raijin-server 0.1.0__py3-none-any.whl

raijin_server/modules/full_install.py

@@ -0,0 +1,131 @@
+"""Instalacao completa e automatizada do ambiente produtivo."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, require_root
+from raijin_server.modules import (
+    bootstrap,
+    essentials,
+    hardening,
+    network,
+    firewall,
+    kubernetes,
+    calico,
+    prometheus,
+    grafana,
+    loki,
+    traefik,
+)
+
+
+# Ordem de execucao dos modulos para instalacao completa
+INSTALL_SEQUENCE = [
+    ("bootstrap", bootstrap.run, "Instalacao de ferramentas (helm, kubectl, containerd, etc.)"),
+    ("essentials", essentials.run, "Pacotes essenciais e NTP"),
+    ("hardening", hardening.run, "Seguranca do sistema (fail2ban, sysctl, auditd)"),
+    ("network", network.run, "Configuracao de rede (IP fixo)"),
+    ("firewall", firewall.run, "Firewall UFW"),
+    ("kubernetes", kubernetes.run, "Cluster Kubernetes (kubeadm)"),
+    ("calico", calico.run, "CNI Calico + NetworkPolicy"),
+    ("prometheus", prometheus.run, "Monitoramento Prometheus"),
+    ("grafana", grafana.run, "Dashboards Grafana"),
+    ("loki", loki.run, "Logs centralizados Loki"),
+    ("traefik", traefik.run, "Ingress Controller Traefik"),
+]
+
+
+def run(ctx: ExecutionContext) -> None:
+    """Executa instalacao completa do ambiente produtivo."""
+    require_root(ctx)
+
+    typer.secho(
+        "\n" + "=" * 60,
+        fg=typer.colors.CYAN,
+    )
+    typer.secho(
+        "  RAIJIN SERVER - Instalacao Completa Automatizada",
+        fg=typer.colors.CYAN,
+        bold=True,
+    )
+    typer.secho(
+        "=" * 60 + "\n",
+        fg=typer.colors.CYAN,
+    )
+
+    # Mostra sequencia de instalacao
+    typer.echo("Sequencia de instalacao:")
+    for i, (name, _, desc) in enumerate(INSTALL_SEQUENCE, 1):
+        typer.echo(f"  {i:2}. {name:15} - {desc}")
+
+    typer.echo("")
+
+    if not ctx.dry_run:
+        if not typer.confirm("Deseja continuar com a instalacao completa?", default=True):
+            typer.echo("Instalacao cancelada.")
+            raise typer.Exit(code=0)
+
+    total = len(INSTALL_SEQUENCE)
+    failed = []
+    succeeded = []
+
+    for i, (name, handler, desc) in enumerate(INSTALL_SEQUENCE, 1):
+        typer.secho(
+            f"\n{'='*60}",
+            fg=typer.colors.CYAN,
+        )
+        typer.secho(
+            f"[{i}/{total}] {name.upper()}: {desc}",
+            fg=typer.colors.CYAN,
+            bold=True,
+        )
+        typer.secho(
+            f"{'='*60}\n",
+            fg=typer.colors.CYAN,
+        )
+
+        try:
+            handler(ctx)
+            succeeded.append(name)
+            typer.secho(f"✓ {name} concluido com sucesso", fg=typer.colors.GREEN)
+        except KeyboardInterrupt:
+            typer.secho(f"\n⚠ Instalacao interrompida pelo usuario no modulo '{name}'", fg=typer.colors.YELLOW)
+            raise typer.Exit(code=130)
+        except Exception as e:
+            failed.append((name, str(e)))
+            typer.secho(f"✗ {name} falhou: {e}", fg=typer.colors.RED)
+
+            if not ctx.dry_run:
+                if not typer.confirm("Continuar com os proximos modulos?", default=True):
+                    break
+
+    # Resumo final
+    typer.echo("\n" + "=" * 60)
+    typer.secho("RESUMO DA INSTALACAO", fg=typer.colors.CYAN, bold=True)
+    typer.echo("=" * 60)
+
+    if succeeded:
+        typer.secho(f"\n✓ Modulos instalados com sucesso ({len(succeeded)}):", fg=typer.colors.GREEN)
+        for name in succeeded:
+            typer.echo(f"    - {name}")
+
+    if failed:
+        typer.secho(f"\n✗ Modulos com falha ({len(failed)}):", fg=typer.colors.RED)
+        for name, error in failed:
+            typer.echo(f"    - {name}: {error}")
+
+    if not failed:
+        typer.secho(
+            "\n✓ INSTALACAO COMPLETA COM SUCESSO!",
+            fg=typer.colors.GREEN,
+            bold=True,
+        )
+        typer.echo("\nProximos passos:")
+        typer.echo("  1. Verifique o cluster: kubectl get nodes")
+        typer.echo("  2. Acesse Grafana: kubectl port-forward svc/grafana 3000:80 -n observability")
+        typer.echo("  3. Adicione workers: kubeadm token create --print-join-command")
+    else:
+        typer.secho(
+            f"\n⚠ Instalacao concluida com {len(failed)} erro(s). Verifique os logs.",
+            fg=typer.colors.YELLOW,
+            bold=True,
+        )

raijin_server/modules/grafana.py

@@ -0,0 +1,69 @@
+"""Configuracao do Grafana via Helm com datasource e dashboards provisionados."""
+
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root, write_file
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando Grafana via Helm...")
+
+    admin_password = typer.prompt("Senha admin do Grafana", default="admin")
+    ingress_host = typer.prompt("Host para acessar o Grafana", default="grafana.local")
+    ingress_class = typer.prompt("IngressClass", default="traefik")
+    tls_secret = typer.prompt("Secret TLS (cert-manager)", default="grafana-tls")
+
+    values_yaml = f"""adminPassword: {admin_password}
+service:
+  type: ClusterIP
+ingress:
+  enabled: true
+  ingressClassName: {ingress_class}
+  hosts:
+    - {ingress_host}
+  tls:
+    - secretName: {tls_secret}
+      hosts:
+        - {ingress_host}
+persistence:
+  enabled: true
+  size: 10Gi
+datasources:
+  datasources.yaml:
+    apiVersion: 1
+    datasources:
+      - name: Prometheus
+        type: prometheus
+        access: proxy
+        url: http://kube-prometheus-stack-prometheus.observability.svc:9090
+        isDefault: true
+        jsonData:
+          timeInterval: 30s
+dashboards:
+  default:
+    kubernetes:
+      gnetId: 6417
+      revision: 1
+      datasource: Prometheus
+    node-exporter:
+      gnetId: 1860
+      revision: 27
+      datasource: Prometheus
+"""
+
+    values_path = Path("/tmp/raijin-grafana-values.yaml")
+    write_file(values_path, values_yaml, ctx)
+
+    helm_upgrade_install(
+        release="grafana",
+        chart="grafana",
+        namespace="observability",
+        repo="grafana",
+        repo_url="https://grafana.github.io/helm-charts",
+        ctx=ctx,
+        values=[],
+        extra_args=["-f", str(values_path)],
+    )

raijin_server/modules/hardening.py

@@ -0,0 +1,47 @@
+"""Tarefas de hardening do sistema."""
+
+import subprocess
+
+import typer
+
+from raijin_server.utils import ExecutionContext, apt_install, apt_update, enable_service, require_root, run_cmd
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Aplicando hardening basico...")
+
+    apt_update(ctx)
+    apt_install(["fail2ban", "unattended-upgrades", "auditd"], ctx)
+
+    enable_service("fail2ban", ctx)
+    # Tenta iniciar auditd mas nao falha o fluxo se o kernel estiver sem auditing.
+    run_cmd(["systemctl", "enable", "--now", "auditd"], ctx, check=False)
+    if not ctx.dry_run:
+        status = subprocess.run(
+            ["systemctl", "is-active", "auditd"],
+            capture_output=True,
+            text=True,
+        )
+        if status.returncode != 0 or status.stdout.strip() != "active":
+            typer.secho(
+                "auditd nao ficou ativo. Verifique se o kernel esta com auditing habilitado (audit=1 no boot).",
+                fg=typer.colors.YELLOW,
+            )
+    run_cmd(
+        ["dpkg-reconfigure", "--priority=low", "unattended-upgrades"],
+        ctx,
+        env={"DEBIAN_FRONTEND": "noninteractive"},
+    )
+
+    # Reforca parametros de rede em tempo de execucao. Ajuste conforme necessidade.
+    sysctls = [
+        "net.ipv4.conf.all.rp_filter=1",
+        "net.ipv4.conf.default.rp_filter=1",
+        "net.ipv4.conf.all.accept_redirects=0",
+        "net.ipv4.conf.default.accept_redirects=0",
+        "net.ipv4.conf.all.send_redirects=0",
+        "net.ipv4.ip_forward=0",
+    ]
+    for param in sysctls:
+        run_cmd(["sysctl", "-w", param], ctx)

raijin_server/modules/harness.py

@@ -0,0 +1,47 @@
+"""Instalacao do Harness Delegate via Helm."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, ensure_tool, require_root, run_cmd
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("helm", ctx, install_hint="Instale helm para implantar o delegate.")
+
+    typer.echo("Instalando Harness Delegate via Helm...")
+    account_id = typer.prompt("Harness accountId")
+    org_id = typer.prompt("Org ID", default="default")
+    project_id = typer.prompt("Project ID", default="default")
+    delegate_name = typer.prompt("Delegate name", default="raijin-delegate")
+    namespace = typer.prompt("Namespace", default="harness-delegate")
+    delegate_token = typer.prompt("Delegate token", hide_input=True)
+
+    run_cmd(
+        ["helm", "repo", "add", "harness", "https://app.harness.io/storage/harness-download/delegate-helm-chart/"],
+        ctx,
+    )
+    run_cmd(["helm", "repo", "update"], ctx)
+
+    cmd = [
+        "helm",
+        "upgrade",
+        "--install",
+        delegate_name,
+        "harness/harness-delegate-ng",
+        "-n",
+        namespace,
+        "--create-namespace",
+        "--set",
+        f"delegateName={delegate_name}",
+        "--set",
+        f"accountId={account_id}",
+        "--set",
+        f"delegateToken={delegate_token}",
+        "--set",
+        f"orgId={org_id}",
+        "--set",
+        f"projectId={project_id}",
+    ]
+
+    run_cmd(cmd, ctx, mask_output=True, display_override="helm upgrade --install <delegate> harness/harness-delegate-ng ...")

raijin_server/modules/istio.py

@@ -0,0 +1,13 @@
+"""Instalacao do Istio usando istioctl."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, ensure_tool, require_root, run_cmd
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("istioctl", ctx, install_hint="Instale o binario do Istio CLI.")
+    typer.echo("Instalando Istio (perfil raijin)...")
+    run_cmd(["istioctl", "install", "--set", "profile=raijin", "-y"], ctx)
+    run_cmd(["kubectl", "label", "namespace", "default", "istio-injection=enabled", "--overwrite"], ctx)

raijin_server/modules/kafka.py

@@ -0,0 +1,34 @@
+"""Deploy do Apache Kafka via Helm (Bitnami OCI)."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando Kafka (Bitnami) via Helm OCI...")
+
+    replicas = typer.prompt("Numero de brokers", default="3")
+    disk_size = typer.prompt("Storage por broker", default="20Gi")
+
+    # Bitnami charts migraram para OCI. Usamos a referencia OCI diretamente.
+    chart_ref = "oci://registry-1.docker.io/bitnamicharts/kafka"
+
+    values = [
+        f"replicaCount={replicas}",
+        "zookeeper.enabled=true",
+        f"persistence.size={disk_size}",
+        "metrics.kafka.enabled=true",
+        "metrics.jmx.enabled=true",
+    ]
+
+    helm_upgrade_install(
+        release="kafka",
+        chart=chart_ref,
+        namespace="kafka",
+        repo=None,
+        repo_url=None,
+        ctx=ctx,
+        values=values,
+    )

raijin_server/modules/kong.py

@@ -0,0 +1,19 @@
+"""Configuracao do Kong via Helm."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando Kong via Helm...")
+    helm_upgrade_install(
+        release="kong",
+        chart="kong",
+        namespace="kong",
+        repo="kong",
+        repo_url="https://charts.konghq.com",
+        ctx=ctx,
+        values=["ingressController.installCRDs=false"],
+    )

raijin_server/modules/kubernetes.py

@@ -0,0 +1,187 @@
+"""Preparacao de cluster Kubernetes com kubeadm."""
+
+import os
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import (
+    ExecutionContext,
+    apt_install,
+    apt_update,
+    enable_service,
+    ensure_tool,
+    require_root,
+    run_cmd,
+    write_file,
+)
+
+
+def _cleanup_old_repo(ctx: ExecutionContext) -> None:
+    """Remove repo legado apt.kubernetes.io se existir para evitar erro 404."""
+
+    repo_file = Path("/etc/apt/sources.list.d/kubernetes.list")
+    if ctx.dry_run:
+        typer.echo("[dry-run] checando repos antigos em /etc/apt/sources.list.d/kubernetes.list")
+        return
+
+    if repo_file.exists():
+        try:
+            content = repo_file.read_text()
+            if "apt.kubernetes.io" in content:
+                repo_file.unlink()
+                typer.echo("Repo antigo apt.kubernetes.io removido.")
+        except Exception:
+            typer.echo("Nao foi possivel ler/remover repo antigo apt.kubernetes.io (ok prosseguir).")
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando e preparando Kubernetes (kubeadm/kubelet/kubectl)...")
+
+    # Verifica se cluster ja foi inicializado
+    kubeconfig_exists = Path("/etc/kubernetes/admin.conf").exists()
+    if kubeconfig_exists and not ctx.dry_run:
+        typer.secho("⚠ Cluster Kubernetes ja parece estar inicializado.", fg=typer.colors.YELLOW)
+        if not typer.confirm("Deseja continuar mesmo assim? (pode causar problemas)"):
+            typer.echo("Operacao cancelada pelo usuario.")
+            return
+
+    _cleanup_old_repo(ctx)
+    apt_update(ctx)
+    apt_install(
+        [
+            "apt-transport-https",
+            "ca-certificates",
+            "curl",
+            "gnupg",
+            "lsb-release",
+            "containerd",
+        ],
+        ctx,
+    )
+
+    # Novo repo oficial (pkgs.k8s.io) substitui apt.kubernetes.io, que nao tem Release em distros recentes.
+    repo_version = "v1.30"
+    key_url = f"https://pkgs.k8s.io/core:/stable:/{repo_version}/deb/Release.key"
+    key_tmp = Path("/tmp/kubernetes-release.key")
+    key_path = Path("/etc/apt/keyrings/kubernetes-apt-keyring.gpg")
+    repo_entry = f"deb [signed-by={key_path}] https://pkgs.k8s.io/core:/stable:/{repo_version}/deb/ /"
+
+    # Verifica se ja tem a chave instalada
+    if not key_path.exists() or ctx.dry_run:
+        typer.echo("Baixando chave GPG do Kubernetes (pkgs.k8s.io)...")
+        run_cmd(
+            [
+                "curl",
+                "-fsSL",
+                "--retry",
+                "3",
+                "--retry-delay",
+                "2",
+                "-o",
+                str(key_tmp),
+                key_url,
+            ],
+            ctx,
+        )
+
+        run_cmd(["mkdir", "-p", "/etc/apt/keyrings"], ctx)
+
+        if not ctx.dry_run:
+            if not key_tmp.exists() or key_tmp.stat().st_size == 0:
+                typer.secho("Falha ao baixar chave GPG do Kubernetes. Verifique conectividade.", fg=typer.colors.RED)
+                raise typer.Exit(code=1)
+            run_cmd(["gpg", "--yes", "--dearmor", "-o", str(key_path), str(key_tmp)], ctx)
+            if not key_path.exists() or key_path.stat().st_size == 0:
+                typer.secho("Chave GPG nao foi gravada corretamente.", fg=typer.colors.RED)
+                raise typer.Exit(code=1)
+            key_tmp.unlink(missing_ok=True)
+    else:
+        typer.echo("Chave GPG do Kubernetes ja existe, pulando download.")
+
+    repo_file = Path("/etc/apt/sources.list.d/kubernetes.list")
+    if not repo_file.exists() or ctx.dry_run:
+        run_cmd(
+            f'echo "{repo_entry}" | tee /etc/apt/sources.list.d/kubernetes.list',
+            ctx,
+            use_shell=True,
+        )
+
+    apt_update(ctx)
+    apt_install(["kubelet", "kubeadm", "kubectl"], ctx)
+
+    # Hold das versoes para evitar upgrades automaticos
+    run_cmd(["apt-mark", "hold", "kubelet", "kubeadm", "kubectl"], ctx, check=False)
+
+    # Configura containerd com SystemdCgroup.
+    run_cmd(["mkdir", "-p", "/etc/containerd"], ctx)
+    
+    # Verifica se config do containerd ja existe
+    containerd_config = Path("/etc/containerd/config.toml")
+    if not containerd_config.exists() or ctx.dry_run:
+        run_cmd("containerd config default > /etc/containerd/config.toml", ctx, use_shell=True)
+    
+    # Aplica SystemdCgroup
+    run_cmd("sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml", ctx, use_shell=True)
+    run_cmd(["systemctl", "restart", "containerd"], ctx, check=False)
+
+    enable_service("containerd", ctx)
+    enable_service("kubelet", ctx)
+
+    # kubeadm exige ip_forward=1; sobrepoe ajuste de hardening para fase de cluster.
+    write_file(Path("/etc/sysctl.d/99-kubernetes.conf"), "net.ipv4.ip_forward=1\n", ctx)
+    run_cmd(["sysctl", "-w", "net.ipv4.ip_forward=1"], ctx, check=False)
+
+    # Prompts de configuracao
+    pod_cidr = typer.prompt("Pod CIDR", default="10.244.0.0/16")
+    service_cidr = typer.prompt("Service CIDR", default="10.96.0.0/12")
+    cluster_name = typer.prompt("Nome do cluster", default="raijin")
+    advertise_address = typer.prompt("API advertise address", default="0.0.0.0")
+
+    kubeadm_config = f"""apiVersion: kubeadm.k8s.io/v1beta3
+kind: ClusterConfiguration
+clusterName: {cluster_name}
+kubernetesVersion: stable
+controlPlaneEndpoint: {advertise_address}:6443
+networking:
+  podSubnet: {pod_cidr}
+  serviceSubnet: {service_cidr}
+apiServer:
+  extraArgs:
+    authorization-mode: Node,RBAC
+  timeoutForControlPlane: 4m0s
+controllerManager: {{}}
+scheduler: {{}}
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+mode: ipvs
+---
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+cgroupDriver: systemd
+"""
+
+    cfg_path = Path("/etc/kubernetes/kubeadm-config.yaml")
+    write_file(cfg_path, kubeadm_config, ctx)
+
+    ensure_tool("kubeadm", ctx, install_hint="Instale kubeadm (apt install kubeadm).")
+    run_cmd(["kubeadm", "config", "images", "pull"], ctx, check=False)
+    run_cmd(["kubeadm", "init", "--config", str(cfg_path), "--upload-certs"], ctx)
+
+    # Configura kubeconfig para root e sudoer.
+    run_cmd(["mkdir", "-p", "/root/.kube"], ctx)
+    run_cmd(["cp", "/etc/kubernetes/admin.conf", "/root/.kube/config"], ctx)
+    run_cmd("chown $(id -u):$(id -g) /root/.kube/config", ctx, use_shell=True)
+
+    sudo_user = os.environ.get("SUDO_USER")
+    if sudo_user:
+        user_home = Path(f"/home/{sudo_user}")
+        kube_dir = user_home / ".kube"
+        run_cmd(["mkdir", "-p", str(kube_dir)], ctx)
+        run_cmd(["cp", "/etc/kubernetes/admin.conf", str(kube_dir / "config")], ctx)
+        run_cmd(["chown", f"{sudo_user}:{sudo_user}", str(kube_dir / "config")], ctx)
+
+    typer.echo("Comando de join para workers:")
+    run_cmd(["kubeadm", "token", "create", "--print-join-command"], ctx, check=False)

raijin_server/modules/loki.py

@@ -0,0 +1,27 @@
+"""Configuracao do Loki via Helm."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando Loki Stack via Helm...")
+
+    values = [
+        "promtail.enabled=true",
+        "loki.persistence.enabled=true",
+        "loki.persistence.size=20Gi",
+        "loki.retentionPeriod=168h",  # 7 dias
+    ]
+
+    helm_upgrade_install(
+        release="loki",
+        chart="loki-stack",
+        namespace="observability",
+        repo="grafana",
+        repo_url="https://grafana.github.io/helm-charts",
+        ctx=ctx,
+        values=values,
+    )

raijin_server/modules/minio.py

@@ -0,0 +1,19 @@
+"""Deploy do MinIO via Helm."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando MinIO via Helm (modo standalone)...")
+    helm_upgrade_install(
+        release="minio",
+        chart="minio",
+        namespace="minio",
+        repo="minio",
+        repo_url="https://charts.min.io/",
+        ctx=ctx,
+        values=["mode=standalone"],
+    )

raijin_server/modules/network.py

@@ -0,0 +1,57 @@
+"""Configuracao de rede (IP fixo) via Netplan."""
+
+import os
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import ExecutionContext, require_root, run_cmd, write_file
+
+
+def _is_wsl() -> bool:
+    if os.environ.get("WSL_DISTRO_NAME"):
+        return True
+    try:
+        data = Path("/proc/version").read_text().lower()
+        return "microsoft" in data or "wsl" in data
+    except OSError:
+        return False
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Configurando IP fixo (Netplan)...")
+
+    wsl = _is_wsl()
+    if wsl:
+        typer.secho(
+            "Ambiente WSL detectado: netplan pode nao ter efeito ou quebrar rede. Use apenas para gerar arquivo.",
+            fg=typer.colors.YELLOW,
+        )
+
+    iface = typer.prompt("Interface", default="ens18")
+    address = typer.prompt("Endereco CIDR", default="192.168.0.10/24")
+    gateway = typer.prompt("Gateway", default="192.168.0.1")
+    dns = typer.prompt("DNS (separe por virgula)", default="1.1.1.1,8.8.8.8")
+
+    dns_list = ",".join([item.strip() for item in dns.split(",") if item.strip()])
+    netplan_content = f"""network:
+  version: 2
+  renderer: networkd
+  ethernets:
+    {iface}:
+      dhcp4: false
+      addresses: [{address}]
+      gateway4: {gateway}
+      nameservers:
+        addresses: [{dns_list}]
+"""
+
+    target = Path("/etc/netplan/01-raijin-static.yaml")
+    write_file(target, netplan_content, ctx)
+
+    apply_now = typer.confirm("Aplicar netplan agora?", default=not wsl)
+    if apply_now:
+        run_cmd(["netplan", "apply"], ctx)
+    else:
+        typer.echo("Netplan nao aplicado (apenas arquivo gerado).")