raijin-server 0.1.0__py3-none-any.whl

raijin_server/modules/prometheus.py

@@ -0,0 +1,30 @@
+"""Configuracao do Prometheus Stack via Helm."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando kube-prometheus-stack via Helm...")
+
+    values = [
+        "grafana.enabled=false",
+        "prometheus.prometheusSpec.retention=15d",
+        "prometheus.prometheusSpec.enableAdminAPI=true",
+        "prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false",
+        "prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage=20Gi",
+        "alertmanager.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources.requests.storage=10Gi",
+        "defaultRules.create=true",
+    ]
+
+    helm_upgrade_install(
+        release="kube-prometheus-stack",
+        chart="kube-prometheus-stack",
+        namespace="observability",
+        repo="prometheus-community",
+        repo_url="https://prometheus-community.github.io/helm-charts",
+        ctx=ctx,
+        values=values,
+    )

raijin_server/modules/traefik.py

@@ -0,0 +1,40 @@
+"""Configuracao do Traefik via Helm com TLS/ACME e ingressClass."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Instalando Traefik via Helm...")
+
+    acme_email = typer.prompt("Email para ACME/Let's Encrypt", default="admin@example.com")
+    dashboard_host = typer.prompt("Host para dashboard (opcional)", default="traefik.local")
+
+    values = [
+        "ingressClass.enabled=true",
+        "ingressClass.isDefaultClass=true",
+        "ports.web.redirectTo=websecure=true",
+        "ports.websecure.tls.enabled=true",
+        "service.type=LoadBalancer",
+        f"certificatesResolvers.letsencrypt.acme.email={acme_email}",
+        "certificatesResolvers.letsencrypt.acme.storage=/data/acme.json",
+        "certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web",
+        "logs.general.level=INFO",
+        f"providers.kubernetesIngress.ingressClass=traefik",
+    ]
+
+    if dashboard_host:
+        values.append("ingressRoute.dashboard.enabled=true")
+        values.append(f"ingressRoute.dashboard.match=Host(`{dashboard_host}`)")
+
+    helm_upgrade_install(
+        release="traefik",
+        chart="traefik",
+        namespace="traefik",
+        repo="traefik",
+        repo_url="https://traefik.github.io/charts",
+        ctx=ctx,
+        values=values,
+    )

raijin_server/modules/velero.py

@@ -0,0 +1,47 @@
+"""Backup e restore com Velero."""
+
+import typer
+
+from raijin_server.utils import ExecutionContext, ensure_tool, require_root, run_cmd
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    ensure_tool("velero", ctx, install_hint="Instale o binario do Velero.")
+
+    typer.echo("Instalando Velero no cluster...")
+    provider = typer.prompt("Provider", default="aws")
+    bucket = typer.prompt("Bucket", default="velero-backups")
+    region = typer.prompt("Region", default="us-east-1")
+    s3_url = typer.prompt("S3 URL", default="https://s3.amazonaws.com")
+    secret_file = typer.prompt("Arquivo de credenciais (secret-file)", default="/etc/velero/credentials")
+    schedule = typer.prompt("Schedule cron para backups (ex: '0 2 * * *')", default="0 2 * * *")
+
+    run_cmd(
+        [
+            "velero",
+            "install",
+            "--provider",
+            provider,
+            "--bucket",
+            bucket,
+            "--secret-file",
+            secret_file,
+            "--backup-location-config",
+            f"region={region},s3Url={s3_url}",
+            "--use-restic",
+        ],
+        ctx,
+    )
+
+    typer.echo("Criando schedule de backup padrao...")
+    run_cmd([
+        "velero",
+        "create",
+        "schedule",
+        "raijin-daily",
+        "--schedule",
+        schedule,
+        "--include-namespaces",
+        "*",
+    ], ctx, check=False)

raijin_server/modules/vpn.py

@@ -0,0 +1,152 @@
+"""Configuracao de servidor WireGuard e cliente inicial."""
+
+from __future__ import annotations
+
+import ipaddress
+import os
+import subprocess
+import textwrap
+from pathlib import Path
+
+import typer
+
+from raijin_server.utils import (
+    ExecutionContext,
+    apt_install,
+    logger,
+    require_root,
+    run_cmd,
+    write_file,
+)
+
+WIREGUARD_DIR = Path("/etc/wireguard")
+CLIENTS_DIR = WIREGUARD_DIR / "clients"
+SYSCTL_FILE = Path("/etc/sysctl.d/99-wireguard.conf")
+
+
+def _generate_keypair(
+    label: str,
+    private_path: Path,
+    public_path: Path,
+    ctx: ExecutionContext,
+) -> tuple[str, str]:
+    """Gera (ou reutiliza) chaves WireGuard, respeitando dry-run."""
+
+    if ctx.dry_run:
+        typer.echo(f"[dry-run] Geraria chaves WireGuard para {label}")
+        return ("DRY_RUN_PRIVATE_KEY", "DRY_RUN_PUBLIC_KEY")
+
+    if private_path.exists() and public_path.exists():
+        return (private_path.read_text().strip(), public_path.read_text().strip())
+
+    try:
+        result = subprocess.run(["wg", "genkey"], capture_output=True, text=True, check=True)
+        private_key = result.stdout.strip()
+        pub_result = subprocess.run(
+            ["wg", "pubkey"],
+            input=private_key,
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        public_key = pub_result.stdout.strip()
+    except subprocess.CalledProcessError as exc:
+        msg = f"Falha ao gerar chaves WireGuard ({label}): {exc.stderr or exc}"
+        ctx.errors.append(msg)
+        raise typer.Exit(code=1) from exc
+
+    private_path.parent.mkdir(parents=True, exist_ok=True)
+    private_path.write_text(private_key + "\n")
+    public_path.write_text(public_key + "\n")
+    os.chmod(private_path, 0o600)
+    os.chmod(public_path, 0o600)
+    logger.info("Chaves WireGuard gravadas em %s e %s", private_path, public_path)
+
+    return private_key, public_key
+
+
+def run(ctx: ExecutionContext) -> None:
+    require_root(ctx)
+    typer.echo("Configurando WireGuard (VPN site-to-site)...")
+
+    apt_install(["wireguard", "wireguard-tools", "qrencode"], ctx)
+
+    interface = typer.prompt("Interface WireGuard", default="wg0")
+    vpn_cidr = typer.prompt("Rede VPN (CIDR)", default="10.8.0.0/24")
+    network = ipaddress.ip_network(vpn_cidr)
+    hosts = list(network.hosts())
+    default_server_ip = str(hosts[0]) if hosts else str(network.network_address + 1)
+    default_client_ip = str(hosts[1]) if len(hosts) > 1 else str(network.network_address + 2)
+
+    server_ip = typer.prompt("IP do servidor na VPN", default=default_server_ip)
+    server_address = f"{server_ip}/{network.prefixlen}"
+    client_name = typer.prompt("Nome do cliente inicial", default="admin")
+    client_ip = typer.prompt("IP do cliente inicial", default=default_client_ip)
+    client_address = typer.prompt("Endereco/CIDR do cliente", default=f"{client_ip}/32")
+
+    listen_port = typer.prompt("Porta WireGuard", default="51820")
+    public_endpoint = typer.prompt("IP/Dominio publico de acesso", default="vpn.example.com")
+    egress_iface = typer.prompt("Interface de saida (para NAT)", default="eth0")
+    dns_servers = typer.prompt("DNS entregues aos clientes", default="1.1.1.1,8.8.8.8")
+    keepalive = typer.prompt("PersistentKeepalive (segundos)", default="25")
+
+    server_private_path = WIREGUARD_DIR / f"{interface}.key"
+    server_public_path = WIREGUARD_DIR / f"{interface}.pub"
+    client_private_path = CLIENTS_DIR / f"{client_name}.key"
+    client_public_path = CLIENTS_DIR / f"{client_name}.pub"
+
+    server_private, server_public = _generate_keypair("servidor", server_private_path, server_public_path, ctx)
+    client_private, client_public = _generate_keypair("cliente", client_private_path, client_public_path, ctx)
+
+    server_conf_path = WIREGUARD_DIR / f"{interface}.conf"
+    client_conf_path = CLIENTS_DIR / f"{client_name}.conf"
+
+    server_config = textwrap.dedent(
+        f"""
+        [Interface]
+        Address = {server_address}
+        ListenPort = {listen_port}
+        PrivateKey = {server_private}
+        SaveConfig = true
+        PostUp = iptables -A FORWARD -i {interface} -j ACCEPT; iptables -A FORWARD -o {interface} -j ACCEPT; iptables -t nat -A POSTROUTING -o {egress_iface} -j MASQUERADE
+        PostDown = iptables -D FORWARD -i {interface} -j ACCEPT; iptables -D FORWARD -o {interface} -j ACCEPT; iptables -t nat -D POSTROUTING -o {egress_iface} -j MASQUERADE
+
+        [Peer]
+        # {client_name}
+        PublicKey = {client_public}
+        AllowedIPs = {client_address}
+        """
+    ).strip() + "\n"
+
+    client_config = textwrap.dedent(
+        f"""
+        [Interface]
+        PrivateKey = {client_private}
+        Address = {client_address}
+        DNS = {dns_servers}
+
+        [Peer]
+        PublicKey = {server_public}
+        AllowedIPs = {network.with_prefixlen}
+        Endpoint = {public_endpoint}:{listen_port}
+        PersistentKeepalive = {keepalive}
+        """
+    ).strip() + "\n"
+
+    sysctl_content = "net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n"
+
+    write_file(server_conf_path, server_config, ctx, mode=0o600)
+    write_file(client_conf_path, client_config, ctx, mode=0o600)
+    write_file(SYSCTL_FILE, sysctl_content, ctx)
+
+    run_cmd(["sysctl", "-p", str(SYSCTL_FILE)], ctx)
+    run_cmd(["ufw", "allow", f"{listen_port}/udp"], ctx, check=False)
+    run_cmd(["systemctl", "enable", "--now", f"wg-quick@{interface}"], ctx)
+
+    typer.secho("\n✓ WireGuard configurado com sucesso!", fg=typer.colors.GREEN, bold=True)
+    typer.echo(f"Configuracao do servidor: {server_conf_path}")
+    typer.echo(f"Cliente inicial salvo em: {client_conf_path}")
+    typer.echo("Para gerar QR code no terminal: qrencode -t ansiutf8 < {client_conf_path}")
+    typer.echo("Para novos clientes, gere chaves com 'wg genkey' e adicione entradas em ambos os arquivos.")
+    typer.echo("Clientes Linux/macOS: sudo wg-quick up ./cliente.conf | Windows: importe o arquivo no app WireGuard.")
+```}```} CPU? Need to ensure string quotes? there is newline with braces? we used f string in echo referencing braces? we inserted literal braces within string? `typer.echo(

raijin_server/utils.py

@@ -0,0 +1,241 @@
+"""Utilitarios compartilhados para execucao dos modulos."""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+import platform
+import shlex
+import shutil
+import subprocess
+import time
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Iterable, Mapping, MutableMapping, Sequence
+
+import typer
+
+# Configuracao de logging estruturado
+LOG_DIR = Path("/var/log/raijin-server")
+try:
+    LOG_DIR.mkdir(parents=True, exist_ok=True)
+    LOG_FILE = LOG_DIR / "raijin-server.log"
+except PermissionError:
+    LOG_FILE = Path.home() / ".raijin-server.log"
+
+logging.basicConfig(
+    level=logging.INFO,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
+    handlers=[
+        logging.FileHandler(LOG_FILE),
+        logging.StreamHandler()
+    ]
+)
+logger = logging.getLogger('raijin-server')
+
+
+@dataclass
+class ExecutionContext:
+    """Contexto de execucao compartilhado entre modulos."""
+
+    dry_run: bool = False
+    assume_yes: bool = True
+    max_retries: int = 3
+    retry_delay: int = 5
+    timeout: int = 300
+    errors: list = field(default_factory=list)
+    warnings: list = field(default_factory=list)
+
+
+def _format_cmd(cmd: Sequence[str] | str) -> str:
+    if isinstance(cmd, str):
+        return cmd
+    return " ".join(shlex.quote(str(part)) for part in cmd)
+
+
+def run_cmd(
+    cmd: Sequence[str] | str,
+    ctx: ExecutionContext,
+    *,
+    env: Mapping[str, str] | None = None,
+    cwd: str | None = None,
+    check: bool = True,
+    use_shell: bool = False,
+    mask_output: bool = False,
+    display_override: str | None = None,
+    retries: int | None = None,
+) -> subprocess.CompletedProcess:
+    """Executa comando exibindo (ou mascarando) a linha usada.
+
+    Quando `dry_run` esta ativo, apenas mostra a linha sem executar.
+    Suporta retry automatico para comandos que podem falhar temporariamente.
+    """
+
+    display = display_override or _format_cmd(cmd)
+    prefix = "[dry-run] " if ctx.dry_run else ""
+    if mask_output:
+        logger.info("Executando comando com argumentos sensiveis (masked)")
+        typer.echo(f"{prefix}[masked] comando executado (argumentos sensiveis ocultos)")
+    else:
+        logger.info(f"Executando: {display}")
+        typer.echo(f"{prefix}$ {display}")
+
+    if ctx.dry_run:
+        return subprocess.CompletedProcess(args=cmd, returncode=0)
+
+    merged_env: MutableMapping[str, str] = os.environ.copy()
+    if env:
+        merged_env.update(env)
+
+    max_attempts = retries if retries is not None else (ctx.max_retries if check else 1)
+    last_error = None
+
+    for attempt in range(1, max_attempts + 1):
+        try:
+            result = subprocess.run(
+                cmd,
+                shell=use_shell,
+                check=check,
+                cwd=cwd,
+                env=merged_env,
+                timeout=ctx.timeout,
+                capture_output=True,
+                text=True,
+            )
+            if result.returncode == 0 or not check:
+                return result
+        except subprocess.TimeoutExpired as e:
+            last_error = e
+            msg = f"Comando timeout apos {ctx.timeout}s (tentativa {attempt}/{max_attempts})"
+            logger.warning(msg)
+            ctx.warnings.append(msg)
+            if attempt < max_attempts:
+                time.sleep(ctx.retry_delay)
+        except subprocess.CalledProcessError as e:
+            last_error = e
+            msg = f"Comando falhou com codigo {e.returncode} (tentativa {attempt}/{max_attempts})"
+            logger.error(f"{msg}: {e.stderr if hasattr(e, 'stderr') else ''}")
+            if attempt < max_attempts:
+                typer.secho(f"Tentando novamente em {ctx.retry_delay}s...", fg=typer.colors.YELLOW)
+                time.sleep(ctx.retry_delay)
+            else:
+                ctx.errors.append(msg)
+                if check:
+                    raise
+        except Exception as e:
+            last_error = e
+            msg = f"Erro inesperado: {type(e).__name__}: {e}"
+            logger.error(msg)
+            ctx.errors.append(msg)
+            if check:
+                raise
+
+    if check and last_error:
+        raise last_error
+
+    return subprocess.CompletedProcess(args=cmd, returncode=1)
+
+
+def require_root(ctx: ExecutionContext) -> None:
+    """Encerra se o usuario atual nao for root."""
+
+    if ctx.dry_run:
+        typer.echo("[dry-run] Validacao de root ignorada.")
+        return
+    if os.geteuid() != 0:
+        typer.secho("Este comando precisa ser executado como root (sudo).", fg=typer.colors.RED)
+        raise typer.Exit(code=1)
+
+
+def ensure_tool(name: str, ctx: ExecutionContext, install_hint: str = "") -> None:
+    """Valida que um binario esta disponivel no PATH (ignora quando dry-run)."""
+
+    if ctx.dry_run:
+        return
+    if shutil.which(name) is None:
+        hint = f" {install_hint}" if install_hint else ""
+        typer.secho(f"Ferramenta '{name}' nao encontrada.{hint}", fg=typer.colors.RED)
+        raise typer.Exit(code=1)
+
+
+def apt_update(ctx: ExecutionContext) -> None:
+    run_cmd(["apt-get", "update"], ctx)
+
+
+def apt_install(packages: Iterable[str], ctx: ExecutionContext) -> None:
+    pkgs = list(packages)
+    if not pkgs:
+        return
+    run_cmd(
+        ["apt-get", "install", "-y", *pkgs],
+        ctx,
+        env={"DEBIAN_FRONTEND": "noninteractive"},
+    )
+
+
+def enable_service(name: str, ctx: ExecutionContext) -> None:
+    run_cmd(["systemctl", "enable", "--now", name], ctx)
+
+
+def write_file(path: Path, content: str, ctx: ExecutionContext, *, mode: int = 0o644) -> None:
+    """Escreve conteudo em arquivo respeitando dry-run."""
+
+    if ctx.dry_run:
+        typer.echo(f"[dry-run] escrever {path} (mode {oct(mode)}):\n{content}")
+        return
+
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(content)
+    os.chmod(path, mode)
+    typer.echo(f"Arquivo escrito: {path}")
+
+
+def helm_repo_add(name: str, url: str, ctx: ExecutionContext) -> None:
+    run_cmd(["helm", "repo", "add", name, url], ctx)
+
+
+def helm_repo_update(ctx: ExecutionContext) -> None:
+    run_cmd(["helm", "repo", "update"], ctx)
+
+
+def helm_upgrade_install(
+    release: str,
+    chart: str,
+    namespace: str,
+    ctx: ExecutionContext,
+    *,
+    repo: str | None = None,
+    repo_url: str | None = None,
+    values: list[str] | None = None,
+    create_namespace: bool = True,
+    extra_args: list[str] | None = None,
+) -> None:
+    """Executa helm upgrade --install com opcoes comuns."""
+
+    ensure_tool("helm", ctx, install_hint="Instale helm ou habilite dry-run para so visualizar.")
+    if repo and repo_url:
+        helm_repo_add(repo, repo_url, ctx)
+        helm_repo_update(ctx)
+        chart_ref = f"{repo}/{chart}"
+    else:
+        chart_ref = chart
+
+    cmd = ["helm", "upgrade", "--install", release, chart_ref, "-n", namespace]
+    if create_namespace:
+        cmd.append("--create-namespace")
+    for value in values or []:
+        cmd.extend(["--set", value])
+    if extra_args:
+        cmd.extend(extra_args)
+    run_cmd(cmd, ctx)
+
+
+def kubectl_apply(target: str, ctx: ExecutionContext) -> None:
+    ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
+    run_cmd(["kubectl", "apply", "-f", target], ctx)
+
+
+def kubectl_create_ns(namespace: str, ctx: ExecutionContext) -> None:
+    ensure_tool("kubectl", ctx, install_hint="Instale kubectl ou habilite dry-run.")
+    run_cmd(["kubectl", "create", "namespace", namespace], ctx, check=False)