raijin-server 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

raijin_server/modules/bootstrap.py

@@ -1,6 +1,7 @@
 """Instalacao automatica de ferramentas necessarias para o raijin-server."""
 
 import shutil
+import platform
 from pathlib import Path
 
 import typer
@@ -8,6 +9,35 @@ import typer
 from raijin_server.utils import ExecutionContext, apt_install, apt_update, require_root, run_cmd, write_file
 
 
+def _kernel_headers_present() -> bool:
+    """Verifica se os headers do kernel atual estao presentes."""
+
+    release = platform.uname().release
+    return Path(f"/lib/modules/{release}/build").exists()
+
+
+def _ensure_kernel_headers(ctx: ExecutionContext) -> None:
+    """Instala headers do kernel se ausentes; falha de forma clara se nao encontrar."""
+
+    if _kernel_headers_present():
+        return
+
+    release = platform.uname().release
+    header_pkg = f"linux-headers-{release}"
+    typer.secho(
+        f"Headers do kernel {release} nao encontrados. Instalando {header_pkg}...",
+        fg=typer.colors.YELLOW,
+    )
+    apt_install([header_pkg], ctx)
+
+    if not _kernel_headers_present():
+        typer.secho(
+            f"Headers ainda ausentes apos instalar {header_pkg}. Verifique repos ou kernel custom.",
+            fg=typer.colors.RED,
+        )
+        raise typer.Exit(code=1)
+
+
 # Versoes das ferramentas
 HELM_VERSION = "3.14.0"
 KUBECTL_VERSION = "1.30.0"
@@ -93,6 +123,8 @@ def _install_containerd(ctx: ExecutionContext) -> None:
     """Configura containerd como container runtime."""
     typer.echo("Configurando containerd...")
 
+    _ensure_kernel_headers(ctx)
+
     # Carrega modulos do kernel necessarios
     modules_conf = """overlay
 br_netfilter
@@ -102,6 +134,12 @@ br_netfilter
     run_cmd(["modprobe", "overlay"], ctx, check=False)
     run_cmd(["modprobe", "br_netfilter"], ctx, check=False)
 
+    if not Path("/proc/sys/net/bridge/bridge-nf-call-iptables").exists():
+        typer.secho(
+            "Arquivo /proc/sys/net/bridge/bridge-nf-call-iptables ausente. Verifique suporte a br_netfilter no kernel.",
+            fg=typer.colors.YELLOW,
+        )
+
     # Sysctl para Kubernetes
     sysctl_conf = """net.bridge.bridge-nf-call-iptables  = 1
 net.bridge.bridge-nf-call-ip6tables = 1
@@ -110,6 +148,18 @@ net.ipv4.ip_forward                 = 1
     write_file(Path("/etc/sysctl.d/k8s.conf"), sysctl_conf, ctx)
     run_cmd(["sysctl", "--system"], ctx, check=False)
 
+    # Verificacao best-effort dos tunables
+    try:
+        with open("/proc/sys/net/bridge/bridge-nf-call-iptables") as f:
+            val = f.read().strip()
+            if val != "1":
+                typer.secho(
+                    "bridge-nf-call-iptables nao ficou em 1 (cheque modulo br_netfilter e sysctl).",
+                    fg=typer.colors.YELLOW,
+                )
+    except Exception:
+        pass
+
     apt_install(["containerd"], ctx)
 
     # Gera config padrao
@@ -158,6 +208,21 @@ def run(ctx: ExecutionContext) -> None:
     """Instala todas as ferramentas necessarias para o ambiente produtivo."""
     require_root(ctx)
 
+    # Precheck Secure Boot (pode afetar modulos DKMS e drivers)
+    try:
+        sb_path = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
+        secure_boot = False
+        if sb_path.exists():
+            data = sb_path.read_bytes()
+            secure_boot = len(data) >= 5 and data[4] == 1
+        if secure_boot:
+            typer.secho(
+                "Secure Boot detectado: modulos DKMS (WireGuard, drivers) podem exigir assinatura.",
+                fg=typer.colors.YELLOW,
+            )
+    except Exception:
+        pass
+
     typer.secho("\n=== Bootstrap: Instalando Ferramentas ===", fg=typer.colors.CYAN, bold=True)
 
     # Atualiza sistema

raijin_server/modules/calico.py

@@ -1,36 +1,107 @@
-"""Configuracao de Calico como CNI com CIDR customizado e policy default-deny."""
+"""Configuracao de Calico como CNI com CIDR customizado e policies opinativas."""
 
 from pathlib import Path
+from typing import Iterable
 
 import typer
 
-from raijin_server.utils import ExecutionContext, ensure_tool, kubectl_apply, require_root, run_cmd, write_file
+from raijin_server.utils import (
+    ExecutionContext,
+    ensure_tool,
+    kubectl_apply,
+    require_root,
+    run_cmd,
+    write_file,
+)
 
+EGRESS_LABEL_KEY = "networking.raijin.dev/egress"
+EGRESS_LABEL_VALUE = "internet"
 
-def run(ctx: ExecutionContext) -> None:
-        require_root(ctx)
-        ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
-        ensure_tool("curl", ctx, install_hint="Instale curl.")
 
-        typer.echo("Aplicando Calico como CNI...")
-        pod_cidr = typer.prompt("Pod CIDR (Calico)", default="10.244.0.0/16")
+def _apply_policy(content: str, ctx: ExecutionContext, suffix: str) -> None:
+    path = Path(f"/tmp/raijin-{suffix}.yaml")
+    write_file(path, content, ctx)
+    kubectl_apply(str(path), ctx)
+    path.unlink(missing_ok=True)
+
+
+def _build_default_deny(namespace: str) -> str:
+    return f"""apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: {namespace}
+spec:
+  podSelector: {{}}
+  policyTypes:
+  - Ingress
+  - Egress
+"""
 
-        manifest_url = "https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/calico.yaml"
-        cmd = f"curl -s {manifest_url} | sed 's#192.168.0.0/16#{pod_cidr}#' | kubectl apply -f -"
-        run_cmd(cmd, ctx, use_shell=True)
 
-        # NetworkPolicy default-deny para workloads (excepto kube-system).
-        default_deny = """apiVersion: networking.k8s.io/v1
+def _build_allow_internet(namespace: str, cidr: str) -> str:
+    return f"""apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-    name: default-deny-all
-    namespace: default
+  name: allow-egress-internet
+  namespace: {namespace}
 spec:
-    podSelector: {}
-    policyTypes:
-    - Ingress
-    - Egress
+  podSelector:
+    matchLabels:
+      {EGRESS_LABEL_KEY}: {EGRESS_LABEL_VALUE}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {cidr}
 """
-        policy_path = Path("/tmp/raijin-default-deny.yaml")
-        write_file(policy_path, default_deny, ctx)
-        kubectl_apply(str(policy_path), ctx)
+
+
+def _split_namespaces(raw_value: str) -> Iterable[str]:
+    return [ns.strip() for ns in raw_value.split(",") if ns.strip()]
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
+    ensure_tool("curl", ctx, install_hint="Instale curl.")
+
+    typer.echo("Aplicando Calico como CNI...")
+    pod_cidr = typer.prompt("Pod CIDR (Calico)", default="10.244.0.0/16")
+
+    manifest_url = "https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/calico.yaml"
+    cmd = f"curl -s {manifest_url} | sed 's#192.168.0.0/16#{pod_cidr}#' | kubectl apply -f -"
+    run_cmd(cmd, ctx, use_shell=True)
+
+    deny_namespaces_raw = typer.prompt(
+        "Namespaces para aplicar default-deny (CSV)",
+        default="default",
+    )
+    for namespace in _split_namespaces(deny_namespaces_raw):
+        typer.echo(f"Aplicando default-deny no namespace '{namespace}'...")
+        _apply_policy(_build_default_deny(namespace), ctx, f"default-deny-{namespace}")
+
+    if typer.confirm(
+        "Deseja liberar saida para internet (pods rotulados) em alguns namespaces?",
+        default=True,
+    ):
+        allow_namespaces_raw = typer.prompt(
+            "Namespaces com pods que precisam acessar APIs externas (CSV)",
+            default="default",
+        )
+        cidr = typer.prompt("CIDR liberado (ex.: 0.0.0.0/0)", default="0.0.0.0/0")
+        for namespace in _split_namespaces(allow_namespaces_raw):
+            typer.echo(
+                f"Criando policy allow-egress-internet em '{namespace}' para pods com "
+                f"label {EGRESS_LABEL_KEY}={EGRESS_LABEL_VALUE}"
+            )
+            _apply_policy(
+                _build_allow_internet(namespace, cidr),
+                ctx,
+                f"allow-egress-{namespace}",
+            )
+        typer.echo(
+            "Para habilitar egress em um workload específico execute:\n"
+            f"  kubectl label deployment MEU-APP -n <namespace> {EGRESS_LABEL_KEY}={EGRESS_LABEL_VALUE}"
+        )

raijin_server/modules/cert_manager.py

@@ -0,0 +1,127 @@
+"""Instala e configura cert-manager com emissores ACME (HTTP-01 ou DNS-01)."""
+
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import (
+    ExecutionContext,
+    ensure_tool,
+    helm_upgrade_install,
+    kubectl_apply,
+    require_root,
+    write_file,
+)
+
+CHART_REPO = "https://charts.jetstack.io"
+CHART_NAME = "cert-manager"
+NAMESPACE = "cert-manager"
+MANIFEST_PATH = Path("/tmp/raijin-cert-manager-issuer.yaml")
+
+
+def _build_http01_issuer(name: str, email: str, ingress_class: str, staging: bool) -> str:
+    server = (
+        "https://acme-staging-v02.api.letsencrypt.org/directory"
+        if staging
+        else "https://acme-v02.api.letsencrypt.org/directory"
+    )
+    return f"""apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {name}
+spec:
+  acme:
+    email: {email}
+    server: {server}
+    privateKeySecretRef:
+      name: {name}
+    solvers:
+      - http01:
+          ingress:
+            class: {ingress_class}
+"""
+
+
+def _build_cloudflare_dns01(name: str, email: str, secret_name: str, staging: bool) -> str:
+    server = (
+        "https://acme-staging-v02.api.letsencrypt.org/directory"
+        if staging
+        else "https://acme-v02.api.letsencrypt.org/directory"
+    )
+    return f"""apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {name}
+spec:
+  acme:
+    email: {email}
+    server: {server}
+    privateKeySecretRef:
+      name: {name}
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: {secret_name}
+              key: api-token
+"""
+
+
+def _build_cloudflare_secret(secret_name: str, api_token: str) -> str:
+    return f"""apiVersion: v1
+kind: Secret
+metadata:
+  name: {secret_name}
+  namespace: {NAMESPACE}
+type: Opaque
+stringData:
+  api-token: {api_token}
+"""
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("helm", ctx, install_hint="Instale helm ou use --dry-run para simular.")
+    ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou use --dry-run para simular.")
+
+    typer.echo("Instalando cert-manager via Helm...")
+    email = typer.prompt("Email para ACME (Let's Encrypt)", default="admin@example.com")
+    solver = typer.prompt("Tipo de desafio (http01/dns01)", default="http01")
+
+    helm_upgrade_install(
+        release="cert-manager",
+        chart=CHART_NAME,
+        namespace=NAMESPACE,
+        ctx=ctx,
+        repo="jetstack",
+        repo_url=CHART_REPO,
+        create_namespace=True,
+        extra_args=["--set", "installCRDs=true"],
+    )
+
+    issuer_docs = []
+
+    if solver.lower() == "dns01":
+        typer.secho("DNS-01 selecionado (Cloudflare)", fg=typer.colors.CYAN)
+        issuer_name = typer.prompt("Nome do ClusterIssuer", default="letsencrypt-dns")
+        staging = typer.confirm("Usar endpoint de staging? (para testes)", default=False)
+        secret_name = typer.prompt("Secret com API token do Cloudflare", default="cloudflare-api-token")
+        api_token = typer.prompt("Informe o API token do Cloudflare", hide_input=True)
+
+        issuer_docs.append(_build_cloudflare_secret(secret_name, api_token))
+        issuer_docs.append(_build_cloudflare_dns01(issuer_name, email, secret_name, staging))
+    else:
+        typer.secho("HTTP-01 selecionado (Ingress)", fg=typer.colors.CYAN)
+        issuer_name = typer.prompt("Nome do ClusterIssuer", default="letsencrypt-http")
+        staging = typer.confirm("Usar endpoint de staging? (para testes)", default=False)
+        ingress_class = typer.prompt("IngressClass para resolver HTTP-01", default="traefik")
+
+        issuer_docs.append(_build_http01_issuer(issuer_name, email, ingress_class, staging))
+
+    manifest = "---\n".join(issuer_docs)
+    write_file(MANIFEST_PATH, manifest, ctx)
+    kubectl_apply(str(MANIFEST_PATH), ctx)
+
+    typer.secho("cert-manager instalado e issuer aplicado.", fg=typer.colors.GREEN)
+    typer.echo("Execute um Certificate/Ingress apontando para o ClusterIssuer para emitir certificados.")
+

raijin_server/modules/full_install.py

@@ -1,36 +1,49 @@
 """Instalacao completa e automatizada do ambiente produtivo."""
 
+import os
+
 import typer
 
 from raijin_server.utils import ExecutionContext, require_root
 from raijin_server.modules import (
     bootstrap,
+    calico,
+    cert_manager,
     essentials,
-    hardening,
-    network,
     firewall,
-    kubernetes,
-    calico,
-    prometheus,
     grafana,
+    hardening,
+    kubernetes,
     loki,
+    network,
+    observability_dashboards,
+    observability_ingress,
+    prometheus,
+    secrets,
+    sanitize,
     traefik,
 )
 
 
 # Ordem de execucao dos modulos para instalacao completa
+# Modulos marcados com skip_env podem ser pulados via variavel de ambiente
 INSTALL_SEQUENCE = [
-    ("bootstrap", bootstrap.run, "Instalacao de ferramentas (helm, kubectl, containerd, etc.)"),
-    ("essentials", essentials.run, "Pacotes essenciais e NTP"),
-    ("hardening", hardening.run, "Seguranca do sistema (fail2ban, sysctl, auditd)"),
-    ("network", network.run, "Configuracao de rede (IP fixo)"),
-    ("firewall", firewall.run, "Firewall UFW"),
-    ("kubernetes", kubernetes.run, "Cluster Kubernetes (kubeadm)"),
-    ("calico", calico.run, "CNI Calico + NetworkPolicy"),
-    ("prometheus", prometheus.run, "Monitoramento Prometheus"),
-    ("grafana", grafana.run, "Dashboards Grafana"),
-    ("loki", loki.run, "Logs centralizados Loki"),
-    ("traefik", traefik.run, "Ingress Controller Traefik"),
+    ("sanitize", sanitize.run, "Limpeza total de instalacoes anteriores", None),
+    ("bootstrap", bootstrap.run, "Instalacao de ferramentas (helm, kubectl, containerd, etc.)", None),
+    ("essentials", essentials.run, "Pacotes essenciais e NTP", None),
+    ("hardening", hardening.run, "Seguranca do sistema (fail2ban, sysctl, auditd)", None),
+    ("network", network.run, "Configuracao de rede (IP fixo) - OPCIONAL", "RAIJIN_SKIP_NETWORK"),
+    ("firewall", firewall.run, "Firewall UFW", None),
+    ("kubernetes", kubernetes.run, "Cluster Kubernetes (kubeadm)", None),
+    ("calico", calico.run, "CNI Calico + NetworkPolicy", None),
+    ("cert_manager", cert_manager.run, "cert-manager + ClusterIssuer ACME", None),
+    ("secrets", secrets.run, "Sealed-Secrets + External-Secrets", None),
+    ("prometheus", prometheus.run, "Monitoramento Prometheus", None),
+    ("grafana", grafana.run, "Dashboards Grafana", None),
+    ("loki", loki.run, "Logs centralizados Loki", None),
+    ("traefik", traefik.run, "Ingress Controller Traefik", None),
+    ("observability_ingress", observability_ingress.run, "Ingress seguro para Grafana/Prometheus/Alertmanager", None),
+    ("observability_dashboards", observability_dashboards.run, "Dashboards opinativos e alertas", None),
 ]
 
 
@@ -54,10 +67,20 @@ def run(ctx: ExecutionContext) -> None:
 
     # Mostra sequencia de instalacao
     typer.echo("Sequencia de instalacao:")
-    for i, (name, _, desc) in enumerate(INSTALL_SEQUENCE, 1):
-        typer.echo(f"  {i:2}. {name:15} - {desc}")
+    for i, (name, _, desc, skip_env) in enumerate(INSTALL_SEQUENCE, 1):
+        suffix = ""
+        if skip_env and os.environ.get(skip_env, "").strip() in ("1", "true", "yes"):
+            suffix = " [SKIP]"
+        typer.echo(f"  {i:2}. {name:25} - {desc}{suffix}")
 
     typer.echo("")
+    typer.secho(
+        "Nota: O modulo 'network' eh OPCIONAL se o IP fixo ja foi configurado\n"
+        "      pelo provedor ISP ou durante instalacao do SO.\n"
+        "      Set RAIJIN_SKIP_NETWORK=1 para pular automaticamente.",
+        fg=typer.colors.YELLOW,
+    )
+    typer.echo("")
 
     if not ctx.dry_run:
         if not typer.confirm("Deseja continuar com a instalacao completa?", default=True):
@@ -67,8 +90,15 @@ def run(ctx: ExecutionContext) -> None:
     total = len(INSTALL_SEQUENCE)
     failed = []
     succeeded = []
+    skipped = []
+
+    for i, (name, handler, desc, skip_env) in enumerate(INSTALL_SEQUENCE, 1):
+        # Verifica se modulo deve ser pulado via env
+        if skip_env and os.environ.get(skip_env, "").strip() in ("1", "true", "yes"):
+            skipped.append(name)
+            typer.secho(f"⏭ {name} pulado via {skip_env}=1", fg=typer.colors.YELLOW)
+            continue
 
-    for i, (name, handler, desc) in enumerate(INSTALL_SEQUENCE, 1):
         typer.secho(
             f"\n{'='*60}",
             fg=typer.colors.CYAN,
@@ -108,6 +138,11 @@ def run(ctx: ExecutionContext) -> None:
         for name in succeeded:
             typer.echo(f"    - {name}")
 
+    if skipped:
+        typer.secho(f"\n⏭ Modulos pulados ({len(skipped)}):", fg=typer.colors.YELLOW)
+        for name in skipped:
+            typer.echo(f"    - {name}")
+
     if failed:
         typer.secho(f"\n✗ Modulos com falha ({len(failed)}):", fg=typer.colors.RED)
         for name, error in failed:

raijin_server/modules/network.py

@@ -1,7 +1,17 @@
-"""Configuracao de rede (IP fixo) via Netplan."""
+"""Configuracao de rede (IP fixo) via Netplan.
+
+Este modulo eh OPCIONAL quando:
+- IP fixo ja foi configurado no provedor ISP (ex: Ibi Internet Empresarial)
+- IP estatico foi definido manualmente durante instalacao do SO
+- Netplan ja possui configuracao funcional
+
+Set RAIJIN_SKIP_NETWORK=1 para pular automaticamente em automacoes.
+"""
 
 import os
+import subprocess
 from pathlib import Path
+from typing import Optional
 
 import typer
 
@@ -18,9 +28,93 @@ def _is_wsl() -> bool:
         return False
 
 
+def _get_current_ip() -> Optional[str]:
+    """Retorna o IP principal atual do sistema (excluindo loopback e docker)."""
+    try:
+        result = subprocess.run(
+            ["ip", "-4", "-o", "addr", "show", "scope", "global"],
+            capture_output=True,
+            text=True,
+            timeout=10,
+        )
+        for line in result.stdout.strip().split("\n"):
+            parts = line.split()
+            if len(parts) >= 4:
+                iface = parts[1]
+                # Ignora interfaces virtuais (docker, veth, br-, virbr, etc.)
+                if any(iface.startswith(p) for p in ("docker", "veth", "br-", "virbr", "cni", "flannel")):
+                    continue
+                ip_cidr = parts[3]
+                return ip_cidr
+    except Exception:
+        pass
+    return None
+
+
+def _has_static_netplan() -> bool:
+    """Verifica se ja existe configuracao Netplan com IP estatico."""
+    netplan_dir = Path("/etc/netplan")
+    if not netplan_dir.exists():
+        return False
+    for f in netplan_dir.glob("*.yaml"):
+        try:
+            content = f.read_text()
+            if "dhcp4: false" in content or "dhcp4: no" in content:
+                return True
+        except OSError:
+            continue
+    return False
+
+
 def run(ctx: ExecutionContext) -> None:
     require_root(ctx)
-    typer.echo("Configurando IP fixo (Netplan)...")
+
+    # Permite pular via variavel de ambiente (para automacao)
+    if os.environ.get("RAIJIN_SKIP_NETWORK", "").strip() in ("1", "true", "yes"):
+        typer.secho(
+            "RAIJIN_SKIP_NETWORK=1 detectado. Pulando configuracao de rede.",
+            fg=typer.colors.YELLOW,
+        )
+        return
+
+    current_ip = _get_current_ip()
+    has_static = _has_static_netplan()
+
+    # Se ja tem IP estatico configurado, oferece pular
+    if current_ip and has_static:
+        typer.secho(
+            f"\n✓ IP estatico detectado: {current_ip}",
+            fg=typer.colors.GREEN,
+        )
+        typer.secho(
+            "  Parece que a rede ja esta configurada (Netplan com dhcp4: false).",
+            fg=typer.colors.GREEN,
+        )
+        typer.echo("")
+        if not typer.confirm(
+            "Deseja reconfigurar a rede mesmo assim? (NAO recomendado se ja funciona)",
+            default=False,
+        ):
+            typer.secho("Pulando configuracao de rede.", fg=typer.colors.CYAN)
+            return
+    elif current_ip:
+        typer.secho(
+            f"\n✓ IP atual: {current_ip}",
+            fg=typer.colors.GREEN,
+        )
+        typer.echo(
+            "  Se este IP foi configurado pelo seu provedor ISP ou durante a instalacao,\n"
+            "  voce pode pular este passo."
+        )
+        typer.echo("")
+        if not typer.confirm(
+            "Deseja configurar IP estatico via Netplan?",
+            default=True,
+        ):
+            typer.secho("Pulando configuracao de rede.", fg=typer.colors.CYAN)
+            return
+
+    typer.echo("\nConfigurando IP fixo (Netplan)...")
 
     wsl = _is_wsl()
     if wsl: