raijin-server 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

raijin_server/modules/ssh_hardening.py

@@ -0,0 +1,128 @@
+"""Hardening de SSH com usuario dedicado e chaves publicas."""
+
+from __future__ import annotations
+
+import os
+import pwd
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, apt_install, require_root, run_cmd, write_file
+
+SSHD_DROPIN = Path("/etc/ssh/sshd_config.d/99-raijin.conf")
+FAIL2BAN_JAIL = Path("/etc/fail2ban/jail.d/raijin-sshd.conf")
+AUTHORIZED_KEYS_TEMPLATE = "# gerenciado pelo raijin-server\n{key}\n"
+
+
+def _user_exists(username: str) -> bool:
+    try:
+        pwd.getpwnam(username)
+        return True
+    except KeyError:
+        return False
+
+
+def _ensure_user(username: str, ctx: ExecutionContext) -> None:
+    if _user_exists(username):
+        typer.echo(f"Usuario {username} ja existe, reutilizando...")
+        return
+
+    typer.echo(f"Criando usuario {username} sem senha...")
+    run_cmd(["useradd", "-m", "-s", "/bin/bash", username], ctx)
+    run_cmd(["passwd", "-l", username], ctx, check=False)
+
+
+def _write_authorized_keys(username: str, content: str, ctx: ExecutionContext) -> None:
+    ssh_dir = Path("/home") / username / ".ssh"
+    auth_file = ssh_dir / "authorized_keys"
+
+    if ctx.dry_run:
+        typer.echo(f"[dry-run] escrever {auth_file} com chave publica")
+        return
+
+    ssh_dir.mkdir(parents=True, exist_ok=True)
+    os.chmod(ssh_dir, 0o700)
+    auth_file.write_text(AUTHORIZED_KEYS_TEMPLATE.format(key=content.strip()))
+    os.chmod(auth_file, 0o600)
+    run_cmd(["chown", "-R", f"{username}:{username}", str(ssh_dir)], ctx)
+
+
+def _load_public_key(path_input: str) -> str:
+    path = Path(path_input).expanduser()
+    if path.exists():
+        return path.read_text().strip()
+    typer.echo("Arquivo nao encontrado. Cole a chave publica completa (ssh-ed25519...).")
+    key = typer.prompt("Chave publica", default="")
+    if not key:
+        raise typer.BadParameter("Nenhuma chave publica fornecida.")
+    return key.strip()
+
+
+def run(ctx: ExecutionContext) -> None:
+    """Configura SSH seguro com usuario dedicado e chaves publicas."""
+    require_root(ctx)
+
+    typer.echo("Hardening de SSH em andamento...")
+    apt_install(["openssh-server", "fail2ban"], ctx)
+
+    username = typer.prompt("Usuario administrativo para SSH", default="adminops")
+    ssh_port = typer.prompt("Porta SSH", default="22")
+    sudo_access = typer.confirm("Adicionar usuario ao grupo sudo?", default=True)
+    pubkey_path = typer.prompt(
+        "Arquivo com chave publica (ENTER para ~/.ssh/id_ed25519.pub)",
+        default=str(Path.home() / ".ssh/id_ed25519.pub"),
+    )
+
+    public_key = _load_public_key(pubkey_path)
+
+    _ensure_user(username, ctx)
+    if sudo_access:
+        run_cmd(["usermod", "-aG", "sudo", username], ctx)
+
+    _write_authorized_keys(username, public_key, ctx)
+
+    config = f"""
+# Arquivo gerenciado pelo raijin-server
+Port {ssh_port}
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+UsePAM yes
+AllowUsers {username}
+AuthenticationMethods publickey
+X11Forwarding no
+ClientAliveInterval 300
+ClientAliveCountMax 2
+MaxAuthTries 3
+""".strip() + "\n"
+
+    write_file(SSHD_DROPIN, config, ctx)
+
+    fail2ban_jail = f"""
+[sshd-raijin]
+enabled = true
+port    = {ssh_port}
+filter  = sshd
+logpath = /var/log/auth.log
+maxretry = 5
+findtime = 600
+bantime  = 3600
+""".strip() + "\n"
+    write_file(FAIL2BAN_JAIL, fail2ban_jail, ctx)
+
+    run_cmd(["sshd", "-t"], ctx)
+    run_cmd(["systemctl", "enable", "ssh"], ctx)
+    run_cmd(["systemctl", "restart", "ssh"], ctx)
+    run_cmd(["systemctl", "restart", "fail2ban"], ctx, check=False)
+
+    if ssh_port != "22":
+        run_cmd(["ufw", "allow", ssh_port], ctx, check=False)
+        run_cmd(["ufw", "delete", "allow", "22"], ctx, check=False)
+
+    typer.secho("\n✓ SSH hardening concluido com sucesso!", fg=typer.colors.GREEN, bold=True)
+    typer.echo(f"Usuario permitido: {username}")
+    typer.echo(f"Porta configurada: {ssh_port}")
+    typer.echo("Certifique-se de testar a nova sessao antes de encerrar conexoes atuais.")

raijin_server/modules/traefik.py

@@ -22,7 +22,7 @@ def run(ctx: ExecutionContext) -> None:
         "certificatesResolvers.letsencrypt.acme.storage=/data/acme.json",
         "certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web",
         "logs.general.level=INFO",
-        f"providers.kubernetesIngress.ingressClass=traefik",
+        "providers.kubernetesIngress.ingressClass=traefik",
     ]
 
     if dashboard_host:

raijin_server/modules/vpn.py

@@ -4,6 +4,7 @@ from __future__ import annotations
 
 import ipaddress
 import os
+import platform
 import subprocess
 import textwrap
 from pathlib import Path
@@ -24,6 +25,37 @@ CLIENTS_DIR = WIREGUARD_DIR / "clients"
 SYSCTL_FILE = Path("/etc/sysctl.d/99-wireguard.conf")
 
 
+def _is_secure_boot_enabled() -> bool:
+    """Retorna True se Secure Boot estiver ativo (EFI)."""
+
+    try:
+        sb_path = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
+        if not sb_path.exists():
+            return False
+        data = sb_path.read_bytes()
+        # Estrutura: atributos (4 bytes) + valor (1 byte)
+        return len(data) >= 5 and data[4] == 1
+    except Exception:
+        return False
+
+
+def _kernel_headers_present() -> bool:
+    """Verifica se os headers do kernel atual estao instalados."""
+
+    release = platform.uname().release
+    return Path(f"/lib/modules/{release}/build").exists()
+
+
+def _modprobe_check(module: str) -> bool:
+    """Tenta carregar o modulo em modo dry-run para validar disponibilidade."""
+
+    try:
+        result = subprocess.run(["modprobe", "-n", module], capture_output=True, text=True, timeout=5)
+        return result.returncode == 0
+    except Exception:
+        return False
+
+
 def _generate_keypair(
     label: str,
     private_path: Path,
@@ -69,6 +101,40 @@ def run(ctx: ExecutionContext) -> None:
     require_root(ctx)
     typer.echo("Configurando WireGuard (VPN site-to-site)...")
 
+    if _is_secure_boot_enabled():
+        typer.secho(
+            "Secure Boot detectado: modulos DKMS (wireguard) podem exigir assinatura.\n"
+            "Se o modulo nao carregar, assine-o ou desabilite Secure Boot temporariamente.",
+            fg=typer.colors.YELLOW,
+        )
+
+    # NIC offload pode interferir em VPN/perf em alguns hardwares; aviso leve
+    typer.secho(
+        "Considere desabilitar offloads problemáticos em NICs (tso/gso/gro) se notar latência ou perda.",
+        fg=typer.colors.YELLOW,
+    )
+
+    if not _kernel_headers_present():
+        typer.secho(
+            "Headers do kernel nao encontrados; instalando linux-headers-$(uname -r) para suportar WireGuard.",
+            fg=typer.colors.YELLOW,
+        )
+        release = platform.uname().release
+        header_pkg = f"linux-headers-{release}"
+        apt_install([header_pkg], ctx)
+        if not _kernel_headers_present():
+            typer.secho(
+                f"Headers ainda ausentes apos tentar instalar {header_pkg}. Verifique repos ou kernel custom.",
+                fg=typer.colors.RED,
+            )
+            raise typer.Exit(code=1)
+
+    if not _modprobe_check("wireguard"):
+        typer.secho(
+            "Aviso: modulo wireguard pode nao estar disponivel (modprobe -n wireguard falhou).",
+            fg=typer.colors.YELLOW,
+        )
+
     apt_install(["wireguard", "wireguard-tools", "qrencode"], ctx)
 
     interface = typer.prompt("Interface WireGuard", default="wg0")
@@ -146,7 +212,6 @@ def run(ctx: ExecutionContext) -> None:
     typer.secho("\n✓ WireGuard configurado com sucesso!", fg=typer.colors.GREEN, bold=True)
     typer.echo(f"Configuracao do servidor: {server_conf_path}")
     typer.echo(f"Cliente inicial salvo em: {client_conf_path}")
-    typer.echo("Para gerar QR code no terminal: qrencode -t ansiutf8 < {client_conf_path}")
+    typer.echo("Para gerar QR code no terminal: qrencode -t ansiutf8 < caminho-do-cliente.conf")
     typer.echo("Para novos clientes, gere chaves com 'wg genkey' e adicione entradas em ambos os arquivos.")
-    typer.echo("Clientes Linux/macOS: sudo wg-quick up ./cliente.conf | Windows: importe o arquivo no app WireGuard.")
-```}```} CPU? Need to ensure string quotes? there is newline with braces? we used f string in echo referencing braces? we inserted literal braces within string? `typer.echo(
+    typer.echo("Clientes Linux/macOS: sudo wg-quick up ./cliente.conf | Windows: importe o arquivo no app WireGuard.")

raijin_server/scripts/__init__.py

@@ -0,0 +1 @@
+"""Shell helpers empacotados com o raijin-server."""

raijin_server/scripts/checklist.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Checklist/smoke tests basicos para um nodo provisionado pelo raijin-server.
+# Execute como root (ou sudo) em um nodo control-plane ou worker.
+
+log() { printf "[%s] %s\n" "$(date +%H:%M:%S)" "$*"; }
+
+require_cmd() {
+  command -v "$1" >/dev/null 2>&1 || { echo "Falta comando: $1"; exit 1; }
+}
+
+log "Verificando comandos basicos"
+for c in kubectl helm ufw curl jq; do require_cmd "$c"; done
+
+log "Verificando conectividade basica"
+ping -c1 1.1.1.1 >/dev/null && log "Ping OK para 1.1.1.1" || echo "Ping falhou"
+
+log "Status de data/hora"
+timedatectl status | head -n 5
+
+log "Status fail2ban"
+systemctl is-active --quiet fail2ban && echo "fail2ban ativo" || echo "fail2ban inativo"
+
+log "Status firewall (ufw)"
+ufw status numbered || true
+
+log "Sysctl rede (hardening)"
+sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects net.ipv4.conf.all.send_redirects net.ipv4.ip_forward
+
+log "Kubernetes: nodes"
+kubectl get nodes -o wide || true
+
+log "Kubernetes: pods principais"
+kubectl get pods -A | head -n 40 || true
+
+log "Calico: pods"
+kubectl get pods -n kube-system -l k8s-app=calico-node -o wide || true
+
+log "Ingress (Traefik): serviços"
+kubectl get svc -n traefik || true
+
+log "Prometheus/Grafana/Loki: pods"
+kubectl get pods -n observability || true
+
+log "Velero: backups"
+velero backup get || true
+
+log "MinIO: serviço"
+kubectl get svc -n minio || true
+
+log "Kafka: serviços"
+kubectl get svc -n kafka || true
+
+log "Teste HTTP interno (se ingress exposto)"
+if kubectl get svc -n traefik traefik >/dev/null 2>&1; then
+  kubectl run curltest --rm -i --restart=Never --image=curlimages/curl -- curl -s -o /dev/null -w "%{http_code}\n" http://traefik.traefik.svc.cluster.local || true
+fi
+
+log "Checklist finalizado"

raijin_server/scripts/install.sh

@@ -0,0 +1,134 @@
+#!/bin/bash
+# Script de instalacao rapida do Raijin Server CLI
+# Para Ubuntu Server 20.04+
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+
+echo -e "${CYAN}=========================================${NC}"
+echo -e "${CYAN}  Raijin Server - Instalação Rápida${NC}"
+echo -e "${CYAN}=========================================${NC}"
+echo ""
+
+# Verificar Python
+if ! command -v python3 &> /dev/null; then
+    echo -e "${RED}✗ Python3 não encontrado${NC}"
+    echo "Instale com: sudo apt install python3 python3-pip python3-venv"
+    exit 1
+fi
+
+PY_VERSION=$(python3 --version | awk '{print $2}')
+echo -e "${GREEN}✓${NC} Python $PY_VERSION encontrado"
+
+# Verificar se está no diretório do projeto
+if [ ! -f "setup.cfg" ]; then
+    echo -e "${RED}✗ Não está no diretório do projeto raijin-server${NC}"
+    echo "Execute este script no diretório raiz do projeto"
+    exit 1
+fi
+
+# Perguntar tipo de instalação
+echo ""
+echo "Escolha o tipo de instalação:"
+echo "  1) Global (requer sudo, todos os usuários)"
+echo "  2) Virtual env (recomendado para desenvolvimento)"
+echo "  3) User install (apenas usuário atual)"
+read -p "Opção [2]: " INSTALL_TYPE
+INSTALL_TYPE=${INSTALL_TYPE:-2}
+
+echo ""
+case $INSTALL_TYPE in
+    1)
+        echo -e "${YELLOW}Instalando globalmente...${NC}"
+        sudo python3 -m pip install .
+        BIN_PATH=$(which raijin-server)
+        ;;
+    2)
+        echo -e "${YELLOW}Criando virtual environment...${NC}"
+        python3 -m venv .venv
+        source .venv/bin/activate
+        pip install --upgrade pip
+        pip install -e .
+        BIN_PATH=".venv/bin/raijin-server"
+        
+        # Criar wrapper
+        cat > raijin-server-run.sh << 'EOF'
+#!/bin/bash
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/.venv/bin/activate"
+raijin-server "$@"
+EOF
+        chmod +x raijin-server-run.sh
+        echo -e "${GREEN}✓${NC} Wrapper criado: ./raijin-server-run.sh"
+        ;;
+    3)
+        echo -e "${YELLOW}Instalando para usuário atual...${NC}"
+        python3 -m pip install --user .
+        BIN_PATH="$HOME/.local/bin/raijin-server"
+        
+        # Adicionar ao PATH se necessário
+        if [[ ":$PATH:" != *":$HOME/.local/bin:"* ]]; then
+            echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
+            echo -e "${YELLOW}⚠${NC} Adicionado $HOME/.local/bin ao PATH"
+            echo "Execute: source ~/.bashrc"
+        fi
+        ;;
+    *)
+        echo -e "${RED}✗ Opção inválida${NC}"
+        exit 1
+        ;;
+esac
+
+echo ""
+echo -e "${GREEN}✓ Instalação concluída!${NC}"
+echo ""
+
+# Testar instalação
+echo "Testando instalação..."
+if [ "$INSTALL_TYPE" -eq 2 ]; then
+    VERSION=$($BIN_PATH version)
+else
+    VERSION=$(raijin-server version)
+fi
+echo -e "${GREEN}✓${NC} $VERSION"
+
+# Mostrar próximos passos
+echo ""
+echo -e "${CYAN}=========================================${NC}"
+echo -e "${CYAN}  Próximos Passos${NC}"
+echo -e "${CYAN}=========================================${NC}"
+echo ""
+
+case $INSTALL_TYPE in
+    2)
+        echo "Para usar o CLI:"
+        echo "  source .venv/bin/activate"
+        echo "  sudo raijin-server validate"
+        echo ""
+        echo "Ou use o wrapper:"
+        echo "  sudo ./raijin-server-run.sh validate"
+        ;;
+    *)
+        echo "Para validar o sistema:"
+        echo "  sudo raijin-server validate"
+        echo ""
+        echo "Para ver o menu interativo:"
+        echo "  sudo raijin-server"
+        echo ""
+        echo "Para gerar configuração:"
+        echo "  raijin-server generate-config -o production.yaml"
+        ;;
+esac
+
+echo ""
+echo "Documentação:"
+echo "  README.md         - Guia principal"
+echo "  AUDIT.md          - Relatório de auditoria"
+echo "  EXAMPLES.md       - Exemplos práticos"
+echo ""
+echo -e "${GREEN}Instalação bem-sucedida!${NC} 🚀"

raijin_server/scripts/log_size_metric.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Gera metricas em formato Prometheus para tamanho dos logs do raijin-server.
+# Pode ser usado com node_exporter textfile collector.
+
+set -euo pipefail
+
+LOG_DIR=${RAIJIN_LOG_DIR:-/var/log/raijin-server}
+LOG_PATTERN=${RAIJIN_LOG_PATTERN:-raijin-server.log*}
+OUTPUT=${RAIJIN_METRIC_FILE:-/var/lib/node_exporter/textfile_collector/raijin_log_size.prom}
+
+# Calcula soma de todos os logs (principal + rotações)
+TOTAL_BYTES=0
+shopt -s nullglob
+for f in "$LOG_DIR"/$LOG_PATTERN; do
+  size=$(stat -c%s "$f" 2>/dev/null || echo 0)
+  TOTAL_BYTES=$((TOTAL_BYTES + size))
+  if [[ "$f" =~ raijin-server\.log(\.\d+)?$ ]]; then
+    printf "raijin_log_size_bytes{file=\"%s\"} %d\n" "$(basename "$f")" "$size"
+  fi
+done | {
+  # Escreve métricas no arquivo final
+  mkdir -p "$(dirname "$OUTPUT")"
+  {
+    echo "# HELP raijin_log_size_bytes Tamanho dos logs do raijin-server (bytes)"
+    echo "# TYPE raijin_log_size_bytes gauge"
+    cat
+    echo "# HELP raijin_log_size_total_bytes Soma dos logs do raijin-server (bytes)"
+    echo "# TYPE raijin_log_size_total_bytes gauge"
+    echo "raijin_log_size_total_bytes ${TOTAL_BYTES}"
+  } > "$OUTPUT"
+}

raijin_server/scripts/pre-deploy-check.sh

@@ -0,0 +1,183 @@
+#!/bin/bash
+# Checklist de validacao pre-deploy Raijin Server
+# Versao auditada com verificacoes completas
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+NC='\033[0m' # No Color
+
+echo -e "${CYAN}==========================================${NC}"
+echo -e "${CYAN}  Raijin Server - Checklist Pre-Deploy${NC}"
+echo -e "${CYAN}==========================================${NC}"
+echo ""
+
+# Funcao auxiliar para checks
+check_pass() {
+    echo -e "${GREEN}✓${NC} $1"
+}
+
+check_fail() {
+    echo -e "${RED}✗${NC} $1"
+}
+
+check_warn() {
+    echo -e "${YELLOW}⚠${NC} $1"
+}
+
+FAILED=0
+
+# 1. Verificar Python
+echo "1. Verificando Python..."
+if command -v python3 &> /dev/null; then
+    PY_VERSION=$(python3 --version | awk '{print $2}')
+    if [[ $(echo "$PY_VERSION 3.9" | awk '{print ($1 >= $2)}') -eq 1 ]]; then
+        check_pass "Python $PY_VERSION >= 3.9"
+    else
+        check_fail "Python $PY_VERSION < 3.9"
+        FAILED=1
+    fi
+else
+    check_fail "Python3 nao encontrado"
+    FAILED=1
+fi
+
+# 2. Verificar OS
+echo ""
+echo "2. Verificando Sistema Operacional..."
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+    if [[ "$ID" == "ubuntu" ]]; then
+        VERSION_NUM=$(echo "$VERSION_ID" | cut -d. -f1)
+        if [[ "$VERSION_NUM" -ge 20 ]]; then
+            check_pass "Ubuntu $VERSION_ID"
+        else
+            check_warn "Ubuntu $VERSION_ID (recomendado >= 20.04)"
+        fi
+    else
+        check_warn "Sistema nao e Ubuntu: $ID"
+    fi
+else
+    check_fail "/etc/os-release nao encontrado"
+    FAILED=1
+fi
+
+# 3. Verificar root/sudo
+echo ""
+echo "3. Verificando permissoes..."
+if [[ $EUID -eq 0 ]]; then
+    check_pass "Executando como root"
+elif groups | grep -q sudo; then
+    check_pass "Usuario no grupo sudo"
+else
+    check_fail "Usuario nao tem permissoes sudo"
+    FAILED=1
+fi
+
+# 4. Verificar espaco em disco
+echo ""
+echo "4. Verificando espaco em disco..."
+DISK_AVAIL=$(df / | tail -1 | awk '{print $4}')
+DISK_AVAIL_GB=$((DISK_AVAIL / 1024 / 1024))
+if [[ $DISK_AVAIL_GB -ge 20 ]]; then
+    check_pass "Espaco disponivel: ${DISK_AVAIL_GB}GB"
+else
+    check_fail "Espaco insuficiente: ${DISK_AVAIL_GB}GB (minimo: 20GB)"
+    FAILED=1
+fi
+
+# 5. Verificar memoria
+echo ""
+echo "5. Verificando memoria RAM..."
+MEM_TOTAL=$(grep MemTotal /proc/meminfo | awk '{print $2}')
+MEM_TOTAL_GB=$((MEM_TOTAL / 1024 / 1024))
+if [[ $MEM_TOTAL_GB -ge 4 ]]; then
+    check_pass "Memoria RAM: ${MEM_TOTAL_GB}GB"
+else
+    check_fail "Memoria insuficiente: ${MEM_TOTAL_GB}GB (minimo: 4GB)"
+    FAILED=1
+fi
+
+# 6. Verificar conectividade
+echo ""
+echo "6. Verificando conectividade..."
+if ping -c 1 8.8.8.8 &> /dev/null; then
+    check_pass "Conectividade com internet OK"
+else
+    check_fail "Sem conectividade com internet"
+    FAILED=1
+fi
+
+# 7. Verificar comandos essenciais
+echo ""
+echo "7. Verificando comandos essenciais..."
+COMMANDS=("curl" "wget" "apt-get" "systemctl" "gpg")
+for cmd in "${COMMANDS[@]}"; do
+    if command -v "$cmd" &> /dev/null; then
+        check_pass "$cmd instalado"
+    else
+        check_fail "$cmd nao encontrado"
+        FAILED=1
+    fi
+done
+
+# 8. Verificar instalacao raijin-server
+echo ""
+echo "8. Verificando instalacao raijin-server..."
+if command -v raijin-server &> /dev/null; then
+    RAIJIN_VERSION=$(raijin-server version)
+    check_pass "$RAIJIN_VERSION instalado"
+else
+    check_warn "raijin-server nao instalado (instale com: pip install .)"
+fi
+
+# 9. Verificar logs
+echo ""
+echo "9. Verificando diretorio de logs..."
+if [[ -d /var/log/raijin-server ]]; then
+    check_pass "Diretorio de logs: /var/log/raijin-server"
+elif [[ -f ~/.raijin-server.log ]]; then
+    check_warn "Usando fallback: ~/.raijin-server.log"
+else
+    check_warn "Nenhum log encontrado ainda"
+fi
+
+# 10. Verificar estado
+echo ""
+echo "10. Verificando estado dos modulos..."
+STATE_DIRS=("/var/lib/raijin-server/state" "$HOME/.local/share/raijin-server/state")
+FOUND_STATE=0
+for dir in "${STATE_DIRS[@]}"; do
+    if [[ -d "$dir" ]]; then
+        MODULE_COUNT=$(ls -1 "$dir"/*.done 2>/dev/null | wc -l)
+        if [[ $MODULE_COUNT -gt 0 ]]; then
+            check_pass "$MODULE_COUNT modulos concluidos (em $dir)"
+            FOUND_STATE=1
+            break
+        fi
+    fi
+done
+if [[ $FOUND_STATE -eq 0 ]]; then
+    check_warn "Nenhum modulo executado ainda"
+fi
+
+# Resumo
+echo ""
+echo -e "${CYAN}==========================================${NC}"
+if [[ $FAILED -eq 0 ]]; then
+    echo -e "${GREEN}✓ Sistema pronto para executar raijin-server${NC}"
+    echo ""
+    echo "Proximos passos:"
+    echo "  1. sudo raijin-server validate"
+    echo "  2. sudo raijin-server"
+    echo "  3. Ou: raijin-server generate-config -o production.yaml"
+    exit 0
+else
+    echo -e "${RED}✗ Sistema NAO atende pre-requisitos${NC}"
+    echo ""
+    echo "Corrija os problemas acima antes de prosseguir."
+    exit 1
+fi