marco/webmoney
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c787077a39
webmoney/ROTEIRO_INSTALACAO_SERVIDOR.md
marco 54cccdd095 refactor: migração para desenvolvimento direto no servidor 
- Removido README.md padrão do Laravel (backend)
- Removidos scripts de deploy (não mais necessários)
- Atualizado copilot-instructions.md para novo fluxo
- Adicionada documentação de auditoria do servidor
- Sincronizado código de produção com repositório

Novo workflow:
- Trabalhamos diretamente em /root/webmoney (symlink para /var/www/webmoney)
- Mudanças PHP são instantâneas
- Mudanças React requerem 'npm run build'
- Commit após validação funcional
2025-12-19 11:45:32 +01:00

2634 lines
55 KiB
Markdown
Executable File
Raw Blame History

# 🚀 ROTEIRO DE INSTALAÇÃO DO SERVIDOR - WEBMoney/ConneXiFly
**Versão:** 2.0.0
**Data:** 7 de Dezembro de 2025
**Servidor:** 213.165.93.60
**Domínio:** cnxifly.com
**Senha Padrão:** `M@ster9354`
> ⚠️ **IMPORTANTE:** Este roteiro deve ser executado **COMANDO A COMANDO** manualmente.
> Não usar scripts automatizados. Verificar cada passo antes de prosseguir.
---
## 📦 VERSÕES INSTALADAS (Dezembro 2025)
| Software | Versão | Fonte |
|----------|--------|-------|
| Ubuntu Server | 24.04.3 LTS | ISO oficial |
| Nginx | 1.29.3 (mainline) | Repo oficial Nginx |
| PHP | 8.4.15 | PPA ondrej/php |
| MariaDB | 11.4.9 LTS | Repo oficial MariaDB |
| Node.js | 22.21.0 LTS | NodeSource |
| PM2 | 6.0.14 | npm |
| Redis | 7.0.15 | Repo Ubuntu |
| Postfix | 3.8.6 | Repo Ubuntu |
| Dovecot | 2.3.21 | Repo Ubuntu |
| OpenDKIM | 2.11.x | Repo Ubuntu |
| Certbot | 5.2.1 | Snap |
| Composer | 2.9.2 | getcomposer.org |
| PostfixAdmin | 3.3.x | GitHub |
| Roundcube | 1.6.11 | GitHub |
| phpMyAdmin | 5.2.x | Repo Ubuntu |
---
## 📋 ÍNDICE
1. [Pré-requisitos e Preparação](#1-pré-requisitos-e-preparação)
2. [Fase 1: Sistema Base](#2-fase-1-sistema-base-15-min)
3. [Fase 2: Firewall e Segurança](#3-fase-2-firewall-e-segurança-5-min)
4. [Fase 3: MariaDB 11.4 LTS](#4-fase-3-mariadb-114-lts-10-min)
5. [Fase 4: PHP 8.4](#5-fase-4-php-84-10-min)
6. [Fase 5: Nginx Mainline](#6-fase-5-nginx-mainline-10-min)
7. [Fase 6: SSL/Let's Encrypt](#7-fase-6-ssllets-encrypt-5-min)
8. [Fase 7: Postfix + Dovecot + OpenDKIM](#8-fase-7-postfix--dovecot--opendkim-25-min)
9. [Fase 8: PostfixAdmin + Roundcube + phpMyAdmin](#9-fase-8-postfixadmin--roundcube--phpmyadmin-20-min)
10. [Fase 9: Node.js 22 LTS](#10-fase-9-nodejs-22-lts-5-min)
11. [Fase 10: Deploy WEBMoney](#11-fase-10-deploy-webmoney-15-min)
12. [Fase 11: Otimização de Desempenho](#12-fase-11-otimização-de-desempenho-20-min)
13. [Fase 12: Validação Final](#13-fase-12-validação-final)
14. [Comandos de Verificação](#14-comandos-de-verificação)
15. [Referência Rápida](#15-referência-rápida)
---
## 1. PRÉ-REQUISITOS E PREPARAÇÃO
### Informações do Projeto
| Item | Valor |
|------|-------|
| IP do Servidor | 213.165.93.60 |
| IPv6 | 2001:ba0:268:ab00::1 |
| Domínio Principal | cnxifly.com |
| Subdomínios | webmoney, mail, webmail, phpmyadmin |
| Timezone | Europe/Madrid |
| Locale | es_ES.UTF-8 |
| Senha Única | M@ster9354 |
### Estrutura de Subdomínios Final
```
cnxifly.com → Redirect para webmoney
www.cnxifly.com → Redirect para webmoney
webmoney.cnxifly.com → Aplicação WEBMoney (Laravel+React)
mail.cnxifly.com → PostfixAdmin (admin email)
webmail.cnxifly.com → Roundcube (webmail usuários)
phpmyadmin.cnxifly.com → phpMyAdmin (admin BD)
```
### DNS Necessários (verificar antes de começar)
```bash
# No painel DNS do registrador (UI-DNS), garantir:
dig cnxifly.com A +short # → 213.165.93.60
dig mail.cnxifly.com A +short # → 213.165.93.60
dig webmoney.cnxifly.com A +short # → 213.165.93.60
dig webmail.cnxifly.com A +short # → 213.165.93.60
dig phpmyadmin.cnxifly.com A +short # → 213.165.93.60
dig cnxifly.com MX +short # → 10 mail.cnxifly.com
dig cnxifly.com TXT +short # → v=spf1 mx a ip4:213.165.93.60 -all
```
---
## 2. FASE 1: SISTEMA BASE (~15 min)
### 2.1 Conectar ao Servidor
```bash
ssh root@213.165.93.60
```
Senha: `Master9354`
### 2.2 Verificar Versão do Sistema
```bash
cat /etc/os-release
```
Deve mostrar: Ubuntu 24.04.x LTS
### 2.3 Atualizar Sistema Completamente
```bash
apt update
```
```bash
apt upgrade -y
```
```bash
apt dist-upgrade -y
```
```bash
apt autoremove -y
```
### 2.4 Instalar Pacotes Essenciais
```bash
apt install -y software-properties-common apt-transport-https ca-certificates curl wget gnupg lsb-release git unzip zip htop net-tools dnsutils vim nano
```
### 2.5 Configurar Timezone (CRÍTICO - FAZER PRIMEIRO)
```bash
timedatectl set-timezone Europe/Madrid
```
Verificar:
```bash
timedatectl
```
Deve mostrar: `Time zone: Europe/Madrid`
### 2.6 Configurar Locale UTF-8 (CRÍTICO - FAZER PRIMEIRO)
```bash
apt install -y locales
```
```bash
sed -i '/es_ES.UTF-8/s/^# //g' /etc/locale.gen
```
```bash
locale-gen es_ES.UTF-8
```
```bash
update-locale LANG=es_ES.UTF-8 LC_ALL=es_ES.UTF-8
```
Aplicar imediatamente na sessão atual:
```bash
export LANG=es_ES.UTF-8
export LC_ALL=es_ES.UTF-8
```
Verificar:
```bash
locale
```
### 2.7 Criar arquivo /etc/environment
```bash
cat > /etc/environment << 'EOF'
LANG=es_ES.UTF-8
LC_ALL=es_ES.UTF-8
LC_CTYPE=es_ES.UTF-8
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
EOF
```
### 2.8 Configurar Hostname
```bash
hostnamectl set-hostname mail.cnxifly.com
```
```bash
echo "213.165.93.60 mail.cnxifly.com mail" >> /etc/hosts
```
Verificar:
```bash
hostname -f
```
Deve mostrar: `mail.cnxifly.com`
### 2.9 Reiniciar para Aplicar Todas as Configurações
```bash
reboot
```
Aguardar 30 segundos e reconectar:
```bash
ssh root@213.165.93.60
```
---
## 3. FASE 2: FIREWALL E SEGURANÇA (~5 min)
### 3.1 Configurar UFW
```bash
apt install -y ufw
# Regras básicas
ufw default deny incoming
ufw default allow outgoing
# SSH
ufw allow 22/tcp
# HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp
# Email
ufw allow 25/tcp # SMTP
ufw allow 465/tcp # SMTPS
ufw allow 587/tcp # Submission
ufw allow 143/tcp # IMAP
ufw allow 993/tcp # IMAPS
# Ativar
ufw --force enable
ufw status verbose
```
### 3.2 Criar Usuário Admin (opcional mas recomendado)
```bash
adduser admin
# Senha: M@ster9354
usermod -aG sudo admin
```
---
## 4. FASE 3: MARIADB 11.4 LTS (~10 min)
### 4.1 Adicionar Repositório Oficial MariaDB 11.4
```bash
curl -fsSL https://mariadb.org/mariadb_release_signing_key.pgp | gpg --dearmor -o /usr/share/keyrings/mariadb-keyring.gpg
```
```bash
echo "deb [signed-by=/usr/share/keyrings/mariadb-keyring.gpg] https://dlm.mariadb.com/repo/mariadb-server/11.4/repo/ubuntu noble main" > /etc/apt/sources.list.d/mariadb.list
```
```bash
apt update
```
### 4.2 Instalar MariaDB 11.4
```bash
apt install -y mariadb-server mariadb-client
```
Verificar versão:
```bash
mariadb --version
```
Deve mostrar: `mariadb Ver 15.1 Distrib 11.4.x`
### 4.3 Habilitar e Iniciar
```bash
systemctl enable mariadb
```
```bash
systemctl start mariadb
```
```bash
systemctl status mariadb
```
### 4.4 Configurar Charset UTF-8 e Performance
```bash
cat > /etc/mysql/mariadb.conf.d/99-custom.cnf << 'EOF'
[mysqld]
# Charset
character-set-server = utf8mb4
collation-server = utf8mb4_unicode_ci
skip-character-set-client-handshake
# InnoDB Performance
innodb_buffer_pool_size = 256M
innodb_log_file_size = 64M
innodb_flush_log_at_trx_commit = 2
innodb_flush_method = O_DIRECT
# Query Cache (deprecated but still useful)
query_cache_type = 1
query_cache_size = 32M
query_cache_limit = 2M
# Connections
max_connections = 100
wait_timeout = 600
interactive_timeout = 600
# Temp tables
tmp_table_size = 64M
max_heap_table_size = 64M
# Logging
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
[client]
default-character-set = utf8mb4
[mysql]
default-character-set = utf8mb4
EOF
```
```bash
systemctl restart mariadb
```
### 4.5 Executar Segurança Inicial
```bash
mariadb-secure-installation
```
Responder:
- Enter current password for root: (pressionar Enter, está vazio)
- Switch to unix_socket authentication: **n**
- Change the root password: **Y** → Digite: `M@ster9354`
- Remove anonymous users: **Y**
- Disallow root login remotely: **Y**
- Remove test database: **Y**
- Reload privilege tables: **Y**
### 4.6 Criar Usuários e Bancos
```bash
mariadb -u root -p'M@ster9354'
```
Dentro do MariaDB, executar cada comando:
```sql
-- Usuário admin geral
CREATE USER 'admin'@'localhost' IDENTIFIED BY 'M@ster9354';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION;
-- Banco WEBMoney
CREATE DATABASE webmoney CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'webmoney'@'localhost' IDENTIFIED BY 'M@ster9354';
GRANT ALL PRIVILEGES ON webmoney.* TO 'webmoney'@'localhost';
-- Banco PostfixAdmin
CREATE DATABASE postfixadmin CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'postfixadmin'@'localhost' IDENTIFIED BY 'M@ster9354';
GRANT ALL PRIVILEGES ON postfixadmin.* TO 'postfixadmin'@'localhost';
-- Banco Roundcube
CREATE DATABASE roundcube CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'roundcube'@'localhost' IDENTIFIED BY 'M@ster9354';
GRANT ALL PRIVILEGES ON roundcube.* TO 'roundcube'@'localhost';
-- Banco phpMyAdmin
CREATE DATABASE phpmyadmin CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'phpmyadmin'@'localhost' IDENTIFIED BY 'M@ster9354';
GRANT ALL PRIVILEGES ON phpmyadmin.* TO 'phpmyadmin'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```
### 4.7 Verificar
```bash
mariadb -u admin -p'M@ster9354' -e "SHOW DATABASES;"
```
```bash
mariadb -u admin -p'M@ster9354' -e "SHOW VARIABLES LIKE 'character%';"
```
```bash
mariadb -u admin -p'M@ster9354' -e "SELECT VERSION();"
```
---
## 5. FASE 4: PHP 8.4 (~10 min)
### 5.1 Adicionar Repositório PHP (ondrej/php)
```bash
add-apt-repository -y ppa:ondrej/php
```
```bash
apt update
```
### 5.2 Instalar PHP 8.4 e Extensões
```bash
apt install -y php8.4-fpm php8.4-cli php8.4-common
```
```bash
apt install -y php8.4-mysql php8.4-pgsql php8.4-sqlite3
```
```bash
apt install -y php8.4-curl php8.4-gd php8.4-mbstring php8.4-xml php8.4-zip
```
```bash
apt install -y php8.4-bcmath php8.4-intl php8.4-soap php8.4-imap
```
```bash
apt install -y php8.4-ldap php8.4-imagick php8.4-redis php8.4-opcache
```
Verificar versão:
```bash
php -v
```
Deve mostrar: `PHP 8.4.x`
### 5.3 Configurar PHP-FPM (php.ini)
```bash
sed -i 's/;date.timezone =/date.timezone = Europe\/Madrid/' /etc/php/8.4/fpm/php.ini
```
```bash
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 64M/' /etc/php/8.4/fpm/php.ini
```
```bash
sed -i 's/post_max_size = 8M/post_max_size = 64M/' /etc/php/8.4/fpm/php.ini
```
```bash
sed -i 's/memory_limit = 128M/memory_limit = 256M/' /etc/php/8.4/fpm/php.ini
```
```bash
sed -i 's/max_execution_time = 30/max_execution_time = 300/' /etc/php/8.4/fpm/php.ini
```
```bash
sed -i 's/;max_input_vars = 1000/max_input_vars = 5000/' /etc/php/8.4/fpm/php.ini
```
### 5.4 Configurar PHP CLI
```bash
sed -i 's/;date.timezone =/date.timezone = Europe\/Madrid/' /etc/php/8.4/cli/php.ini
```
### 5.5 Configurar OPcache para Performance
```bash
cat > /etc/php/8.4/mods-available/opcache-custom.ini << 'EOF'
opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
opcache.revalidate_freq=2
opcache.save_comments=1
opcache.enable_cli=0
opcache.jit=1255
opcache.jit_buffer_size=128M
EOF
```
```bash
ln -sf /etc/php/8.4/mods-available/opcache-custom.ini /etc/php/8.4/fpm/conf.d/99-opcache-custom.ini
```
### 5.6 Configurar PHP-FPM Pool para Performance
```bash
sed -i 's/pm = dynamic/pm = ondemand/' /etc/php/8.4/fpm/pool.d/www.conf
```
```bash
sed -i 's/pm.max_children = 5/pm.max_children = 20/' /etc/php/8.4/fpm/pool.d/www.conf
```
```bash
sed -i 's/;pm.process_idle_timeout = 10s/pm.process_idle_timeout = 10s/' /etc/php/8.4/fpm/pool.d/www.conf
```
### 5.7 Habilitar e Reiniciar PHP-FPM
```bash
systemctl enable php8.4-fpm
```
```bash
systemctl restart php8.4-fpm
```
```bash
systemctl status php8.4-fpm
```
### 5.8 Instalar Composer (Última Versão)
```bash
curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
```
Verificar:
```bash
composer --version
```
Deve mostrar: `Composer version 2.8.x`
---
## 6. FASE 5: NGINX MAINLINE (~10 min)
### 6.1 Remover Nginx do Repo Ubuntu (se existir)
```bash
apt remove --purge -y nginx nginx-common nginx-full 2>/dev/null || true
```
### 6.2 Adicionar Repositório Oficial Nginx (Mainline)
```bash
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor -o /usr/share/keyrings/nginx-keyring.gpg
```
```bash
echo "deb [signed-by=/usr/share/keyrings/nginx-keyring.gpg] http://nginx.org/packages/mainline/ubuntu noble nginx" > /etc/apt/sources.list.d/nginx.list
```
```bash
apt update
```
### 6.3 Instalar Nginx Mainline
```bash
apt install -y nginx
```
Verificar versão:
```bash
nginx -v
```
Deve mostrar: `nginx version: nginx/1.27.x`
### 6.4 Criar Estrutura de Diretórios
```bash
mkdir -p /etc/nginx/sites-available
```
```bash
mkdir -p /etc/nginx/sites-enabled
```
```bash
mkdir -p /var/www/webmoney/public
```
```bash
mkdir -p /var/www/html
```
```bash
chown -R www-data:www-data /var/www
```
### 6.5 Configuração Base Nginx (Otimizada)
```bash
cat > /etc/nginx/nginx.conf << 'EOF'
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log warn;
events {
worker_connections 4096;
multi_accept on;
use epoll;
}
http {
# Basic
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 1000;
types_hash_max_size 2048;
server_tokens off;
# MIME
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Charset UTF-8
charset utf-8;
charset_types text/html text/xml text/plain text/css text/javascript application/json application/javascript;
# SSL Global Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Gzip Compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_min_length 256;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml;
# Buffers
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 64M;
large_client_header_buffers 4 32k;
# Timeouts
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
# FastCGI Cache
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=FASTCGI:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# Open File Cache
open_file_cache max=10000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# Logging
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log main;
# Rate Limiting
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Includes
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
EOF
```
### 6.6 Criar Diretório de Cache
```bash
mkdir -p /var/cache/nginx
```
```bash
chown -R www-data:www-data /var/cache/nginx
```
### 6.7 Criar Vhost Temporário (para Certbot)
```bash
cat > /etc/nginx/sites-available/temp-http.conf << 'EOF'
server {
listen 80;
listen [::]:80;
server_name cnxifly.com www.cnxifly.com webmoney.cnxifly.com mail.cnxifly.com webmail.cnxifly.com phpmyadmin.cnxifly.com;
root /var/www/html;
location /.well-known/acme-challenge/ {
root /var/www/html;
}
location / {
return 200 'Server ready for SSL';
add_header Content-Type text/plain;
}
}
EOF
```
```bash
ln -sf /etc/nginx/sites-available/temp-http.conf /etc/nginx/sites-enabled/
```
### 6.8 Testar e Iniciar Nginx
```bash
nginx -t
```
```bash
systemctl enable nginx
```
```bash
systemctl start nginx
```
```bash
systemctl status nginx
```
---
## 7. FASE 6: SSL/LET'S ENCRYPT (~5 min)
### 7.1 Instalar Certbot via Snap (Última Versão)
```bash
apt install -y snapd
```
```bash
snap install core
```
```bash
snap refresh core
```
```bash
snap install --classic certbot
```
```bash
ln -sf /snap/bin/certbot /usr/bin/certbot
```
Verificar versão:
```bash
certbot --version
```
### 7.2 Obter Certificado (todos os domínios)
```bash
certbot certonly --webroot -w /var/www/html \
-d cnxifly.com \
-d www.cnxifly.com \
-d webmoney.cnxifly.com \
-d mail.cnxifly.com \
-d webmail.cnxifly.com \
-d phpmyadmin.cnxifly.com \
--email admin@cnxifly.com \
--agree-tos \
--no-eff-email
```
### 7.3 Verificar Certificado
```bash
certbot certificates
```
### 7.4 Configurar Renovação Automática
```bash
systemctl enable snap.certbot.renew.timer
```
```bash
systemctl start snap.certbot.renew.timer
```
### 7.5 Testar Renovação
```bash
certbot renew --dry-run
```
### 7.6 Criar Hook para Reload do Nginx
```bash
cat > /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh << 'EOF'
#!/bin/bash
systemctl reload nginx
EOF
```
```bash
chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh
```
### 7.7 Remover Vhost Temporário
```bash
rm /etc/nginx/sites-enabled/temp-http.conf
```
---
## 8. FASE 7: POSTFIX + DOVECOT + OPENDKIM (~25 min)
### 8.1 Pré-configurar Postfix (evitar prompts)
```bash
debconf-set-selections <<< "postfix postfix/mailname string cnxifly.com"
```
```bash
debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
```
### 8.2 Instalar Postfix
```bash
apt install -y postfix postfix-mysql
```
Verificar versão:
```bash
postconf mail_version
```
### 8.3 Instalar Dovecot
```bash
apt install -y dovecot-core dovecot-imapd dovecot-lmtpd dovecot-mysql dovecot-pop3d
```
Verificar versão:
```bash
dovecot --version
```
### 8.4 Instalar OpenDKIM
```bash
apt install -y opendkim opendkim-tools
```
Verificar versão:
```bash
opendkim -V
```
### 8.5 Configurar OpenDKIM
Criar diretórios:
```bash
mkdir -p /etc/opendkim/keys/cnxifly.com
```
Gerar chaves DKIM (2048 bits):
```bash
opendkim-genkey -b 2048 -d cnxifly.com -D /etc/opendkim/keys/cnxifly.com -s default -v
```
Ajustar permissões:
```bash
chown -R opendkim:opendkim /etc/opendkim
```
```bash
chmod 600 /etc/opendkim/keys/cnxifly.com/default.private
```
Configurar opendkim.conf:
```bash
cat > /etc/opendkim.conf << 'EOF'
Syslog yes
SyslogSuccess yes
LogWhy yes
Canonicalization relaxed/simple
Mode sv
SubDomains no
OversignHeaders From
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
KeyTable /etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
UMask 007
UserID opendkim
EOF
```
Criar key.table:
```bash
cat > /etc/opendkim/key.table << 'EOF'
default._domainkey.cnxifly.com cnxifly.com:default:/etc/opendkim/keys/cnxifly.com/default.private
EOF
```
Criar signing.table:
```bash
cat > /etc/opendkim/signing.table << 'EOF'
*@cnxifly.com default._domainkey.cnxifly.com
EOF
```
Criar trusted.hosts:
```bash
cat > /etc/opendkim/trusted.hosts << 'EOF'
127.0.0.1
localhost
cnxifly.com
mail.cnxifly.com
EOF
```
Criar diretório do socket:
```bash
mkdir -p /var/spool/postfix/opendkim
```
```bash
chown opendkim:postfix /var/spool/postfix/opendkim
```
```bash
chmod 750 /var/spool/postfix/opendkim
```
```bash
usermod -aG opendkim postfix
```
Iniciar OpenDKIM:
```bash
systemctl enable opendkim
```
```bash
systemctl restart opendkim
```
```bash
systemctl status opendkim
```
### 8.6 Mostrar Chave DKIM para DNS
```bash
echo "============================================"
echo "ADICIONAR ESTE REGISTRO TXT NO DNS:"
echo "============================================"
echo "Nome: default._domainkey.cnxifly.com"
echo "Tipo: TXT"
echo "Valor:"
cat /etc/opendkim/keys/cnxifly.com/default.txt
echo "============================================"
```
> ⚠️ **IMPORTANTE:** Copie o conteúdo e adicione no painel DNS AGORA. A propagação pode levar até 24h.
### 8.7 Configurar Postfix main.cf
```bash
cat > /etc/postfix/main.cf << 'EOF'
# Basic
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 3.6
# Hostname
myhostname = mail.cnxifly.com
mydomain = cnxifly.com
myorigin = $mydomain
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# Virtual mailbox
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
# TLS Incoming
smtpd_tls_cert_file = /etc/letsencrypt/live/cnxifly.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/cnxifly.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# TLS Outgoing
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# SASL Auth
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
# Restrictions
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/var/spool/postfix/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
# Limits
mailbox_size_limit = 0
message_size_limit = 52428800
recipient_delimiter = +
# Queue
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
EOF
```
### 8.8 Configurar Postfix MySQL Maps
Criar mysql-virtual-mailbox-domains.cf:
```bash
cat > /etc/postfix/mysql-virtual-mailbox-domains.cf << 'EOF'
user = postfixadmin
password = M@ster9354
hosts = localhost
dbname = postfixadmin
query = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
EOF
```
Criar mysql-virtual-mailbox-maps.cf:
```bash
cat > /etc/postfix/mysql-virtual-mailbox-maps.cf << 'EOF'
user = postfixadmin
password = M@ster9354
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
EOF
```
Criar mysql-virtual-alias-maps.cf:
```bash
cat > /etc/postfix/mysql-virtual-alias-maps.cf << 'EOF'
user = postfixadmin
password = M@ster9354
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
EOF
```
Ajustar permissões:
```bash
chmod 640 /etc/postfix/mysql-*.cf
```
```bash
chown root:postfix /etc/postfix/mysql-*.cf
```
### 8.9 Configurar Postfix master.cf (submission/smtps)
```bash
cat >> /etc/postfix/master.cf << 'EOF'
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
EOF
```
### 8.10 Configurar Dovecot
Criar usuário e diretório de mail:
```bash
mkdir -p /var/mail/vhosts/cnxifly.com
```
```bash
groupadd -g 5000 vmail
```
```bash
useradd -g vmail -u 5000 vmail -d /var/mail/vhosts -s /usr/sbin/nologin
```
```bash
chown -R vmail:vmail /var/mail/vhosts
```
Configurar dovecot.conf:
```bash
cat > /etc/dovecot/dovecot.conf << 'EOF'
protocols = imap lmtp pop3
listen = *, ::
dict {
}
!include conf.d/*.conf
EOF
```
Configurar 10-auth.conf:
```bash
cat > /etc/dovecot/conf.d/10-auth.conf << 'EOF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-sql.conf.ext
EOF
```
Configurar 10-mail.conf:
```bash
cat > /etc/dovecot/conf.d/10-mail.conf << 'EOF'
mail_location = maildir:/var/mail/vhosts/%d/%n
mail_uid = vmail
mail_gid = vmail
mail_privileged_group = vmail
first_valid_uid = 5000
last_valid_uid = 5000
EOF
```
Configurar 10-master.conf:
```bash
cat > /etc/dovecot/conf.d/10-master.conf << 'EOF'
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
}
user = dovecot
}
service auth-worker {
user = vmail
}
service stats {
unix_listener stats-reader {
user = vmail
group = vmail
mode = 0660
}
unix_listener stats-writer {
user = vmail
group = vmail
mode = 0660
}
}
EOF
```
Configurar 10-ssl.conf:
```bash
cat > /etc/dovecot/conf.d/10-ssl.conf << 'EOF'
ssl = required
ssl_cert = </etc/letsencrypt/live/cnxifly.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/cnxifly.com/privkey.pem
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
EOF
```
Configurar auth-sql.conf.ext:
```bash
cat > /etc/dovecot/conf.d/auth-sql.conf.ext << 'EOF'
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
}
EOF
```
Configurar dovecot-sql.conf.ext:
```bash
cat > /etc/dovecot/dovecot-sql.conf.ext << 'EOF'
driver = mysql
connect = host=localhost dbname=postfixadmin user=postfixadmin password=M@ster9354
default_pass_scheme = SHA512-CRYPT
password_query = SELECT username AS user, password FROM mailbox WHERE username = '%u' AND active = '1'
user_query = SELECT CONCAT('/var/mail/vhosts/', maildir) AS home, 5000 AS uid, 5000 AS gid FROM mailbox WHERE username = '%u' AND active = '1'
iterate_query = SELECT username AS user FROM mailbox WHERE active = '1'
EOF
```
Ajustar permissões:
```bash
chmod 600 /etc/dovecot/dovecot-sql.conf.ext
```
```bash
chown root:root /etc/dovecot/dovecot-sql.conf.ext
```
Permitir www-data usar doveadm (para PostfixAdmin):
```bash
usermod -aG dovecot www-data
```
### 8.11 Iniciar Serviços de Email
```bash
systemctl enable dovecot
```
```bash
systemctl restart dovecot
```
```bash
systemctl status dovecot
```
```bash
systemctl restart postfix
```
```bash
systemctl status postfix
```
---
## 9. FASE 8: POSTFIXADMIN + ROUNDCUBE + PHPMYADMIN (~20 min)
### 9.1 Instalar PostfixAdmin
```bash
apt install -y postfixadmin
```
Durante a instalação, se aparecer prompt do dbconfig:
- Configure database: **Yes**
- Database type: **mysql**
- Password: **M@ster9354**
Criar link simbólico:
```bash
ln -sf /usr/share/postfixadmin/public /var/www/postfixadmin
```
### 9.2 Configurar PostfixAdmin
Gerar hash da senha de setup:
```bash
SETUP_HASH=$(php -r "echo password_hash('M@ster9354', PASSWORD_BCRYPT);")
echo $SETUP_HASH
```
Criar config.local.php:
```bash
cat > /etc/postfixadmin/config.local.php << 'EOFPHP'
<?php
$CONF['configured'] = true;
$CONF['database_type'] = 'mysqli';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'postfixadmin';
$CONF['database_password'] = 'M@ster9354';
$CONF['database_name'] = 'postfixadmin';
$CONF['admin_email'] = 'admin@cnxifly.com';
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['dovecotpw'] = '/usr/bin/doveadm pw';
$CONF['default_aliases'] = array(
'abuse' => 'admin@cnxifly.com',
'hostmaster' => 'admin@cnxifly.com',
'postmaster' => 'admin@cnxifly.com',
'webmaster' => 'admin@cnxifly.com'
);
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['forgotten_admin_password_reset'] = false;
$CONF['alias_domain'] = 'YES';
$CONF['password_validation'] = array(
'/^.{8,}$/' => 'password_too_short 8'
);
$CONF['default_language'] = 'es';
EOFPHP
```
Agora adicionar o hash de setup (copie o valor de $SETUP_HASH):
```bash
echo "\$CONF['setup_password'] = '$(php -r "echo password_hash('M@ster9354', PASSWORD_BCRYPT);")'; " >> /etc/postfixadmin/config.local.php
```
Ajustar permissões:
```bash
chown root:www-data /etc/postfixadmin/config.local.php
```
```bash
chmod 640 /etc/postfixadmin/config.local.php
```
### 9.3 Instalar Roundcube
```bash
apt install -y roundcube roundcube-mysql roundcube-plugins
```
Durante a instalação, se aparecer prompt do dbconfig:
- Configure database: **Yes**
- Database type: **mysql**
- Password: **M@ster9354**
### 9.4 Configurar Roundcube
Gerar chave aleatória:
```bash
DES_KEY=$(openssl rand -base64 24)
echo "DES_KEY gerada: $DES_KEY"
```
Criar configuração (substituir DES_KEY pelo valor gerado):
```bash
cat > /etc/roundcube/config.inc.php << 'EOF'
<?php
$config = array();
// Database
$config['db_dsnw'] = 'mysql://roundcube:M@ster9354@localhost/roundcube';
// IMAP
$config['default_host'] = 'localhost';
$config['default_port'] = 143;
$config['imap_auth_type'] = 'PLAIN';
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
),
);
// SMTP
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'PLAIN';
$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
),
);
// General
$config['product_name'] = 'WEBMoney Mail';
$config['skin'] = 'elastic';
$config['language'] = 'es_ES';
$config['timezone'] = 'Europe/Madrid';
// Plugins
$config['plugins'] = array(
'archive',
'zipdownload',
'password',
);
// Misc
$config['draft_autosave'] = 60;
$config['enable_spellcheck'] = false;
$config['mail_pagesize'] = 50;
$config['addressbook_pagesize'] = 50;
EOF
```
Adicionar DES_KEY (substitua pelo valor gerado):
```bash
echo "\$config['des_key'] = '$(openssl rand -base64 24)';" >> /etc/roundcube/config.inc.php
```
Ajustar permissões:
```bash
chown root:www-data /etc/roundcube/config.inc.php
```
```bash
chmod 640 /etc/roundcube/config.inc.php
```
### 9.5 Instalar phpMyAdmin
Pré-configurar para evitar prompts:
```bash
debconf-set-selections <<< "phpmyadmin phpmyadmin/dbconfig-install boolean true"
```
```bash
debconf-set-selections <<< "phpmyadmin phpmyadmin/mysql/admin-pass password M@ster9354"
```
```bash
debconf-set-selections <<< "phpmyadmin phpmyadmin/mysql/app-pass password M@ster9354"
```
```bash
debconf-set-selections <<< "phpmyadmin phpmyadmin/reconfigure-webserver multiselect none"
```
```bash
apt install -y phpmyadmin
```
### 9.6 Configurar phpMyAdmin
Gerar blowfish_secret:
```bash
BLOWFISH=$(openssl rand -base64 32)
echo "Blowfish Secret: $BLOWFISH"
```
Criar configuração:
```bash
cat > /etc/phpmyadmin/config.inc.php << 'EOF'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['compress'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;
$cfg['Servers'][$i]['controlhost'] = 'localhost';
$cfg['Servers'][$i]['controluser'] = 'phpmyadmin';
$cfg['Servers'][$i]['controlpass'] = 'M@ster9354';
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
$cfg['UploadDir'] = '';
$cfg['SaveDir'] = '';
$cfg['TempDir'] = '/tmp';
EOF
```
Adicionar blowfish_secret (substitua pelo valor gerado):
```bash
echo "\$cfg['blowfish_secret'] = '$(openssl rand -base64 32)';" >> /etc/phpmyadmin/config.inc.php
```
Importar tabelas de controle:
```bash
mysql -u phpmyadmin -p'M@ster9354' phpmyadmin < /usr/share/phpmyadmin/sql/create_tables.sql 2>/dev/null || true
```
### 9.7 Criar Vhosts Nginx Finais
**webmoney.cnxifly.com (Aplicação principal):**
```bash
cat > /etc/nginx/sites-available/webmoney.cnxifly.com << 'EOF'
server {
listen 80;
listen [::]:80;
server_name webmoney.cnxifly.com cnxifly.com www.cnxifly.com;
return 301 https://webmoney.cnxifly.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name webmoney.cnxifly.com cnxifly.com www.cnxifly.com;
root /var/www/webmoney/public;
index index.php index.html;
ssl_certificate /etc/letsencrypt/live/cnxifly.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cnxifly.com/privkey.pem;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_hide_header X-Powered-By;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
EOF
```
**mail.cnxifly.com (PostfixAdmin):**
```bash
cat > /etc/nginx/sites-available/mail.cnxifly.com << 'EOF'
server {
listen 80;
listen [::]:80;
server_name mail.cnxifly.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mail.cnxifly.com;
root /usr/share/postfixadmin/public;
index index.php;
ssl_certificate /etc/letsencrypt/live/cnxifly.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cnxifly.com/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
EOF
```
**webmail.cnxifly.com (Roundcube):**
```bash
cat > /etc/nginx/sites-available/webmail.cnxifly.com << 'EOF'
server {
listen 80;
listen [::]:80;
server_name webmail.cnxifly.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name webmail.cnxifly.com;
root /usr/share/roundcube;
index index.php;
ssl_certificate /etc/letsencrypt/live/cnxifly.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cnxifly.com/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
location ~ ^/(config|temp|logs)/ {
deny all;
}
}
EOF
```
**phpmyadmin.cnxifly.com:**
```bash
cat > /etc/nginx/sites-available/phpmyadmin.cnxifly.com << 'EOF'
server {
listen 80;
listen [::]:80;
server_name phpmyadmin.cnxifly.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name phpmyadmin.cnxifly.com;
root /usr/share/phpmyadmin;
index index.php;
ssl_certificate /etc/letsencrypt/live/cnxifly.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cnxifly.com/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
fastcgi_pass unix:/run/php/php8.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
}
location ~ /\.(?!well-known).* {
deny all;
}
}
EOF
```
### 9.8 Ativar Sites Nginx
```bash
ln -sf /etc/nginx/sites-available/webmoney.cnxifly.com /etc/nginx/sites-enabled/
```
```bash
ln -sf /etc/nginx/sites-available/mail.cnxifly.com /etc/nginx/sites-enabled/
```
```bash
ln -sf /etc/nginx/sites-available/webmail.cnxifly.com /etc/nginx/sites-enabled/
```
```bash
ln -sf /etc/nginx/sites-available/phpmyadmin.cnxifly.com /etc/nginx/sites-enabled/
```
Testar e recarregar Nginx:
```bash
nginx -t
```
```bash
systemctl reload nginx
```
### 9.9 Criar Admin PostfixAdmin
Primeiro, acessar setup.php para criar tabelas:
```bash
curl -s https://mail.cnxifly.com/setup.php > /dev/null
```
Criar admin via SQL (mais confiável):
```bash
ADMIN_HASH=$(doveadm pw -s SHA512-CRYPT -p 'M@ster9354')
echo "Hash gerado: $ADMIN_HASH"
```
```bash
mysql -u postfixadmin -p'M@ster9354' postfixadmin << EOSQL
INSERT INTO admin (username, password, superadmin, created, modified, active)
VALUES ('admin@cnxifly.com', '$(doveadm pw -s SHA512-CRYPT -p "M@ster9354")', 1, NOW(), NOW(), 1)
ON DUPLICATE KEY UPDATE password='$(doveadm pw -s SHA512-CRYPT -p "M@ster9354")', active=1;
EOSQL
```
Desativar setup.php por segurança:
```bash
mv /usr/share/postfixadmin/public/setup.php /usr/share/postfixadmin/public/setup.php.disabled 2>/dev/null || true
```
---
## 10. FASE 9: NODE.JS 22 LTS + DEPLOY WEBMONEY (~15 min)
### 10.1 Instalar Node.js 22 LTS (Última Versão LTS)
Adicionar repositório oficial NodeSource:
```bash
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
```
Instalar Node.js:
```bash
apt install -y nodejs
```
Verificar versões:
```bash
node --version
```
Deve mostrar: `v22.x.x`
```bash
npm --version
```
### 10.2 Preparar Estrutura de Diretórios
```bash
mkdir -p /var/www/webmoney/public
```
```bash
mkdir -p /var/www/webmoney/storage/logs
```
```bash
mkdir -p /var/www/webmoney/storage/framework/{sessions,views,cache}
```
```bash
mkdir -p /var/www/webmoney/bootstrap/cache
```
```bash
chown -R www-data:www-data /var/www/webmoney
```
### 10.3 Deploy Backend (Laravel)
**Na máquina de desenvolvimento:**
Criar .env.production:
```bash
cd /workspaces/webmoney/backend
```
```bash
cat > .env.production << 'EOF'
APP_NAME=WEBMoney
APP_ENV=production
APP_KEY=
APP_DEBUG=false
APP_TIMEZONE=Europe/Madrid
APP_URL=https://webmoney.cnxifly.com
DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=webmoney
DB_USERNAME=webmoney
DB_PASSWORD=M@ster9354
MAIL_MAILER=smtp
MAIL_HOST=localhost
MAIL_PORT=587
MAIL_USERNAME=no-reply@cnxifly.com
MAIL_PASSWORD=M@ster9354
MAIL_ENCRYPTION=tls
MAIL_FROM_ADDRESS=no-reply@cnxifly.com
MAIL_FROM_NAME="${APP_NAME}"
EOF
```
Enviar arquivos para o servidor:
```bash
rsync -avz --exclude='.git' --exclude='node_modules' --exclude='vendor' \
./ root@213.165.93.60:/var/www/webmoney/
```
**No servidor (via SSH):**
```bash
ssh root@213.165.93.60
```
```bash
cd /var/www/webmoney
```
```bash
cp .env.production .env
```
```bash
composer install --no-dev --optimize-autoloader
```
```bash
php artisan key:generate
```
```bash
php artisan migrate --force
```
```bash
php artisan config:cache
```
```bash
php artisan route:cache
```
```bash
php artisan view:cache
```
```bash
chown -R www-data:www-data /var/www/webmoney
```
```bash
chmod -R 755 /var/www/webmoney
```
```bash
chmod -R 775 /var/www/webmoney/storage
```
```bash
chmod -R 775 /var/www/webmoney/bootstrap/cache
```
### 10.4 Deploy Frontend (React + Vite)
**Na máquina de desenvolvimento:**
```bash
cd /workspaces/webmoney/frontend
```
```bash
npm install
```
```bash
npm run build
```
Enviar build para o servidor:
```bash
rsync -avz ./dist/ root@213.165.93.60:/var/www/webmoney/public/
```
**No servidor:**
```bash
chown -R www-data:www-data /var/www/webmoney/public
```
---
## 11. FASE 10: VALIDAÇÃO FINAL (~5 min)
### 11.1 Criar Domínio e Mailbox no PostfixAdmin
Acessar PostfixAdmin:
```
URL: https://mail.cnxifly.com/login.php
Login: admin@cnxifly.com
Senha: M@ster9354
```
1. **Criar Domínio:**
- Menu: "Lista de Domínios" → "Novo Domínio"
- Domínio: `cnxifly.com`
- Caixas de Correio: 100
- Aliases: 100
- Guardar
2. **Criar Mailboxes:**
- Menu: "Lista Virtual" → "Adicionar Caixa de Correio"
- `admin@cnxifly.com` / M@ster9354
- `no-reply@cnxifly.com` / M@ster9354
- `support@cnxifly.com` / M@ster9354
### 11.2 Testar Envio de Email
```bash
echo "Teste de email do servidor" | mail -s "Teste SMTP $(date)" admin@cnxifly.com
```
### 11.3 Verificar Status dos Serviços
```bash
systemctl status nginx
```
```bash
systemctl status php8.4-fpm
```
```bash
systemctl status mariadb
```
```bash
systemctl status postfix
```
```bash
systemctl status dovecot
```
```bash
systemctl status opendkim
```
### 11.4 Testar Configurações
```bash
nginx -t
```
```bash
postfix check
```
```bash
doveconf -n | head -20
```
### 11.5 Verificar Portas Abertas
```bash
ss -tlnp | grep -E ':(22|25|80|143|443|465|587|993)'
```
### 11.6 Testar DKIM
```bash
opendkim-testkey -d cnxifly.com -s default -vvv
```
### 11.7 Verificar DNS
```bash
dig cnxifly.com MX +short
```
```bash
dig cnxifly.com TXT +short
```
```bash
dig default._domainkey.cnxifly.com TXT +short
```
```bash
dig _dmarc.cnxifly.com TXT +short
```
### 11.8 Checklist Final
| Verificação | Status |
|-------------|--------|
| https://webmoney.cnxifly.com carrega | [ ] |
| https://mail.cnxifly.com login funciona | [ ] |
| https://webmail.cnxifly.com login funciona | [ ] |
| https://phpmyadmin.cnxifly.com login funciona | [ ] |
| SSL válido em todos os subdomínios | [ ] |
| Email enviado chega no inbox (não spam) | [ ] |
| DKIM/SPF/DMARC pass | [ ] |
---
## 12. FASE 11: OTIMIZAÇÃO DE DESEMPENHO 🚀 (~20 min)
Esta é a fase final de otimização para máximo desempenho do servidor.
### 12.1 Otimização do Kernel (sysctl.conf)
```bash
cat >> /etc/sysctl.conf << 'EOF'
# ============================================
# WEBMONEY SERVER PERFORMANCE TUNING
# ============================================
# Network Performance
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# TCP Buffer Sizes
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 262144 16777216
net.ipv4.tcp_wmem = 4096 262144 16777216
# Enable TCP Fast Open
net.ipv4.tcp_fastopen = 3
# File Descriptors
fs.file-max = 2097152
fs.nr_open = 2097152
# Virtual Memory
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 5
# Security (já ativo por padrão mas bom garantir)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
```
Aplicar configurações:
```bash
sysctl -p
```
### 12.2 Aumentar Limites de Arquivos Abertos
```bash
cat >> /etc/security/limits.conf << 'EOF'
# WEBMONEY Performance Limits
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
www-data soft nofile 65535
www-data hard nofile 65535
mysql soft nofile 65535
mysql hard nofile 65535
EOF
```
### 12.3 Otimização do PHP-FPM (Pool Dedicado)
Criar pool otimizado para produção:
```bash
cat > /etc/php/8.4/fpm/pool.d/webmoney.conf << 'EOF'
[webmoney]
user = www-data
group = www-data
listen = /run/php/php8.4-fpm-webmoney.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
; Process Manager - ondemand para economia de recursos
pm = ondemand
pm.max_children = 50
pm.process_idle_timeout = 10s
pm.max_requests = 500
; Status e Logs
pm.status_path = /status
ping.path = /ping
ping.response = pong
; Slow log para debug
slowlog = /var/log/php8.4-fpm-webmoney-slow.log
request_slowlog_timeout = 5s
; Limites
request_terminate_timeout = 300s
rlimit_files = 65535
rlimit_core = 0
; Environment
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; PHP Settings
php_admin_value[error_log] = /var/log/php8.4-fpm-webmoney-error.log
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 256M
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/sessions
EOF
```
### 12.4 Otimização Avançada do OPcache
```bash
cat > /etc/php/8.4/mods-available/opcache-production.ini << 'EOF'
; OPcache Production Settings
opcache.enable=1
opcache.enable_cli=0
opcache.memory_consumption=256
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=20000
opcache.max_wasted_percentage=10
opcache.revalidate_freq=0
opcache.validate_timestamps=0
opcache.save_comments=1
opcache.fast_shutdown=1
opcache.file_cache=/tmp/opcache
opcache.file_cache_only=0
opcache.file_cache_consistency_checks=1
; JIT (PHP 8+)
opcache.jit=1255
opcache.jit_buffer_size=256M
EOF
```
Criar diretório de cache:
```bash
mkdir -p /tmp/opcache
```
```bash
chown www-data:www-data /tmp/opcache
```
Ativar configuração:
```bash
rm -f /etc/php/8.4/fpm/conf.d/99-opcache-custom.ini
```
```bash
ln -sf /etc/php/8.4/mods-available/opcache-production.ini /etc/php/8.4/fpm/conf.d/99-opcache-production.ini
```
### 12.5 Otimização do MariaDB
```bash
cat > /etc/mysql/mariadb.conf.d/99-performance.cnf << 'EOF'
[mysqld]
# InnoDB Settings
innodb_buffer_pool_size = 512M
innodb_buffer_pool_instances = 4
innodb_log_file_size = 128M
innodb_log_buffer_size = 16M
innodb_flush_log_at_trx_commit = 2
innodb_flush_method = O_DIRECT
innodb_file_per_table = 1
innodb_io_capacity = 2000
innodb_io_capacity_max = 4000
innodb_read_io_threads = 4
innodb_write_io_threads = 4
# Query Cache (deprecated in MySQL 8, still works in MariaDB)
query_cache_type = 1
query_cache_size = 64M
query_cache_limit = 2M
# Connections
max_connections = 200
max_connect_errors = 100000
wait_timeout = 600
interactive_timeout = 600
# Buffers
join_buffer_size = 4M
sort_buffer_size = 4M
read_buffer_size = 2M
read_rnd_buffer_size = 2M
# Table Cache
table_open_cache = 4000
table_definition_cache = 2000
# Temp Tables
tmp_table_size = 64M
max_heap_table_size = 64M
# Binary Log (para replicação futura)
# log_bin = mysql-bin
# binlog_format = ROW
# expire_logs_days = 7
# Slow Query Log
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
# Thread Pool
thread_handling = pool-of-threads
thread_pool_size = 4
EOF
```
### 12.6 Otimização do Nginx (Produção)
Atualizar nginx.conf com configurações de produção:
```bash
cat > /etc/nginx/conf.d/performance.conf << 'EOF'
# Additional Performance Settings
# Proxy Cache
proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=PROXY:10m inactive=60m max_size=1g;
# Static File Caching
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css 1M;
application/javascript 1M;
~image/ 1M;
~font/ 1M;
application/font-woff 1M;
application/font-woff2 1M;
}
# Brotli Compression (se disponível)
# brotli on;
# brotli_comp_level 6;
# brotli_types text/plain text/css application/json application/javascript text/xml application/xml;
EOF
```
Criar diretório de cache do proxy:
```bash
mkdir -p /var/cache/nginx/proxy
```
```bash
chown -R www-data:www-data /var/cache/nginx
```
### 12.7 Configurar Cache de Sessão PHP com Arquivos
```bash
mkdir -p /var/lib/php/sessions
```
```bash
chown -R www-data:www-data /var/lib/php/sessions
```
```bash
chmod 1733 /var/lib/php/sessions
```
### 12.8 Instalar e Configurar Redis (Cache Opcional)
Instalar Redis:
```bash
apt install -y redis-server
```
Configurar Redis:
```bash
sed -i 's/^# maxmemory .*/maxmemory 128mb/' /etc/redis/redis.conf
```
```bash
sed -i 's/^# maxmemory-policy .*/maxmemory-policy allkeys-lru/' /etc/redis/redis.conf
```
Habilitar e iniciar:
```bash
systemctl enable redis-server
```
```bash
systemctl start redis-server
```
Verificar:
```bash
redis-cli ping
```
Deve retornar: `PONG`
### 12.9 Atualizar Vhosts para Usar Pool Dedicado
Atualizar webmoney.cnxifly.com para usar o novo pool:
```bash
sed -i 's|php8.4-fpm.sock|php8.4-fpm-webmoney.sock|g' /etc/nginx/sites-available/webmoney.cnxifly.com
```
### 12.10 Reiniciar Todos os Serviços
```bash
systemctl restart php8.4-fpm
```
```bash
systemctl restart mariadb
```
```bash
systemctl restart nginx
```
```bash
systemctl restart redis-server
```
### 12.11 Verificar Otimizações
Verificar OPcache:
```bash
php -i | grep -i opcache
```
Verificar limites de arquivo:
```bash
ulimit -n
```
Verificar conexões MariaDB:
```bash
mysql -u root -p'M@ster9354' -e "SHOW VARIABLES LIKE 'max_connections';"
```
Verificar buffer pool:
```bash
mysql -u root -p'M@ster9354' -e "SHOW VARIABLES LIKE 'innodb_buffer_pool_size';"
```
### 12.12 Benchmark Simples
Testar resposta do servidor:
```bash
curl -w "@-" -o /dev/null -s "https://webmoney.cnxifly.com" << 'EOF'
time_namelookup: %{time_namelookup}s\n
time_connect: %{time_connect}s\n
time_appconnect: %{time_appconnect}s\n
time_pretransfer: %{time_pretransfer}s\n
time_redirect: %{time_redirect}s\n
time_starttransfer: %{time_starttransfer}s\n
----------\n
time_total: %{time_total}s\n
EOF
```
---
## 13. COMANDOS DE VERIFICAÇÃO E MONITORAMENTO
### Status dos Serviços
```bash
systemctl status nginx php8.4-fpm mariadb postfix dovecot opendkim redis-server
```
### Testar Configurações
```bash
nginx -t
```
```bash
postfix check
```
```bash
doveconf -n
```
### Verificar Portas
```bash
ss -tlnp | grep -E ':(22|25|80|143|443|465|587|993|6379)'
```
### Testar DKIM
```bash
opendkim-testkey -d cnxifly.com -s default -vvv
```
### Verificar DNS
```bash
dig cnxifly.com MX +short
```
```bash
dig cnxifly.com TXT +short
```
```bash
dig default._domainkey.cnxifly.com TXT +short
```
```bash
dig _dmarc.cnxifly.com TXT +short
```
### Monitorar Logs em Tempo Real
```bash
tail -f /var/log/nginx/error.log
```
```bash
tail -f /var/log/mail.log
```
```bash
tail -f /var/log/php8.4-fpm-webmoney-error.log
```
```bash
tail -f /var/log/mysql/slow.log
```
### Testar Email via Terminal
```bash
echo "Teste de configuração SMTP" | mail -s "Teste SMTP" admin@cnxifly.com
```
### Verificar Uso de Recursos
```bash
htop
```
```bash
free -h
```
```bash
df -h
```
---
## 14. REFERÊNCIA RÁPIDA
### Credenciais Unificadas
| Serviço | Usuário | Senha |
|---------|---------|-------|
| SSH root | root | Master9354 |
| SSH admin | admin | M@ster9354 |
| MariaDB root | root | M@ster9354 |
| MariaDB admin | admin | M@ster9354 |
| PostfixAdmin | admin@cnxifly.com | M@ster9354 |
| phpMyAdmin | admin | M@ster9354 |
| Email (criar) | admin@cnxifly.com | M@ster9354 |
### URLs Finais
| Serviço | URL |
|---------|-----|
| WEBMoney App | https://webmoney.cnxifly.com |
| PostfixAdmin | https://mail.cnxifly.com |
| Roundcube | https://webmail.cnxifly.com |
| phpMyAdmin | https://phpmyadmin.cnxifly.com |
| API | https://webmoney.cnxifly.com/api |
### Arquivos de Configuração Importantes
| Arquivo | Propósito |
|---------|-----------|
| /etc/nginx/nginx.conf | Nginx principal |
| /etc/nginx/sites-available/* | Vhosts Nginx |
| /etc/php/8.4/fpm/pool.d/webmoney.conf | PHP-FPM Pool |
| /etc/php/8.4/mods-available/opcache-production.ini | OPcache |
| /etc/mysql/mariadb.conf.d/99-performance.cnf | MariaDB tuning |
| /etc/postfix/main.cf | Postfix config |
| /etc/dovecot/dovecot.conf | Dovecot config |
| /etc/opendkim.conf | DKIM config |
| /etc/postfixadmin/config.local.php | PostfixAdmin |
| /etc/roundcube/config.inc.php | Roundcube |
| /var/www/webmoney/.env | Laravel env |
### Versões Instaladas
| Software | Versão |
|----------|--------|
| Ubuntu | 24.04 LTS |
| PHP | 8.4.x |
| MariaDB | 11.4 LTS |
| Nginx | 1.27.x (Mainline) |
| Node.js | 22.x LTS |
| Composer | 2.8.x |
| Postfix | 3.9.x |
| Dovecot | 2.3.x |
| Redis | 7.x |
### Registro DNS DKIM (adicionar no painel)
```
Nome: default._domainkey.cnxifly.com
Tipo: TXT
Valor: [Usar o conteúdo de /etc/opendkim/keys/cnxifly.com/default.txt]
```
### Registro DNS DMARC (adicionar no painel)
```
Nome: _dmarc.cnxifly.com
Tipo: TXT
Valor: v=DMARC1; p=quarantine; rua=mailto:postmaster@cnxifly.com; ruf=mailto:postmaster@cnxifly.com; fo=1; sp=quarantine; adkim=s; aspf=s; pct=100
```
### Registro DNS SPF (adicionar no painel)
```
Nome: cnxifly.com (ou @)
Tipo: TXT
Valor: v=spf1 mx a ip4:213.165.93.60 -all
```
---
## 15. TROUBLESHOOTING COMUM
### Nginx não inicia
```bash
nginx -t
journalctl -xeu nginx
```
### PHP-FPM erro de socket
```bash
ls -la /run/php/
systemctl restart php8.4-fpm
```
### MariaDB não aceita conexão
```bash
systemctl status mariadb
journalctl -xeu mariadb
mysql -u root -p'M@ster9354' -e "SELECT 1;"
```
### Email não enviado
```bash
tail -50 /var/log/mail.log
postqueue -p
postfix check
```
### Dovecot não autentica
```bash
doveconf -n | grep auth
tail -50 /var/log/mail.log | grep dovecot
```
### SSL não funciona
```bash
certbot certificates
nginx -t
openssl s_client -connect webmoney.cnxifly.com:443 -servername webmoney.cnxifly.com
```
### Laravel erro 500
```bash
tail -50 /var/www/webmoney/storage/logs/laravel.log
php artisan config:clear
php artisan cache:clear
chown -R www-data:www-data /var/www/webmoney/storage
```
---
**Tempo Total Estimado:** ~120 minutos (com otimização de desempenho)
**Autor:** GitHub Copilot
**Data:** 7 de Dezembro de 2025
**Versão:** 2.0.0 - Manual Completo com Otimização
Reference in New Issue View Git Blame Copy Permalink