakai file yang sudah ada
- Jangan pilih **Collab seat** untuk kolaborasi Cursor (kuota MCP ~6/bulan)
- Jangan klaim proyek klien spesifik yang belum ada di sumber resmi
- Jangan commit secret / kredensial Figma
---
## Detail
### Artefak penting
| Artefak | Lokasi / URL |
|---------|----------------|
| Compro markdown | [../company-profile-pt-multiatur.md](../company-profile-pt-multiatur.md) |
| Figma file | https://www.figma.com/design/sf2KWo2Jgiuwf4AVHUG6fb |
| PDF referensi | `../Compro PT Multiatur Sistem Solusi v13_260710_121308.pdf` |
| Preview PNG | `../compro-preview/page-01.png``page-09.png` |
### Figma — status halaman
| # | Nama | Status |
|---|------|--------|
| 01 | Cover | Done |
| 02 | Tentang Kami | Done |
| 03 | Visi & Misi | Done |
| 04 | Layanan 1 | Done |
| 05 | Layanan 2 | Done |
| 06 | Enterprise IT | Pending (rate limit) |
| 07 | Partner & Klien | Pending |
| 08 | Management | Pending |
| 09 | Thank You / Kontak | Pending |
### Brand (dari PDF)
- Navy `#0A2540`, Orange `#F2A900`, A4 ~1240×1754, font Inter
- Kontak: 021-27873814 · admin@multiatur.com · www.multiatur.com
- Alamat: Ruko Tanjung Mas Raya B1/37, Jagakarsa, Tanjung Barat, Jakarta Selatan 12530
### Catatan AI berikutnya
- `use_figma` + `create_new_file` butuh skill figma-use / figma-create-new-file
- PlanKey user: `team::1263886893605566811` (rianjawa93's team)
- Blocker: [ISS-001](./issues.md)
**On-demand:** [context-index.md](./context-index.md) | [todo.md](./todo.md) | [issues.md](./issues.md)

23
me/docs/changelog.md

@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
# Changelog
Format: [Keep a Changelog](https://keepachangelog.com/).
---
## [Unreleased]
### Added
-
### Changed
-
---
## [0.1.0] - 2026-07-10
### Added
- Company profile markdown gabungan: profil resmi PT. Multiatur Sistem Solusi + kapabilitas Enterprise IT / GIS / Managed Services
- File Figma Company Profile (halaman 01–05); kerangka 06–09
- Preview PNG 9 halaman dari PDF compro v13
- Struktur docs standar (`AGENTS.md`, session summary, todo, issues, context-index)

66
me/docs/context-index.md

@ -0,0 +1,66 @@ @@ -0,0 +1,66 @@
# Context Index
> Cold start: [../AGENTS.md](../AGENTS.md) → [ai-session-summary.md](./ai-session-summary.md) → **STOP**.
---
## Zona A - Always-read pointers
| Item | Value |
|------|-------|
| Nama | me (Company Profile & Personal Notes) |
| Path monorepo | `me/` |
| Cold start | [../AGENTS.md](../AGENTS.md) |
| Sesi terakhir | [ai-session-summary.md](./ai-session-summary.md) |
| Priority aktif | [todo.md](./todo.md) |
| Versi | 0.1.0 - [version.md](./version.md) |
| Tipe | docs-only |
| Last updated | 2026-07-10 |
---
## Zona B - On-demand map
### Dokumentasi inti
| Dokumen | Isi | Kapan baca |
|---------|-----|------------|
| [ai-session-summary.md](./ai-session-summary.md) | Narasi sesi | Setelah AGENTS |
| [todo.md](./todo.md) | Priority | Ambil task |
| [issues.md](./issues.md) | Blocker Figma MCP | Lanjut desain |
| [changelog.md](./changelog.md) | Riwayat | Audit |
| [version.md](./version.md) | Poin versi | Cek rilis |
### Sumber konten compro
| File | Peran |
|------|-------|
| [../company-profile-pt-multiatur.md](../company-profile-pt-multiatur.md) | **SSOT compro markdown** (gabungan) |
| [../me.md](../me.md) | Kapabilitas teknis / Enterprise IT (sumber) |
| [../PT. MULTIATUR SISTEM SOLUSI.md](../PT.%20MULTIATUR%20SISTEM%20SOLUSI.md) | Profil resmi OCR (alamat, management, layanan komunikasi) |
| `../Compro PT Multiatur Sistem Solusi v13_*.pdf` | Referensi desain visual |
| [../compro-preview/](../compro-preview/) | PNG per halaman PDF |
### Desain Figma
| Item | Value |
|------|-------|
| File | https://www.figma.com/design/sf2KWo2Jgiuwf4AVHUG6fb |
| Nama | Company Profile - PT Multiatur Sistem Solusi |
| Plan team | `team::1263886893605566811` |
| Halaman selesai | 01–05 |
| Pending | 06–09 — lihat [ISS-001](./issues.md) |
### Perusahaan (fakta kunci)
| Field | Value |
|-------|-------|
| Nama | PT. Multiatur Sistem Solusi |
| Berdiri | 2023 |
| Website | www.multiatur.com |
| Telepon | 021-27873814 |
| Email | admin@multiatur.com |
| CIO | Rian Budi Setiawan |
| CEO | Adiya Mugi Raharja |
| CTO | Muhamad Jejen |
| CSO | Muhamad Fahmi |

26
me/docs/issues.md

@ -0,0 +1,26 @@ @@ -0,0 +1,26 @@
# Issues
---
## ISS-001 — Figma MCP rate limit (Starter)
| Field | Value |
|-------|-------|
| **Status** | open |
| **Severity** | blocker (lanjut desain via Cursor) |
| **Date** | 2026-07-10 |
### Gejala
`use_figma` gagal dengan: *You've reached the Figma MCP tool call limit on the Starter plan.*
### Root cause
Akun pada plan **Starter**; kuota MCP untuk seat terbatas. Collab/View ≈ 6 panggilan/bulan. Full/Dev pada plan berbayar ≈ 200/hari.
### Workaround / Fix
1. Upgrade ke **Professional Full seat** ($20/mo) — direkomendasikan jika Cursor harus **buat/edit** desain
2. Atau **Dev seat** ($15/mo) — cukup untuk MCP baca/Dev Mode, **tanpa** Figma Design
3. **Jangan** Collab seat untuk kolaborasi Cursor
### Ref
- File: https://www.figma.com/design/sf2KWo2Jgiuwf4AVHUG6fb
- Docs Figma: rate-limits-access (MCP)

11
me/docs/project-status.md

@ -0,0 +1,11 @@ @@ -0,0 +1,11 @@
# Project Status
> Last updated: 2026-07-10
| Area | Status | Catatan |
|------|--------|---------|
| Compro markdown | ✅ ready | `company-profile-pt-multiatur.md` |
| Sumber resmi + teknis | ✅ | `PT. MULTIATUR…md` + `me.md` |
| Figma desain | ⏸ blocked | 5/9 halaman; ISS-001 MCP Starter |
| Export PDF final | ❌ | Setelah 9 halaman selesai |
| Docs handover | ✅ | AGENTS + Tier 1 |

43
me/docs/todo.md

@ -0,0 +1,43 @@ @@ -0,0 +1,43 @@
# TODO
> Last updated: 2026-07-10
> Sesi terakhir: [ai-session-summary.md](./ai-session-summary.md)
---
## High Priority
- [ ] Selesaikan Figma compro halaman **06–09** (Enterprise IT, Partner & Klien, Management, Thank You) di file yang sama
- [ ] Upgrade Figma Professional **Full seat** (atau tunggu kuota MCP) agar Cursor bisa lanjut `use_figma`
---
## Medium Priority
- [ ] Ganti placeholder visual layanan dengan foto/asset dari PDF / brand kit
- [ ] Unggah logo resmi Multiatur ke Figma (bukan SVG placeholder)
- [ ] Export PDF final dari Figma setelah 9 halaman lengkap
- [ ] Lengkapi daftar klien resmi di compro markdown (jika ada portofolio)
---
## Low Priority
- [ ] Versi ringkas 1–2 halaman (pitch deck) dari compro
- [ ] Versi bilingual (EN) jika dibutuhkan proposal
---
## Technical Debt
- [ ] Preview PNG di `compro-preview/` besar — pertimbangkan gitignore jika tidak perlu di repo
---
## Selesai (Sesi Ini)
- [x] Company profile markdown gabungan (resmi + Enterprise IT) - 2026-07-10
- [x] Bootstrap docs `me/` (AGENTS + Tier 1 handover) - 2026-07-10
- [x] Figma file dibuat; halaman 01–05 selesai - 2026-07-10
- [x] Konversi PDF referensi → PNG preview - 2026-07-10
- [x] Catatan seat Figma untuk Cursor (Collab vs Dev vs Full) - 2026-07-10

9
me/docs/version.md

@ -0,0 +1,9 @@ @@ -0,0 +1,9 @@
# Version History
---
## [0.1.0] - 2026-07-10
- Inisialisasi project docs `me/` (company profile & personal capability notes)
- Compro markdown v1 (service-based, gabungan sumber resmi + `me.md`)
- Desain Figma compro dimulai (5/9 halaman); blocker MCP Starter

275
me/me.md

@ -0,0 +1,275 @@ @@ -0,0 +1,275 @@
# dokumen ini mendeskripsikan siapa saya:
Berdasarkan seluruh percakapan kita selama ini, saya melihat pengalaman saya bukan hanya sebagai IT Infrastructure, tetapi juga mencakup:
Enterprise GIS Infrastructure
Data Center & Server Management
Active Directory & LDAP
Windows & Linux Server
Virtualisasi (Proxmox/VM)
Docker & Microservices
Reverse Proxy (NGINX)
PostgreSQL & SQL Server
Storage (QNAP, S3)
Monitoring (Grafana, Loki, Zabbix, Uptime Kuma)
Automation (n8n, Node-RED)
Asset Management
Enterprise Ticketing
AI Integration
Network (MikroTik, VPN, Firewall)
IT Support Internal & External Client
Enterprise Application Development
Saya menyarankan company profile dibuat lebih profesional dan berorientasi pada layanan (service-based), bukan sekadar daftar keahlian.
Company Profile – Data Center & Enterprise IT Services
Tentang Kami
Kami menyediakan layanan Enterprise IT Infrastructure, Data Center, GIS Platform, Cloud, dan Managed Services untuk mendukung operasional bisnis, instansi pemerintah, maupun perusahaan swasta.
Dengan pengalaman dalam membangun dan mengelola lingkungan hybrid infrastructure berbasis Windows, Linux, virtualisasi, container, serta sistem geospasial enterprise, kami menghadirkan solusi yang aman, terintegrasi, dan mudah dikembangkan.
Layanan Utama
Kategori Layanan
Data Center Perencanaan, implementasi, migrasi, dan pengelolaan Data Center
Server Infrastructure Windows Server, Linux Server, Virtual Machine, High Availability
Enterprise Network MikroTik, VLAN, VPN, Firewall, Routing, Reverse Proxy
Identity Management Active Directory, LDAP, Single Sign-On (SSO), RBAC
Database PostgreSQL, SQL Server, Backup, Replication, Performance Tuning
Storage NAS, SAN, QNAP, Object Storage (S3), Backup & Recovery
Monitoring Grafana, Loki, Promtail, Zabbix, Uptime Kuma
Automation Node-RED, n8n, Workflow Automation
Container Platform Docker, Docker Compose, Dockge
Web Platform NGINX Reverse Proxy, SSL, Multi Domain Hosting
Mail Server Multi Domain Mail Server, LDAP Integration, API Integration
GIS Infrastructure ArcGIS Enterprise, ArcGIS Server, Portal for ArcGIS, GeoServer
Asset Management Inventarisasi perangkat, monitoring endpoint, lifecycle asset
IT Service Management Helpdesk, Ticketing, SLA, CMDB
AI Integration Integrasi AI untuk monitoring, automation, dan knowledge management
Produk & Platform yang Didukung
Vendor Produk
Esri ArcGIS Enterprise, ArcGIS Server, ArcGIS Pro, ArcGIS Online, Survey123, Field Maps, Experience Builder
Blue Marble Global Mapper, Global Mapper Pro
DataEast XTools Pro dan solusi terkait
Microsoft Windows Server, Active Directory, SQL Server, Microsoft 365
PostgreSQL PostgreSQL Database
QNAP NAS, QuObjects S3, Qsync
MikroTik RouterOS, VPN, Firewall
Docker Docker Engine, Docker Compose
Grafana Grafana Stack
NGINX Reverse Proxy & Load Balancer
Keahlian Infrastruktur
Enterprise Data Center
Hybrid Infrastructure
High Availability
Disaster Recovery
Backup & Restore
Multi Domain Hosting
Multi Domain Mail Server
Reverse Proxy
Object Storage (S3)
Container Platform
Enterprise Monitoring
Centralized Logging
Endpoint Monitoring
Remote Device Management
Automation Platform
Pengembangan Aplikasi Enterprise
Kami juga mengembangkan solusi internal berbasis microservices, antara lain:
GeoNet Console
GeoNet Collector
GeoNet Agent
Asset Management
Enterprise Ticketing
Knowledge Base
Monitoring Dashboard
Notification Service
API Gateway
Product Catalog
License Management
CMDB
Workflow Automation
Nilai Tambah
Arsitektur berbasis Microservices
API First Architecture
Integrasi dengan Active Directory / LDAP
Multi Domain & Multi Tenant Ready
Dukungan REST API
Audit Trail & Logging
Monitoring Terpusat
Skalabel untuk pengembangan jangka panjang
Siap diintegrasikan dengan AI dan otomatisasi
Visi
Menjadi penyedia solusi Enterprise IT Infrastructure, Data Center, GIS Platform, dan Managed Services yang mampu menghadirkan sistem yang sayal, aman, dan mudah dikembangkan untuk mendukung transformasi digital organisasi.
Nilai yang Saya Lihat dari Pengalaman saya
Dari diskusi kita selama ini, kekuatan utama saya bukan hanya sebagai IT Support, tetapi sebagai Enterprise Infrastructure Architect. saya mampu menggabungkan:
Infrastruktur fisik dan virtual.
Operasional Data Center.
GIS Enterprise.
Pengembangan aplikasi.
Integrasi AI.
Otomatisasi proses bisnis.
Ini merupakan kombinasi yang cukup jarang dimiliki dalam satu peran. Karena itu, jika company profile ini digunakan untuk penawaran jasa atau presentasi ke calon klien, saya menyarankan menonjolkan kemampuan end-to-end, yaitu mulai dari perencanaan infrastruktur, implementasi, integrasi aplikasi, hingga operasional dan dukungan purna jual, bukan hanya layanan teknis per komponen.
Berikut contoh daftar pengalaman (Experience & Expertise) yang profesional untuk dimasukkan ke company profile (compro). Saya menyusunnya berdasarkan topik-topik yang sering saya kerjakan, sehingga mencerminkan kemampuan perusahaan secara menyeluruh tanpa mengklaim proyek tertentu yang belum disebutkan.
Pengalaman & Keahlian
Enterprise Data Center
Perencanaan dan implementasi infrastruktur Data Center.
Pengelolaan server fisik dan virtual.
Stsayarisasi infrastruktur TI untuk lingkungan enterprise.
Perencanaan kapasitas (Capacity Planning) dan optimalisasi sumber daya.
Infrastruktur Server
Implementasi dan administrasi Windows Server.
Implementasi dan administrasi Linux Server.
Active Directory Domain Services (AD DS).
LDAP Authentication dan Single Sign-On (SSO).
Remote Administration dan Server Hardening.
Virtualisasi & Container
Implementasi Proxmox Virtual Environment.
Manajemen Virtual Machine.
Docker & Docker Compose.
Dockge untuk pengelolaan Docker Stack.
Arsitektur Microservices.
Enterprise GIS Infrastructure
ArcGIS Enterprise.
ArcGIS Server.
Portal for ArcGIS.
ArcGIS Online.
ArcGIS Pro.
GeoServer.
Integrasi GIS dengan sistem enterprise.
Database Management
Microsoft SQL Server.
PostgreSQL.
Backup & Restore.
Database Performance Tuning.
Database Monitoring.
High Availability dan Disaster Recovery.
Storage & Backup
QNAP NAS.
QNAP QuObjects (S3 Object Storage).
Network Attached Storage (NAS).
Backup Repository.
File Sharing Enterprise.
Sinkronisasi Data.
Enterprise Network
MikroTik RouterOS.
VLAN.
VPN.
Routing.
Firewall.
NAT.
Reverse Proxy (NGINX).
Multi Domain Hosting.
Monitoring & Observability
Grafana.
Loki.
Promtail.
Zabbix.
Uptime Kuma.
Dashboard Monitoring.
Centralized Logging.
Alerting & Notification.
Enterprise Mail System
Multi Domain Mail Server.
Integrasi LDAP / Active Directory.
SMTP, IMAP, POP3.
SPF, DKIM, DMARC.
API Integration.
Mail Security.
Automation Platform
Node-RED.
n8n.
Workflow Automation.
Scheduled Task.
Integrasi API antar sistem.
Asset Management
Inventarisasi perangkat TI.
Monitoring endpoint.
Hardware Lifecycle Management.
Software Inventory.
Warranty Tracking.
Asset Audit.
Enterprise Service Management
Helpdesk.
Incident Management.
Service Request Management.
Problem Management.
Change Management.
SLA Management.
Knowledge Base.
CMDB.
Software Development
Laravel.
FastAPI.
REST API.
Next.js.
React.
PostgreSQL.
Microservices Architecture.
API Gateway.
Enterprise Dashboard.
Integrasi AI
AI-assisted Development.
AI Documentation.
AI Knowledge Base.
AI Workflow Automation.
AI Monitoring.
AI Agent Integration.
Vendor & Product Support
Esri
ArcGIS Enterprise
ArcGIS Server
ArcGIS Pro
ArcGIS Online
Survey123
Field Maps
Experience Builder
Blue Marble
Global Mapper
Global Mapper Pro
DataEast
XTools Pro
Solusi GIS pendukung
Microsoft
Windows Server
Active Directory
SQL Server
Microsoft 365
Open Source Platform
PostgreSQL
GeoServer
Docker
NGINX
Grafana
Loki
Node-RED
n8n
Nilai Tambah
Enterprise Architecture Design.
Multi Domain & Multi Tenant Infrastructure.
Hybrid Infrastructure (On-Premise & Cloud Ready).
API First Architecture.
High Availability Design.
Disaster Recovery Planning.
Infrastruktur yang mudah dikembangkan (Scalable).
Integrasi antar sistem berbasis API.
Monitoring dan Logging Terpusat.
Otomatisasi operasional TI.
Dokumentasi teknis dan stsayarisasi implementasi.
Keunggulan Kompetitif
Pengalaman mengelola infrastruktur enterprise dari sisi jaringan, server, database, storage, hingga aplikasi.
Mampu mengintegrasikan solusi GIS dengan infrastruktur TI modern.
Berpengalaman membangun platform berbasis microservices yang siap dikembangkan.
Menguasai solusi berbasis open source maupun komersial.
Fokus pada keamanan, performa, skalabilitas, dan kemudahan operasional.
Mampu merancang solusi end-to-end mulai dari perencanaan, implementasi, integrasi, hingga pemeliharaan sistem.
Daftar ini cocok digunakan pada company profile, proposal teknis, maupun dokumen penawaran layanan karena menampilkan kapabilitas secara profesional tanpa berlebihan atau mengklaim pengalaman spesifik yang belum didukung informasi.

13
server-audit/.cursor/server.md

@ -6,8 +6,10 @@ ssh -m hmac-sha1 admin@192.168.0.1 -p 255 @@ -6,8 +6,10 @@ ssh -m hmac-sha1 admin@192.168.0.1 -p 255
ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha1 -p 255 admin@192.168.0.1
Reverse_proxy (proxy.lan — nginx + GeoNetAgent collector):
ssh -m hmac-sha1 root@10.100.1.24 -p 22
ssh reverse-proxy
ssh -m hmac-sha1 root@10.100.1.24 -p 22
# Key: ~/.ssh/id_rsa_geonet_laptop — passwordless ✅ 2026-07-10
# SSOT: server-audit/docs/guide/ssh-access.md
# nginx: /etc/nginx/conf.d/ · SSL: /etc/nginx/conf.d/ssl.conf
# Wildcard cert: /home/ssl-gisportal/
# Domain routing & troubleshooting: .cursor/infra-reverse-proxy.md
@ -17,8 +19,10 @@ Reverse_proxy (proxy.lan — nginx + GeoNetAgent collector): @@ -17,8 +19,10 @@ Reverse_proxy (proxy.lan — nginx + GeoNetAgent collector):
# Deploy nginx: infra/collector/deploy_nginx.sh · lihat infra/nginx/README.md
Main_Database:
ssh -m hmac-sha1 root@10.100.1.25 -p 22
ssh main-db
ssh -m hmac-sha1 root@10.100.1.25 -p 22
# Key: ~/.ssh/id_rsa_geonet_laptop — passwordless ✅ 2026-07-10
# SSOT: server-audit/docs/guide/ssh-access.md
# PostgreSQL 12 — GeoNetAgent dev DB: geonetagent_dev (13 tabel CMDB)
# Credentials (root only): /root/geonetagent_dev.credentials
# Deploy ulang schema: infra/db/README.md
@ -26,8 +30,11 @@ Main_Database: @@ -26,8 +30,11 @@ Main_Database:
Main_Webserver:
ssh -m hmac-sha1 Administrator@10.100.1.41 -p 22
AD-LDAP:
AD-LDAP (Windows Server 2012 R2):
ssh ad-ldap
ssh -m hmac-sha1 Administrator@10.100.1.40 -p 22
# Key: ~/.ssh/id_rsa_geonet_laptop — passwordless ✅ 2026-07-10
# Setup: server-audit/scripts/setup-ssh-ad-ldap.ps1
zabbix:
ssh -m hmac-sha1 root@10.100.1.42 -p 22

22
server-audit/.env.example

@ -0,0 +1,22 @@ @@ -0,0 +1,22 @@
# .env.example — server-audit (AMAN di-commit)
# Copy ke .env lokal jika skrip butuh konfigurasi (JANGAN commit .env)
# --- SSH defaults (laptop developer) ---
SSH_USER_LINUX=root
SSH_PORT_LINUX=22
SSH_MAC_LEGACY=hmac-sha1
# --- Host references (baca dari docs/server.md; jangan hardcode di skrip baru) ---
SSH_HOST_REVERSE_PROXY=10.100.1.24
SSH_HOST_MAIN_DB=10.100.1.25
SSH_HOST_OLLAMA=10.100.1.26
SSH_HOST_MAILCOW=10.100.1.28
SSH_HOST_MIKROTIK=10.100.1.1
SSH_PORT_MIKROTIK=255
# --- Key paths (laptop, bukan di repo) ---
# SSH_KEY_GEONET_LAPTOP=%USERPROFILE%\.ssh\id_rsa_geonet_laptop
# SSH_KEY_MAILCOW=%USERPROFILE%\.ssh\id_ed25519_mailcow
# SSH_KEY_MIKROTIK=%USERPROFILE%\.ssh\id_rsa_mikrotik
# Dokumentasi: docs/guide/ssh-access.md | docs/server.md

41
server-audit/AGENTS.md

@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
# AGENTS.md — Cold Start
> Project: `server-audit/`
> Sesi terakhir: [docs/ai-session-summary.md](./docs/ai-session-summary.md)
> Peta lengkap: [docs/context-index.md](./docs/context-index.md)
> Env template: [.env.example](./.env.example)
## Apa ini?
SSOT inventori server GeoNet, audit infrastruktur, dan **runbook SSH key-based access** dari laptop Windows ke seluruh host di LAN `10.100.1.x`.
## Aturan kritis
- **SSOT SSH:** [docs/guide/ssh-access.md](./docs/guide/ssh-access.md) — jangan duplikasi detail key di chat
- **No hardcoded IP di skrip baru** — gunakan variabel / parameter; referensi host di [docs/server.md](./docs/server.md)
- Jangan commit private key, password, atau isi `~/.ssh/` ke repo
- Wajib **PowerShell** (bukan CMD) untuk `$env:USERPROFILE` dan pipe SSH
- Server RHEL/CentOS: `-m hmac-sha1` (alias `-o MACs=hmac-sha1`); log auth di `/var/log/secure`
- Server Ubuntu/Debian: log auth di `/var/log/auth.log`; biasanya tanpa `-m`
- No commit kecuali user minta eksplisit
- **Perubahan material:** append [docs/version.md](./docs/version.md) + update [host.md](./host.md) ringkas
## Lanjut kerja
```
1. AGENTS.md
2. docs/ai-session-summary.md
3. STOP
4. On-demand: docs/guide/ssh-access.md, docs/server.md, host.md, docs/todo.md
```
## Pointer cepat
| Butuh | Buka |
|-------|------|
| SSH setup / status key | [docs/guide/ssh-access.md](./docs/guide/ssh-access.md) |
| Quick SSH commands | [host.md](./host.md) |
| Inventori host | [docs/server.md](./docs/server.md) |
| Setup scripts | [scripts/](./scripts/) |
| Versi / riwayat | [docs/version.md](./docs/version.md) |
| Reverse proxy detail | [.cursor/infra-reverse-proxy.md](./.cursor/infra-reverse-proxy.md) |

7
server-audit/docs/adr/000-template.md

@ -0,0 +1,7 @@ @@ -0,0 +1,7 @@
# ADR Template
Gunakan format `ADR-NNN-judul-kebab-case.md` di folder ini untuk keputusan arsitektur infra.
Lihat `AI-Agent-Standards/templates/repo/adr-template.md` untuk template lengkap.
Existing ADR legacy: [../.cursor/adr/](../.cursor/adr/)

28
server-audit/docs/ai-session-summary.md

@ -0,0 +1,28 @@ @@ -0,0 +1,28 @@
# AI Session Summary
```yaml
session: 2026-07-10-ssh-and-ad-ldap
project: server-audit/
version: 0.1.8
status: ready
next: Setup key Zabbix (.42) dan Main Webserver (.41)
agent: Cursor
```
## TL;DR
- Bootstrap `server-audit/` docs standar + SSOT SSH [guide/ssh-access.md](./guide/ssh-access.md)
- Key laptop: `id_rsa_geonet_laptop` + `id_ed25519_mailcow`; alias di `~/.ssh/config`
- Key-only ✅: `.24` reverse-proxy, `.25` main-db, `.28` mailcow, `.26` ollama (`geonet`), `.40` ad-ldap (Win2012 R2)
- AD `.40`: UTF-8 no BOM + `administrators_authorized_keys` + `PubkeyAcceptedAlgorithms +ssh-rsa`
## Lanjut dari sini
1. `scripts/setup-ssh-*` untuk Zabbix `.42` / Webserver `.41` jika perlu
2. Runbook: [guide/ssh-access.md](./guide/ssh-access.md) | Quick: [host.md](../host.md)
## Jangan
- Jangan commit private key / password
- RHEL log: `/var/log/secure` (bukan `auth.log`)
- Wajib PowerShell (`$env:USERPROFILE`); Win admin key di ProgramData bukan `~\.ssh\authorized_keys`

33
server-audit/docs/changelog.md

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Changelog
Format berdasarkan [Keep a Changelog](https://keepachangelog.com/).
---
## [0.1.1] - 2026-07-10
### Added
- `docs/guide/ssh-access.md` — SSOT runbook SSH key-based access
- `scripts/setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1`
- `scripts/ssh-config.example` — template `~/.ssh/config`
- `AGENTS.md`, `docs/context-index.md`, `docs/server.md`, `docs/system-requirements.md`
- `.env.example` dengan referensi host SSH
### Changed
- `host.md` — status key-only per host, link ke runbook
- `.cursor/server.md` — sinkron status SSH reverse-proxy
### Documented
- Sesi setup SSH laptop 2026-07-10 (reverse-proxy verified, Mailcow/DB pending)
- Perbedaan auth log RHEL (`/var/log/secure`) vs Ubuntu (`/var/log/auth.log`)
---
## [0.1.0] - 2026-07-10
### Added
- Struktur dokumentasi standar AI-Agent-Standards untuk `server-audit/`

50
server-audit/docs/context-index.md

@ -0,0 +1,50 @@ @@ -0,0 +1,50 @@
# Context Index
## Zona A — Always-read pointers
| Item | Value |
|------|-------|
| Nama | server-audit |
| Path monorepo | `server-audit/` |
| Cold start | [../AGENTS.md](../AGENTS.md) |
| Sesi terakhir | [ai-session-summary.md](./ai-session-summary.md) |
| Priority aktif | [todo.md](./todo.md) |
| Server / infra | [server.md](./server.md) |
| SSH runbook (SSOT) | [guide/ssh-access.md](./guide/ssh-access.md) |
| Quick commands | [../host.md](../host.md) |
| System requirements | [system-requirements.md](./system-requirements.md) |
| Env template | [../.env.example](../.env.example) |
| Versi | 0.1.1 — [version.md](./version.md) |
| Stack | Markdown docs, PowerShell scripts, `.cursor/` legacy |
| Tipe | infra / docs-only |
| Last updated | 2026-07-10 |
## Zona B — On-demand map
### Dokumentasi inti
| Dokumen | Isi | Kapan baca |
|---------|-----|------------|
| [guide/ssh-access.md](./guide/ssh-access.md) | Key-based SSH, alias, setup per host | Setup laptop baru / debug auth |
| [server.md](./server.md) | Inventori host/IP/role | Deploy / audit |
| [../host.md](../host.md) | Cheat sheet SSH cepat | Login harian |
| [../.cursor/infra-reverse-proxy.md](../.cursor/infra-reverse-proxy.md) | DNS, nginx, SSL `.24` | Troubleshoot domain |
| [../.cursor/server.md](../.cursor/server.md) | Mirror host.md (legacy `.cursor`) | Kompatibilitas agent lama |
### Scripts
| Script | Host | Kapan |
|--------|------|-------|
| [../scripts/setup-ssh-reverse-proxy.ps1](../scripts/setup-ssh-reverse-proxy.ps1) | `.24` | Laptop baru |
| [../scripts/setup-ssh-main-db.ps1](../scripts/setup-ssh-main-db.ps1) | `.25` | Laptop baru |
| [../scripts/setup-ssh-mailcow.ps1](../scripts/setup-ssh-mailcow.ps1) | `.28` | Laptop baru |
| [../scripts/setup-ssh-key-multimedia.ps1](../scripts/setup-ssh-key-multimedia.ps1) | `.14` | Di PC MULTIMEDIA |
### Parent / sibling
| Dokumen | Path | Kapan baca |
|---------|------|------------|
| Workspace registry | `Workspace-Context.md` | Navigasi monorepo |
| nginx detail | `nginx/docs/server.md` | Vhost `.24` |
| Mailcow detail | `Mailcow/docs/server.md` | VM `.28` |
| server-connection SSH | `server-connection/scripts/ssh-*.ps1` | Deploy app |

8
server-audit/docs/guide/README.md

@ -0,0 +1,8 @@ @@ -0,0 +1,8 @@
# Guide — server-audit
| Dokumen | Isi |
|---------|-----|
| [ssh-access.md](./ssh-access.md) | **SSOT** SSH key-based access laptop → server |
| [migration.md](./migration.md) | Migrasi server/domain (checklist) |
Quick SSH commands: [../host.md](../host.md)

29
server-audit/docs/guide/migration.md

@ -0,0 +1,29 @@ @@ -0,0 +1,29 @@
# Migration Guide — Server & Domain
**Owner:** `server-audit/`
Inventori host: [../server.md](../server.md)
SSH re-setup setelah migrasi laptop: [ssh-access.md](./ssh-access.md)
---
## Migrasi laptop developer (SSH key)
Saat pindah ke laptop/PC baru:
1. Generate key sesuai [ssh-access.md](./ssh-access.md) (atau salin key dari backup aman — **bukan** via git)
2. Upload public key ke setiap host (one-liner per host)
3. Salin `~/.ssh/config` dari [scripts/ssh-config.example](../../scripts/ssh-config.example)
4. Verifikasi `KEY_AUTH_OK` per host
5. Update status di [host.md](../../host.md) dan [ssh-access.md](./ssh-access.md)
---
## Inventori migrasi infra (TODO)
| Item | Nilai saat ini | Nilai target | File update |
|------|----------------|--------------|-------------|
| Reverse proxy | `10.100.1.24` | — | `docs/server.md`, `host.md` |
| Main DB | `10.100.1.25` | — | `docs/server.md` |
| Mailcow | `10.100.1.28` | — | `Mailcow/docs/server.md` |
> Isi detail saat migrasi pertama terjadi.

299
server-audit/docs/guide/ssh-access.md

@ -0,0 +1,299 @@ @@ -0,0 +1,299 @@
# SSH Key-Based Access — Runbook (SSOT)
> **Last updated:** 2026-07-10
> **Owner:** `server-audit/`
> Quick ref: [host.md](../../host.md) | Inventori: [server.md](../server.md)
Dokumen ini adalah **Single Source of Truth** untuk setup SSH passwordless dari laptop Windows (OpenSSH) ke infrastruktur GeoNet.
---
## Prasyarat
| Item | Nilai |
|------|-------|
| Shell | **PowerShell** (bukan CMD) |
| Client | Windows OpenSSH (`ssh`, `scp`) |
| Network | Terhubung ke LAN `10.100.1.x` |
| Key storage | `%USERPROFILE%\.ssh\` (tidak di-commit ke git) |
---
## Key inventory (laptop)
| Key file | Algoritma | Dipakai untuk | Alias config |
|----------|-----------|---------------|--------------|
| `id_rsa_geonet_laptop` | RSA 4096 | `.24`, `.25`, `.26` (Linux root) | `reverse-proxy`, `main-db`, `ollama` |
| `id_ed25519_mailcow` | ed25519 | `.28` Mailcow | `mailcow` |
| `id_rsa_mikrotik` | RSA | MikroTik `.1` port 255 | — |
| `id_ed25519_geonet_proxmox` | ed25519 | Windows Server `.14`, `.51`, `.52` | `multimedia`, `dev51-base` |
| `id_ed25519` | ed25519 | QNAP `.10` | — |
**Dibuat sesi 2026-07-10:** `id_rsa_geonet_laptop`, `id_ed25519_mailcow`, `~/.ssh/config`
---
## `~/.ssh/config` (template)
Salin ke `%USERPROFILE%\.ssh\config` di laptop:
```
Host reverse-proxy
HostName 10.100.1.24
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host main-db
HostName 10.100.1.25
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host ollama
HostName 10.100.1.26
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host mailcow
HostName 10.100.1.28
User root
Port 22
IdentityFile ~/.ssh/id_ed25519_mailcow
IdentitiesOnly yes
```
Template file: [scripts/ssh-config.example](../../scripts/ssh-config.example)
---
## Aturan MAC `hmac-sha1`
Server **RHEL/CentOS** (reverse-proxy `.24`, main-db `.25`) membutuhkan:
```powershell
-m hmac-sha1
# setara: -o MACs=hmac-sha1
```
Server **Ubuntu** (Ollama `.26`, Mailcow `.28`) biasanya **tanpa** flag `-m`.
**SCP** ke server lama: gunakan `-o MACs=hmac-sha1` (bukan `-m`).
---
## Setup per host
### 1. Reverse proxy — `10.100.1.24`
| Item | Nilai |
|------|-------|
| OS | RHEL/CentOS (`proxy`) |
| Key | `id_rsa_geonet_laptop` |
| Alias | `ssh reverse-proxy` |
| Status | **Key-only verified** 2026-07-10 |
**Script (sekali):**
```powershell
.\server-audit\scripts\setup-ssh-reverse-proxy.ps1
```
**Manual one-liner:**
```powershell
type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.24 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
```
**Verifikasi:**
```powershell
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 root@10.100.1.24 -p 22 "echo KEY_AUTH_OK"
# atau: ssh reverse-proxy "echo KEY_AUTH_OK"
```
**Debug auth (RHEL):**
```powershell
ssh -m hmac-sha1 root@10.100.1.24 -p 22 "grep sshd /var/log/secure | tail -20"
```
---
### 2. Main Database — `10.100.1.25`
| Item | Nilai |
|------|-------|
| OS | RHEL/CentOS |
| Key | `id_rsa_geonet_laptop` (sama dengan `.24`) |
| Alias | `ssh main-db` |
| Status | **Key-only verified** 2026-07-10 |
**Script:**
```powershell
.\server-audit\scripts\setup-ssh-main-db.ps1
```
**Manual:**
```powershell
type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 root@10.100.1.25 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
```
---
### 3. Mailcow — `10.100.1.28`
| Item | Nilai |
|------|-------|
| OS | Ubuntu (`mailserver`) |
| Key | `id_ed25519_mailcow` (dedicated) |
| Alias | `ssh mailcow` |
| Status | **Key-only verified** 2026-07-10 |
**Script:**
```powershell
.\server-audit\scripts\setup-ssh-mailcow.ps1
```
**Manual (tanpa `-m`):**
```powershell
type $env:USERPROFILE\.ssh\id_ed25519_mailcow.pub | ssh root@10.100.1.28 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
```
**Debug auth (Ubuntu):**
```powershell
ssh root@10.100.1.28 -p 22 "grep sshd /var/log/auth.log | tail -20"
```
---
### 4. Ollama — `10.100.1.26`
Key: `id_rsa_geonet_laptop` | User: **`geonet`** (bukan root) | Alias: `ssh ollama`
Status: **Key-only verified** 2026-07-10
```powershell
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 geonet@10.100.1.26 -p 22 "echo KEY_AUTH_OK"
# atau: ssh ollama "echo KEY_AUTH_OK"
```
> `root@10.100.1.26` belum di-setup key — gunakan `geonet` untuk operasional.
---
### 5. MikroTik — `10.100.1.1` port 255
Key: `id_rsa_mikrotik` (RSA wajib — RouterOS 7.5)
```powershell
ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha1 -p 255 admin@10.100.1.1
```
Setup: `server-connection/scripts/setup-ssh-mikrotik.ps1`
---
### 6. AD-LDAP — `10.100.1.40` (Windows Server 2012 R2) ✅
| Item | Nilai |
|------|-------|
| OS | Windows Server 2012 R2 (`ad-server`) |
| User | `Administrator` |
| Key (laptop ini) | `id_rsa_geonet_laptop` |
| Alias | `ssh ad-ldap` |
| Authorized keys file | `C:\ProgramData\ssh\administrators_authorized_keys` |
| Status | **Key-only verified** 2026-07-10 |
**Penting Win2012 R2 / OpenSSH Windows:**
- Akun Administrator **tidak** memakai `C:\Users\...\.ssh\authorized_keys`
- Wajib file: `C:\ProgramData\ssh\administrators_authorized_keys`
- ACL: hanya `SYSTEM` + `Administrators` (inheritance off)
- `sshd_config` harus punya:
```
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
```
- MAC: `-m hmac-sha1` / `MACs hmac-sha1`
- Host key pertama kali: `StrictHostKeyChecking=accept-new` (script sudah set)
**Script (PowerShell):**
```powershell
.\server-audit\scripts\setup-ssh-ad-ldap.ps1
```
**Verifikasi:**
```powershell
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -o BatchMode=yes -m hmac-sha1 Administrator@10.100.1.40 -p 22 "echo KEY_AUTH_OK"
# atau: ssh ad-ldap "echo KEY_AUTH_OK"
```
> Laptop lain / ArcGIS / MULTIMEDIA masih boleh pakai `id_ed25519_geonet_proxmox` — key berbeda, boleh keduanya di `administrators_authorized_keys`.
### 7. Windows lain (Webserver, ArcGIS, MULTIMEDIA)
Key legacy: `id_ed25519_geonet_proxmox``administrators_authorized_keys`
MULTIMEDIA `.14`: `scripts/setup-ssh-key-multimedia.ps1`
ArcGIS `.51`/`.52`: lihat [host.md](../../host.md)
---
## Windows private key ACL
Setelah generate key, perketat ACL (hindari error "permissions too open"):
```powershell
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /inheritance:r
icacls $env:USERPROFILE\.ssh\id_rsa_geonet_laptop /grant:r "${env:USERNAME}:(R)"
```
---
## Troubleshooting
| Gejala | Penyebab | Solusi |
|--------|----------|--------|
| Masih minta password | Pubkey belum di `authorized_keys` | Jalankan setup script / one-liner upload |
| `grep: auth.log: No such file` | Server RHEL, bukan Debian | Pakai `/var/log/secure` |
| `no matching MAC` | Server SSH lama | Tambah `-m hmac-sha1` |
| `Permissions too open` | ACL Windows key | Jalankan `icacls` di atas |
| `$env:USERPROFILE` kosong / key not found | Pakai **CMD** bukan PowerShell | Buka PowerShell; di CMD pakai `%USERPROFILE%` |
| `Host key verification failed` | Host belum di `known_hosts` | Script pakai `accept-new`; atau `ssh-keygen -R 10.100.1.40` lalu connect ulang |
| Pubkey gagal di Administrator Windows | Key di `~\.ssh\authorized_keys` | Pindah ke `C:\ProgramData\ssh\administrators_authorized_keys` + ACL |
| `KEY_INSTALLED_OK` tapi `Permission denied (publickey)` | File UTF-16 (Add-Content WinPS) | Tulis ulang UTF-8 no BOM; jalankan ulang `setup-ssh-ad-ldap.ps1` |
---
## Riwayat sesi 2026-07-10
1. Laptop baru: tidak ada `~/.ssh/config` dan private key
2. Generate `id_rsa_geonet_laptop` (RSA 4096, comment `geonet-laptop`)
3. Buat `~/.ssh/config` dengan alias `reverse-proxy`, `main-db`, `ollama`, `mailcow`
4. Upload pub key ke `.24``KEY_INSTALLED_OK``KEY_AUTH_OK`
5. Generate `id_ed25519_mailcow` untuk Mailcow `.28`
6. Buat script setup: `setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1`
7. Temuan: `.24` hostname `proxy`, OS RHEL — log di `/var/log/secure`
**Duplikat script (backward compat):**
| SSOT (server-audit) | Legacy |
|---------------------|--------|
| `server-audit/scripts/setup-ssh-reverse-proxy.ps1` | `server-connection/scripts/setup-ssh-reverse-proxy.ps1` |
| `server-audit/scripts/setup-ssh-main-db.ps1` | `server-connection/scripts/setup-ssh-main-db.ps1` |
| `server-audit/scripts/setup-ssh-mailcow.ps1` | `Mailcow/scripts/setup-ssh-key-simple.ps1` |

26
server-audit/docs/issues.md

@ -0,0 +1,26 @@ @@ -0,0 +1,26 @@
# Issues
> Last updated: 2026-07-10
---
## Open
*(belum ada issue terbuka)*
---
## Known / Documented
| ID | Ringkasan | Workaround | Ref |
|----|-----------|------------|-----|
| DOC-001 | `grep auth.log` gagal di RHEL `.24` | Pakai `/var/log/secure` | [ssh-access.md](./guide/ssh-access.md) |
| DOC-002 | Windows OpenSSH `$env:USERPROFILE` kosong di CMD | Wajib PowerShell | [ssh-access.md](./guide/ssh-access.md) |
---
## Fixed
| ID | Ringkasan | Fix | Tanggal |
|----|-----------|-----|---------|
| — | — | — | — |

22
server-audit/docs/project-status.md

@ -0,0 +1,22 @@ @@ -0,0 +1,22 @@
# Project Status
> Last updated: 2026-07-10
## Ringkasan
`server-audit/` adalah SSOT inventori server GeoNet dan runbook SSH untuk laptop developer IT.
## Progress
| Area | Status |
|------|--------|
| Dokumentasi standar | ✅ Done (bootstrap 2026-07-10) |
| SSH runbook SSOT | ✅ Done |
| reverse-proxy `.24` key-only | ✅ Verified |
| Main DB `.25` key-only | ✅ Verified 2026-07-10 |
| Mailcow `.28` key-only | ✅ Verified 2026-07-10 |
| Ollama `.26` key-only (`geonet`) | ✅ Verified 2026-07-10 |
## Next priority
[Lihat todo.md](./todo.md) — Zabbix, AD, Webserver.

87
server-audit/docs/server.md

@ -0,0 +1,87 @@ @@ -0,0 +1,87 @@
# Server Inventory — GeoNet LAN
**Owner:** `server-audit/`
**Last updated:** 2026-07-10
**Credential location:** Private key di `~/.ssh/` laptop; password server tidak didokumentasikan di repo.
Cold start SSH: [guide/ssh-access.md](./guide/ssh-access.md) | Quick ref: [../host.md](../host.md)
---
## Ringkasan
| Field | Value |
|-------|-------|
| Project | `server-audit/` |
| Network | LAN `10.100.1.0/24` (+ `192.168.0.x` MikroTik) |
| Gateway | MikroTik `10.100.1.1` port 255 |
| Publik NAT | `117.102.73.x` → reverse-proxy `.24` |
---
## Host / Server
| Host / IP | Hostname | Env | Role | OS | SSH alias | Key laptop | MAC hmac-sha1 |
|-----------|----------|-----|------|-----|-----------|------------|---------------|
| `10.100.1.1` | — | prod | Gateway NAT/firewall | RouterOS | — | `id_rsa_mikrotik` | ✅ port 255 |
| `10.100.1.14` | MULTIMEDIA | dev | Workstation GIS | Windows 10 | `multimedia` | `id_ed25519_geonet_proxmox` | — |
| `10.100.1.24` | proxy | prod | Reverse proxy, Docker stacks | RHEL/CentOS | `reverse-proxy` | `id_rsa_geonet_laptop` | ✅ |
| `10.100.1.25` | — | prod | PostgreSQL + SQL Server | RHEL/CentOS | `main-db` | `id_rsa_geonet_laptop` | ✅ |
| `10.100.1.26` | aiopr | prod | Ollama inference CPU | Ubuntu 22.04 | `ollama` | `id_rsa_geonet_laptop` | ✅ |
| `10.100.1.28` | mailserver | prod | Mailcow dockerized | Ubuntu | `mailcow` | `id_ed25519_mailcow` | — |
| `10.100.1.40` | — | prod | Active Directory LDAP | Windows Server 2012 R2 | `ad-ldap` | `id_rsa_geonet_laptop` | ✅ |
| `10.100.1.41` | — | prod | Main webserver | Windows Server | — | TBD | ✅ |
| `10.100.1.42` | — | prod | Zabbix monitoring | Linux | — | TBD | ✅ |
| `10.100.1.51`–`.53` | — | dev | ArcGIS Enterprise | Windows Server | `dev51-base` | `id_ed25519_geonet_proxmox` | — |
| `10.100.1.10` | — | prod | QNAP NAS TS-932X | QTS | — | `id_ed25519` | opsional |
| `10.100.1.101` | — | dev | Proxmox Dev | Proxmox | — | — | — |
| `10.100.1.102` | — | prod | Proxmox Opr | Proxmox | — | — | — |
**Status key-only (2026-07-10):** `.24`, `.25`, `.28`, `.26` (geonet) verified ✅
---
## Aplikasi & Runtime per Host
| Host | Aplikasi | Jenis | Port | Path / Catatan |
|------|----------|-------|------|----------------|
| `.24` | nginx | reverse proxy | 443 | `/etc/nginx/conf.d/` |
| `.24` | Docker stacks | Docker Compose | — | `/opt/stacks/` (Dockge) |
| `.24` | GeoNet collector | Docker | 8000 | `geonetagent-collector` |
| `.25` | PostgreSQL 12 | DB | 5432 | `geonetagent_dev` |
| `.25` | SQL Server | DB | 1433 | — |
| `.26` | Ollama | systemd | 11434 | CPU inference |
| `.28` | Mailcow | Docker | 443 | `/opt/stacks/mailcow` |
| `.42` | Zabbix | monitoring | — | — |
---
## Auth log per OS
| OS family | Log path |
|-----------|----------|
| RHEL/CentOS (`.24`, `.25`) | `/var/log/secure` |
| Ubuntu/Debian (`.26`, `.28`) | `/var/log/auth.log` |
| journald (semua Linux) | `journalctl -u sshd -n 20` |
---
## Mapping ke monorepo
| Komponen | Path monorepo |
|----------|---------------|
| SSH SSOT | `server-audit/docs/guide/ssh-access.md` |
| nginx config docs | `nginx/` |
| Mailcow | `Mailcow/` |
| GeoNetAgent collector | `GeoNetAgent/` |
| Deploy scripts | `server-connection/scripts/` |
---
## Catatan operasional
- Laptop developer harus di jaringan `10.100.1.x` untuk SSH langsung
- SCP dari Windows ke Linux lama: `-o MACs=hmac-sha1`
- Windows Server SSH: public key ke `C:\ProgramData\ssh\administrators_authorized_keys`
**Jangan:** password, private key, API token di file ini.

33
server-audit/docs/system-requirements.md

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# System Requirements — server-audit
> Last updated: 2026-07-10
## Tipe project
Dokumentasi infra + PowerShell scripts — tidak ada runtime aplikasi.
## Laptop developer (SSH client)
| Tool | Versi minimum | Catatan |
|------|---------------|---------|
| Windows | 10/11 | OpenSSH Client terinstall |
| PowerShell | 5.1+ | Wajib untuk skrip SSH |
| OpenSSH | bawaan Windows | `ssh`, `scp`, `ssh-keygen` |
## Server target
| OS | Host contoh | SSH notes |
|----|-------------|-----------|
| RHEL/CentOS | `.24`, `.25` | `-m hmac-sha1`, log `/var/log/secure` |
| Ubuntu 22.04 | `.26`, `.28` | Tanpa `-m`, log `/var/log/auth.log` |
| Windows Server | `.40`, `.41`, `.51` | `administrators_authorized_keys` |
| RouterOS 7.5 | `.1` | RSA key, port 255 |
## Variabel konfigurasi
Lihat [.env.example](../.env.example) — referensi host IP untuk skrip (bukan secret).
## Aturan
- No hardcode IP di skrip baru — gunakan parameter atau baca `.env`
- Private key hanya di `~/.ssh/`, tidak di repo

26
server-audit/docs/todo.md

@ -0,0 +1,26 @@ @@ -0,0 +1,26 @@
# TODO
> Last updated: 2026-07-10
> Sesi terakhir: [ai-session-summary.md](./ai-session-summary.md)
---
## High Priority
- [ ] Setup key Zabbix `10.100.1.42`
- [ ] Setup key Main Webserver `10.100.1.41` (Windows)
---
## Low Priority
- [ ] Dokumentasi alias `~/.ssh/config` untuk MikroTik dan QNAP
- [ ] Sinkron `Workspace-Context.md` path lokal laptop (`F:\geonetinfomedia`)
---
## Selesai (Sesi Ini)
- [x] Bootstrap docs + SSOT SSH runbook
- [x] Key-only: `.24` `.25` `.28` `.26`(geonet) `.40`(ad-ldap)
- [x] Script setup SSH + `setup-ssh-ad-ldap.ps1` (UTF-8 / Win2012)

74
server-audit/docs/version.md

@ -0,0 +1,74 @@ @@ -0,0 +1,74 @@
# Version History
**Owner:** riwayat versi `server-audit/`**APPEND** setiap perubahan material.
---
## [0.1.8] - 2026-07-10
- AD-LDAP `10.100.1.40` (`ad-server`): key-only verified (`KEY_AUTH_OK`)
- Login: `ssh ad-ldap`
---
## [0.1.7] - 2026-07-10
- AD `.40`: force overwrite authorized_keys; dual write ProgramData + profile; enable `ssh-rsa`; uncomment Match Group
- Client: `PubkeyAcceptedAlgorithms +ssh-rsa` di alias `ad-ldap`
---
## [0.1.6] - 2026-07-10
- Fix AD `.40` setup: tulis `administrators_authorized_keys` sebagai **UTF-8 no BOM** (bukan UTF-16 dari Add-Content)
- ACL ketat SYSTEM + Administrators only
---
## [0.1.5] - 2026-07-10
- Script SSH key-only AD-LDAP `.40` (Win2012 R2): `scripts/setup-ssh-ad-ldap.ps1`
- Alias `ad-ldap` di `~/.ssh/config` + `ssh-config.example`
- Key: `id_rsa_geonet_laptop``administrators_authorized_keys` (bukan user profile authorized_keys)
---
## [0.1.4] - 2026-07-10
- Ollama `10.100.1.26`: key-only verified untuk user `geonet` (`KEY_AUTH_OK`)
- Alias `ssh ollama` diupdate ke `User geonet` di `~/.ssh/config`
---
## [0.1.3] - 2026-07-10
- Mailcow `10.100.1.28`: key-only verified (`KEY_AUTH_OK`) via PowerShell
- Login: `ssh mailcow`
- Catatan: perintah dengan `$env:USERPROFILE` gagal di CMD — wajib PowerShell
---
## [0.1.2] - 2026-07-10
- Main DB `10.100.1.25`: key-only verified (`KEY_AUTH_OK`)
- Login: `ssh main-db`
---
## [0.1.1] - 2026-07-10
- Dokumentasi SSOT SSH key-based access: `docs/guide/ssh-access.md`
- Bootstrap struktur docs standar AI-Agent-Standards (`AGENTS.md`, `docs/*`)
- Setup laptop: `id_rsa_geonet_laptop` + `id_ed25519_mailcow` + `~/.ssh/config`
- reverse-proxy `.24`: key-only verified (`KEY_AUTH_OK`)
- Script setup: `setup-ssh-reverse-proxy.ps1`, `setup-ssh-main-db.ps1`, `setup-ssh-mailcow.ps1`
- Temuan operasional: RHEL `.24` log auth di `/var/log/secure` (bukan `auth.log`)
- Update `host.md` dengan status key dan link ke runbook
---
## [0.1.0] - 2026-07-10
- Bootstrap dokumentasi standar (AGENTS.md + docs/)
- Inisialisasi project `server-audit` sebagai SSOT inventori server GeoNet
- Migrasi referensi dari `host.md` dan `.cursor/server.md` ke struktur `docs/`

38
server-audit/host.md

@ -1,3 +1,21 @@ @@ -1,3 +1,21 @@
# SSH Host Reference — GeoNet LAN
> **SSOT lengkap:** [docs/guide/ssh-access.md](docs/guide/ssh-access.md)
> **Inventori:** [docs/server.md](docs/server.md) | **Cold start:** [AGENTS.md](AGENTS.md)
> Last updated: 2026-07-10
## Status key-only (laptop ini)
| Host | Alias | Key | Status |
|------|-------|-----|--------|
| `10.100.1.24` | `reverse-proxy` | `id_rsa_geonet_laptop` | ✅ 2026-07-10 |
| `10.100.1.25` | `main-db` | `id_rsa_geonet_laptop` | ✅ 2026-07-10 |
| `10.100.1.28` | `mailcow` | `id_ed25519_mailcow` | ✅ 2026-07-10 |
| `10.100.1.26` | `ollama` | `id_rsa_geonet_laptop` | ✅ 2026-07-10 (`geonet`) |
| `10.100.1.40` | `ad-ldap` | `id_rsa_geonet_laptop` | ✅ 2026-07-10 |
---
# Workstation MULTIMEDIA (Windows 10 Pro):
ssh multimedia
ssh admin@10.100.1.14 -p 22
@ -42,7 +60,10 @@ ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha @@ -42,7 +60,10 @@ ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha
ssh root@10.100.1.101
# Reverse_proxy (App Server):
ssh reverse-proxy
ssh -m hmac-sha1 root@10.100.1.24 -p 22
# Key: ~/.ssh/id_rsa_geonet_laptop — passwordless ✅ 2026-07-10
# Setup: .\server-audit\scripts\setup-ssh-reverse-proxy.ps1
## Disk Cleanup — 1 Jul 2026
- Sebelum: disk 98% penuh (1.3 GB free / 50 GB)
@ -61,16 +82,22 @@ ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha @@ -61,16 +82,22 @@ ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha
# Mailserver (Mailcow):
ssh mailcow
ssh root@10.100.1.28
# Key: ~/.ssh/id_ed25519_mailcow — passwordless OK 2026-07-03
# Key: ~/.ssh/id_ed25519_mailcow — passwordless ✅ 2026-07-10
# Main_Database:
ssh main-db
ssh -m hmac-sha1 root@10.100.1.25 -p 22
# Key: ~/.ssh/id_rsa_geonet_laptop — passwordless ✅ 2026-07-10
# Main_Webserver:
ssh -m hmac-sha1 Administrator@10.100.1.41 -p 22
# AD-LDAP:
# AD-LDAP (Windows Server 2012 R2):
ssh ad-ldap
ssh -m hmac-sha1 Administrator@10.100.1.40 -p 22
# Key laptop ini: ~/.ssh/id_rsa_geonet_laptop → C:\ProgramData\ssh\administrators_authorized_keys
# Setup: .\server-audit\scripts\setup-ssh-ad-ldap.ps1
# Status: passwordless ✅ 2026-07-10 (Win2012 R2)
# zabbix:
ssh -m hmac-sha1 root@10.100.1.42 -p 22
@ -78,11 +105,10 @@ ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha @@ -78,11 +105,10 @@ ssh -i "$env:USERPROFILE\.ssh\id_rsa_mikrotik" -o IdentitiesOnly=yes -m hmac-sha
# Ollama (aiopr, Ubuntu 22.04) — POC & inference CPU:
ssh ollama
.\scripts\ssh-ollama.ps1
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 root@10.100.1.26 -p 22
.\server-connection\scripts\ssh-ollama.ps1 -User geonet
ssh -i "$env:USERPROFILE\.ssh\id_rsa_geonet_laptop" -o IdentitiesOnly=yes -m hmac-sha1 geonet@10.100.1.26 -p 22
# Wajib PowerShell (bukan CMD) agar $env:USERPROFILE terbaca. Jangan pakai password — login key only.
# setup key geonet (sekali): type $env:USERPROFILE\.ssh\id_rsa_geonet_laptop.pub | ssh -m hmac-sha1 geonet@10.100.1.26 -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
# Key geonet: passwordless ✅ 2026-07-10 (user operasional)
# root@10.100.1.26 — belum upload key (opsional)
# NAS QNAP (TS-932X):
ssh -i "$env:USERPROFILE\.ssh\id_ed25519" -o IdentitiesOnly=yes admin@10.100.1.10 -p 22

7
server-audit/perintah.md

@ -1,4 +1,11 @@ @@ -1,4 +1,11 @@
# PERTANYAAN SYNC
## Sync terakhir: 2026-07-10 — SSH laptop setup (server-audit)
- SSOT SSH: `server-audit/docs/guide/ssh-access.md`
- reverse-proxy `.24` key-only verified; Mailcow `.28` + Main DB `.25` pending
- Versi: `server-audit` v0.1.1 — lihat `server-audit/docs/version.md`
```
1. Sinkronisasi Dokumentasi

169
server-audit/scripts/setup-ssh-ad-ldap.ps1

@ -0,0 +1,169 @@ @@ -0,0 +1,169 @@
# Setup SSH key — Administrator@10.100.1.40 (AD LDAP, Windows Server 2012 R2)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\server-audit\scripts\setup-ssh-ad-ldap.ps1
# Sekali jalan: password Administrator 1–2x (scp + ssh), lalu key-only.
# Wajib PowerShell (bukan CMD).
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.40'
$SshUser = 'Administrator'
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop'
$pub = "$key.pub"
$aliasName = 'ad-ldap'
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
# Pub key LF-only
$tempPub = Join-Path $env:TEMP 'geonet_ad_ldap_key.pub'
$keyLine = (Get-Content $pub -Raw).Trim() -replace "`r", ""
[System.IO.File]::WriteAllText($tempPub, $keyLine + "`n")
# Remote installer (Windows OpenSSH — Administrator)
# FORCE overwrite UTF-8 no BOM; tulis ke administrators_authorized_keys + profile fallback
$remotePs = @'
$ErrorActionPreference = "Stop"
$authFile = "C:\ProgramData\ssh\administrators_authorized_keys"
$userAuthDir = "C:\Users\Administrator\.ssh"
$userAuthFile = Join-Path $userAuthDir "authorized_keys"
$sshDir = "C:\ProgramData\ssh"
$sshdConfig = "C:\ProgramData\ssh\sshd_config"
$pubPath = Join-Path $env:TEMP "geonet_ad_ldap_key.pub"
if (-not (Test-Path $pubPath)) { throw "Missing $pubPath — scp failed?" }
$keyLine = [System.IO.File]::ReadAllText($pubPath).Trim() -replace "`r","" -replace "`0",""
if ($keyLine -notmatch "^ssh-") { throw "Invalid pubkey content" }
if (-not (Test-Path $sshDir)) { New-Item -ItemType Directory -Path $sshDir | Out-Null }
$utf8 = New-Object System.Text.UTF8Encoding $false
# FORCE overwrite — jangan merge file korup UTF-16 lama
[System.IO.File]::WriteAllText($authFile, $keyLine + "`n", $utf8)
Write-Host "FORCE wrote administrators_authorized_keys (UTF-8 no BOM)"
function Fix-AclAdminOnly([string]$path) {
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)
@($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow")))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow")))
Set-Acl -Path $path -AclObject $acl
}
Fix-AclAdminOnly $authFile
Write-Host "ACL ProgramData OK"
# Fallback: profile authorized_keys (jika Match Group di-comment)
if (-not (Test-Path $userAuthDir)) { New-Item -ItemType Directory -Path $userAuthDir | Out-Null }
[System.IO.File]::WriteAllText($userAuthFile, $keyLine + "`n", $utf8)
$uacl = Get-Acl $userAuthFile
$uacl.SetAccessRuleProtection($true, $false)
@($uacl.Access) | ForEach-Object { [void]$uacl.RemoveAccessRule($_) }
$uacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow")))
$uacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl","Allow")))
$uacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Administrator","FullControl","Allow")))
Set-Acl -Path $userAuthFile -AclObject $uacl
Write-Host "Wrote profile authorized_keys fallback"
if (Test-Path $sshdConfig) {
$cfg = Get-Content $sshdConfig -Raw
# Uncomment Match Group administrators if commented
$cfg = $cfg -replace "(?m)^#\s*Match Group administrators","Match Group administrators"
$cfg = $cfg -replace "(?m)^#\s*AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys"," AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys"
if ($cfg -match "(?m)^#?\s*PubkeyAuthentication\s+no") {
$cfg = $cfg -replace "(?m)^#?\s*PubkeyAuthentication\s+no","PubkeyAuthentication yes"
Write-Host "Enabled PubkeyAuthentication"
}
if ($cfg -notmatch "(?m)^\s*PubkeyAuthentication\s+yes") {
$cfg = "PubkeyAuthentication yes`r`n" + $cfg
Write-Host "Inserted PubkeyAuthentication yes"
}
# Allow ssh-rsa for older Win32-OpenSSH / mixed client
if ($cfg -notmatch "(?m)^\s*PubkeyAccepted") {
$cfg = $cfg.TrimEnd() + "`r`nPubkeyAcceptedKeyTypes ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa`r`n"
Write-Host "Added PubkeyAcceptedKeyTypes (+ssh-rsa)"
}
if ($cfg -notmatch "(?m)^\s*Match Group administrators") {
$cfg = $cfg.TrimEnd() + "`r`n`r`nMatch Group administrators`r`n AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys`r`n"
Write-Host "Added Match Group administrators block"
}
[System.IO.File]::WriteAllText($sshdConfig, $cfg, $utf8)
Write-Host "sshd_config updated"
}
Write-Host "--- diagnostics ---"
Write-Host ("auth bytes: " + (Get-Item $authFile).Length)
$bytes = [System.IO.File]::ReadAllBytes($authFile)
Write-Host ("first3: " + $bytes[0] + "," + $bytes[1] + "," + $bytes[2] + " (expect 115,115,104 = ssh)")
Select-String -Path $sshdConfig -Pattern "Match Group|AuthorizedKeysFile|PubkeyAuth|PubkeyAccepted" | ForEach-Object { $_.Line }
Get-Service sshd | Format-List Status, Name
Restart-Service sshd -Force
Start-Sleep -Seconds 2
Write-Host "KEY_INSTALLED_OK"
'@
$tempRemote = Join-Path $env:TEMP 'setup-ad-ldap-authorized-keys.ps1'
# Remote script must be CRLF-friendly for Windows PowerShell; keep as-is
[System.IO.File]::WriteAllText($tempRemote, $remotePs)
$commonOpts = @(
'-o', 'PreferredAuthentications=password',
'-o', 'PubkeyAuthentication=no',
'-o', 'StrictHostKeyChecking=accept-new',
'-o', 'MACs=hmac-sha1'
)
# scp: -P (port). ssh: -p (port) + -m hmac-sha1
$scpOpts = $commonOpts + @('-P', '22')
$sshOpts = $commonOpts + @('-m', 'hmac-sha1', '-p', '22')
Write-Host "Upload pub + installer ke ${SshUser}@${hostIp} (password)..."
scp @scpOpts $tempPub "${SshUser}@${hostIp}:C:/Users/Administrator/AppData/Local/Temp/geonet_ad_ldap_key.pub"
scp @scpOpts $tempRemote "${SshUser}@${hostIp}:C:/Users/Administrator/AppData/Local/Temp/setup-ad-ldap-authorized-keys.ps1"
Write-Host "Run installer on server..."
ssh @sshOpts "${SshUser}@${hostIp}" "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Users\Administrator\AppData\Local\Temp\setup-ad-ldap-authorized-keys.ps1"
Remove-Item $tempPub, $tempRemote -Force -ErrorAction SilentlyContinue
# Ensure local ssh config alias
$configPath = Join-Path $env:USERPROFILE '.ssh\config'
$block = @"
Host $aliasName
HostName $hostIp
User $SshUser
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
PubkeyAcceptedAlgorithms +ssh-rsa
"@
if (-not (Test-Path $configPath)) {
Set-Content -Path $configPath -Value $block.TrimStart() -Encoding UTF8
Write-Host "Created ~/.ssh/config with Host $aliasName"
} elseif (-not (Select-String -Path $configPath -Pattern "Host\s+$aliasName" -Quiet)) {
Add-Content -Path $configPath -Value $block
Write-Host "Appended Host $aliasName to ~/.ssh/config"
} else {
Write-Host "Host $aliasName already in ~/.ssh/config"
}
Write-Host ""
Write-Host "Test key-only..."
# Win2012 OpenSSH sering butuh ssh-rsa eksplisit dari client baru
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -o PubkeyAcceptedAlgorithms=+ssh-rsa -m hmac-sha1 "${SshUser}@${hostIp}" -p 22 "echo KEY_AUTH_OK & hostname"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal. Cek di server (password sekali):"
Write-Host " ssh -m hmac-sha1 ${SshUser}@${hostIp} -p 22 `"powershell -Command Get-Content C:\ProgramData\ssh\administrators_authorized_keys`""
Write-Host " Pastikan OpenSSH Server terpasang & sshd running."
Write-Host " Win2012 R2: Match Group administrators -> administrators_authorized_keys"
exit 1
}
Write-Host "Success. Login: ssh $aliasName"

33
server-audit/scripts/setup-ssh-mailcow.ps1

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Setup SSH key — root@10.100.1.28 (Mailcow VM, Ubuntu)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\server-audit\scripts\setup-ssh-mailcow.ps1
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.28'
$key = Join-Path $env:USERPROFILE '.ssh\id_ed25519_mailcow'
$pub = "$key.pub"
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t ed25519 -f $key -C 'geonet-mailcow' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
Write-Host "Upload public key ke root@${hostIp} (password 1x)..."
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Write-Host ""
Write-Host "Test key-only..."
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey "root@${hostIp}" -p 22 "echo KEY_AUTH_OK"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal — cek auth log (password sekali):"
Write-Host " ssh root@${hostIp} -p 22 `"grep sshd /var/log/auth.log | tail -20`""
exit 1
}
Write-Host "Success. Login: ssh mailcow"

33
server-audit/scripts/setup-ssh-main-db.ps1

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Setup SSH key — root@10.100.1.25 (main-db / PostgreSQL + SQL Server)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\server-audit\scripts\setup-ssh-main-db.ps1
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.25'
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop'
$pub = "$key.pub"
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
Write-Host "Upload public key ke root@${hostIp} (password 1x)..."
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Write-Host ""
Write-Host "Test key-only..."
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal — cek auth log (password sekali):"
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`""
exit 1
}
Write-Host "Success. Login: ssh main-db"

33
server-audit/scripts/setup-ssh-reverse-proxy.ps1

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Setup SSH key — root@10.100.1.24 (reverse-proxy / nginx + Docker)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\server-audit\scripts\setup-ssh-reverse-proxy.ps1
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.24'
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop'
$pub = "$key.pub"
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
Write-Host "Upload public key ke root@${hostIp} (password 1x)..."
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Write-Host ""
Write-Host "Test key-only..."
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal — cek auth log (password sekali):"
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`""
exit 1
}
Write-Host "Success. Login: ssh reverse-proxy"

43
server-audit/scripts/ssh-config.example

@ -0,0 +1,43 @@ @@ -0,0 +1,43 @@
# GeoNet infra — salin ke %USERPROFILE%\.ssh\config
# SSOT: server-audit/docs/guide/ssh-access.md
# Wajib PowerShell. MAC hmac-sha1 untuk RHEL/CentOS.
Host reverse-proxy
HostName 10.100.1.24
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host main-db
HostName 10.100.1.25
User root
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host ollama
HostName 10.100.1.26
User geonet
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
Host mailcow
HostName 10.100.1.28
User root
Port 22
IdentityFile ~/.ssh/id_ed25519_mailcow
IdentitiesOnly yes
Host ad-ldap
HostName 10.100.1.40
User Administrator
Port 22
IdentityFile ~/.ssh/id_rsa_geonet_laptop
IdentitiesOnly yes
MACs hmac-sha1
PubkeyAcceptedAlgorithms +ssh-rsa

33
server-connection/scripts/setup-ssh-main-db.ps1

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Setup SSH key — root@10.100.1.25 (main-db / PostgreSQL + SQL Server)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\server-connection\scripts\setup-ssh-main-db.ps1# Sekali jalan: minta password root 1x, lalu login key-only.
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.25'
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop'
$pub = "$key.pub"
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
Write-Host "Upload public key ke root@${hostIp} (password 1x)..."
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Write-Host ""
Write-Host "Test key-only..."
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal — cek auth log (password sekali):"
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`""
exit 1
}
Write-Host "Success. Login: ssh main-db"

33
server-connection/scripts/setup-ssh-reverse-proxy.ps1

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Setup SSH key — root@10.100.1.24 (reverse-proxy / nginx + Docker)
# SSOT: server-audit/docs/guide/ssh-access.md
# Usage: .\server-connection\scripts\setup-ssh-reverse-proxy.ps1# Sekali jalan: minta password root 1x, lalu login key-only.
$ErrorActionPreference = 'Stop'
$hostIp = '10.100.1.24'
$key = Join-Path $env:USERPROFILE '.ssh\id_rsa_geonet_laptop'
$pub = "$key.pub"
if (-not (Test-Path $pub)) {
Write-Host "Generating key $key ..."
ssh-keygen -t rsa -b 4096 -f $key -C 'geonet-laptop' -N '""'
}
Write-Host "Fixing private key ACL..."
icacls $key /inheritance:r 2>$null | Out-Null
icacls $key /grant:r "${env:USERNAME}:(R)" 2>$null | Out-Null
Write-Host "Upload public key ke root@${hostIp} (password 1x)..."
type $pub | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -m hmac-sha1 "root@${hostIp}" -p 22 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && echo KEY_INSTALLED_OK"
Write-Host ""
Write-Host "Test key-only..."
ssh -i $key -o BatchMode=yes -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -m hmac-sha1 "root@${hostIp}" -p 22 "echo KEY_AUTH_OK"
if ($LASTEXITCODE -ne 0) {
Write-Host ""
Write-Host "Masih gagal — cek auth log (password sekali):"
Write-Host " ssh -m hmac-sha1 root@${hostIp} -p 22 `"grep sshd /var/log/secure | tail -20`""
exit 1
}
Write-Host "Success. Login: ssh reverse-proxy"

19
server-connection/scripts/ssh-remote.ps1

@ -6,13 +6,18 @@ param( @@ -6,13 +6,18 @@ param(
[string]$Command = ""
)
$HostAddr = "10.100.1.24"
$SshPort = 22
$SshMac = "hmac-sha1"
$SshUser = "root"
$IdentityFile = Join-Path $env:USERPROFILE ".ssh\id_rsa_geonet_laptop"
$SshArgs = @(
"-i", $IdentityFile,
"-o", "IdentitiesOnly=yes",
"-m", "hmac-sha1",
"root@10.100.1.24",
"-p", "22"
)
if ($Command) {
ssh -o BatchMode=yes -m $SshMac "${SshUser}@${HostAddr}" -p $SshPort $Command
} else {
ssh -m $SshMac "${SshUser}@${HostAddr}" -p $SshPort
$SshArgs = @("-o", "BatchMode=yes") + $SshArgs
$SshArgs += $Command
}
ssh @SshArgs

Loading…
Cancel
Save