raijin-server 0.2.6__py3-none-any.whl → 0.2.7__py3-none-any.whl

raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.2.4"
+__version__ = "0.2.7"
 
 __all__ = ["__version__"]

raijin_server/cli.py

@@ -6,6 +6,8 @@ import os
 from pathlib import Path
 from typing import Callable, Dict, Optional
 
+import subprocess
+
 import typer
 from rich import box
 from rich.console import Console
@@ -42,7 +44,7 @@ from raijin_server.modules import (
     velero,
     vpn,
 )
-from raijin_server.utils import ExecutionContext, logger
+from raijin_server.utils import ExecutionContext, logger, active_log_file, available_log_files, page_text, ensure_tool
 from raijin_server.validators import validate_system_requirements, check_module_dependencies
 from raijin_server.healthchecks import run_health_check
 from raijin_server.config import ConfigManager
@@ -131,6 +133,19 @@ MODULE_DESCRIPTIONS: Dict[str, str] = {
 }
 
 
+def _capture_cmd(cmd: list[str], timeout: int = 30) -> str:
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
+        if result.returncode == 0:
+            return result.stdout.strip() or "(sem saida)"
+        return (
+            f"✗ {' '.join(cmd)}\n"
+            f"{(result.stdout or '').strip()}\n{(result.stderr or '').strip()}".strip()
+        )
+    except Exception as exc:
+        return f"✗ {' '.join(cmd)} -> {exc}"
+
+
 def _run_module(ctx: typer.Context, name: str, skip_validation: bool = False) -> None:
     handler = MODULES.get(name)
     if handler is None:
@@ -542,6 +557,120 @@ def cert_list_issuers(ctx: typer.Context) -> None:
         pass
 
 
+# ============================================================================
+# Ferramentas de Depuração / Logs
+# ============================================================================
+debug_app = typer.Typer(help="Ferramentas de depuracao e investigacao de logs")
+app.add_typer(debug_app, name="debug")
+
+
+@debug_app.command(name="logs")
+def debug_logs(
+    lines: int = typer.Option(200, "--lines", "-n", help="Quantidade de linhas ao ler"),
+    follow: bool = typer.Option(False, "--follow", "-f", help="Segue o log com tail -F"),
+    pager: bool = typer.Option(True, "--pager/--no-pager", help="Exibe com less"),
+) -> None:
+    """Mostra logs do raijin-server com opcao de follow."""
+
+    logs = available_log_files()
+    if not logs:
+        typer.secho("Nenhum log encontrado", fg=typer.colors.YELLOW)
+        return
+
+    main_log = active_log_file()
+    typer.echo(f"Log ativo: {main_log}")
+
+    if follow:
+        subprocess.run(["tail", "-n", str(lines), "-F", str(main_log)])
+        return
+
+    chunks = []
+    for path in logs:
+        try:
+            data = path.read_text()
+        except Exception as exc:
+            data = f"[erro ao ler {path}: {exc}]"
+        chunks.append(f"===== {path} =====\n{data}")
+
+    output = "\n\n".join(chunks)
+    if pager:
+        page_text(output)
+    else:
+        typer.echo(output)
+
+
+@debug_app.command(name="kube")
+def debug_kube(
+    ctx: typer.Context,
+    events: int = typer.Option(200, "--events", "-e", help="Quantas linhas finais de eventos exibir"),
+    namespace: Optional[str] = typer.Option(None, "--namespace", "-n", help="Filtra pods/eventos por namespace"),
+    pager: bool = typer.Option(True, "--pager/--no-pager", help="Exibe com less"),
+) -> None:
+    """Snapshot rapido de nodes, pods e eventos do cluster."""
+
+    exec_ctx = ctx.obj or ExecutionContext()
+    ensure_tool("kubectl", exec_ctx)
+
+    sections = []
+    sections.append(("kubectl get nodes -o wide", _capture_cmd(["kubectl", "get", "nodes", "-o", "wide"])))
+
+    pods_cmd: list[str] = ["kubectl", "get", "pods"]
+    if namespace:
+        pods_cmd.extend(["-n", namespace])
+    else:
+        pods_cmd.append("-A")
+    pods_cmd.extend(["-o", "wide"])
+    sections.append(("kubectl get pods", _capture_cmd(pods_cmd)))
+
+    events_cmd: list[str] = ["kubectl", "get", "events"]
+    if namespace:
+        events_cmd.extend(["-n", namespace])
+    else:
+        events_cmd.append("-A")
+    events_cmd.extend(["--sort-by=.lastTimestamp"])
+    events_output = _capture_cmd(events_cmd)
+    if events_output and events > 0:
+        events_output = "\n".join(events_output.splitlines()[-events:])
+    sections.append(("kubectl get events", events_output))
+
+    combined = "\n\n".join([f"[{title}]\n{body}" for title, body in sections])
+    if pager:
+        page_text(combined)
+    else:
+        typer.echo(combined)
+
+
+@debug_app.command(name="journal")
+def debug_journal(
+    ctx: typer.Context,
+    service: str = typer.Option("kubelet", "--service", "-s", help="Unidade systemd para inspecionar"),
+    lines: int = typer.Option(200, "--lines", "-n", help="Linhas a exibir"),
+    follow: bool = typer.Option(False, "--follow", "-f", help="Segue o journal em tempo real"),
+    pager: bool = typer.Option(True, "--pager/--no-pager", help="Exibe com less"),
+) -> None:
+    """Mostra logs de services (ex.: kubelet) via journalctl."""
+
+    exec_ctx = ctx.obj or ExecutionContext()
+    ensure_tool("journalctl", exec_ctx)
+
+    cmd = ["journalctl", "-u", service, "-n", str(lines)]
+    if follow:
+        cmd.append("-f")
+        subprocess.run(cmd)
+        return
+
+    cmd.append("--no-pager")
+    output = _capture_cmd(cmd, timeout=60)
+    if lines > 0:
+        output = "\n".join(output.splitlines()[-lines:])
+
+    text = f"[journalctl -u {service} -n {lines}]\n{output}"
+    if pager:
+        page_text(text)
+    else:
+        typer.echo(text)
+
+
 # ============================================================================
 # Comandos Existentes
 # ============================================================================
@@ -554,8 +683,24 @@ def bootstrap_cmd(ctx: typer.Context) -> None:
 
 
 @app.command(name="full-install")
-def full_install_cmd(ctx: typer.Context) -> None:
+def full_install_cmd(
+    ctx: typer.Context,
+    steps: Optional[str] = typer.Option(None, "--steps", help="Lista de modulos, separado por virgula"),
+    confirm_each: bool = typer.Option(False, "--confirm-each", help="Pedir confirmacao antes de cada modulo"),
+    debug_mode: bool = typer.Option(False, "--debug-mode", help="Habilita snapshots e diagnose pos-modulo"),
+    snapshots: bool = typer.Option(False, "--snapshots", help="Habilita snapshots de cluster apos cada modulo"),
+    post_diagnose: bool = typer.Option(False, "--post-diagnose", help="Executa diagnose pos-modulo quando disponivel"),
+    select_steps: bool = typer.Option(False, "--select-steps", help="Pergunta quais modulos executar antes de iniciar"),
+) -> None:
     """Executa instalacao completa e automatizada do ambiente de producao."""
+    exec_ctx = ctx.obj or ExecutionContext()
+    if steps:
+        exec_ctx.selected_steps = [s.strip() for s in steps.split(",") if s.strip()]
+    exec_ctx.interactive_steps = select_steps
+    exec_ctx.confirm_each_step = confirm_each
+    exec_ctx.debug_snapshots = debug_mode or snapshots or exec_ctx.debug_snapshots
+    exec_ctx.post_diagnose = debug_mode or post_diagnose or exec_ctx.post_diagnose
+    ctx.obj = exec_ctx
     _run_module(ctx, "full_install")
 
 

raijin_server/modules/calico.py

@@ -1,7 +1,8 @@
 """Configuracao de Calico como CNI com CIDR customizado e policies opinativas."""
 
+import json
 from pathlib import Path
-from typing import Iterable
+from typing import Iterable, List
 
 import typer
 
@@ -16,6 +17,7 @@ from raijin_server.utils import (
 
 EGRESS_LABEL_KEY = "networking.raijin.dev/egress"
 EGRESS_LABEL_VALUE = "internet"
+DEFAULT_WORKLOAD_NAMESPACE = "apps"
 
 
 def _apply_policy(content: str, ctx: ExecutionContext, suffix: str) -> None:
@@ -25,6 +27,23 @@ def _apply_policy(content: str, ctx: ExecutionContext, suffix: str) -> None:
     path.unlink(missing_ok=True)
 
 
+def _ensure_namespace(namespace: str, ctx: ExecutionContext) -> None:
+    """Garante que um namespace de workloads exista com labels padrao."""
+    manifest = f"""apiVersion: v1
+kind: Namespace
+metadata:
+  name: {namespace}
+  labels:
+    raijin/workload-profile: production
+    networking.raijin.dev/default-egress: restricted
+"""
+
+    path = Path(f"/tmp/raijin-ns-{namespace}.yaml")
+    write_file(path, manifest, ctx)
+    kubectl_apply(str(path), ctx)
+    path.unlink(missing_ok=True)
+
+
 def _build_default_deny(namespace: str) -> str:
     return f"""apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -62,6 +81,43 @@ def _split_namespaces(raw_value: str) -> Iterable[str]:
     return [ns.strip() for ns in raw_value.split(",") if ns.strip()]
 
 
+def _list_workloads_without_egress(namespaces: List[str], ctx: ExecutionContext) -> None:
+    """Lista workloads sem label de egress e apenas avisa se falhar."""
+    if ctx.dry_run:
+        typer.echo("[dry-run] Skip listagem de workloads para liberação de egress")
+        return
+
+    typer.secho("\nWorkloads sem liberação de egress (adicione label para liberar internet):", fg=typer.colors.CYAN)
+    for ns in namespaces:
+        result = run_cmd(
+            ["kubectl", "get", "deploy,statefulset,daemonset", "-n", ns, "-o", "json"],
+            ctx,
+            check=False,
+        )
+        if result.returncode != 0:
+            msg = (result.stderr or result.stdout or "erro desconhecido").strip()
+            typer.secho(f"  Aviso: nao foi possivel listar workloads em '{ns}' ({msg})", fg=typer.colors.YELLOW)
+            continue
+
+        try:
+            data = json.loads(result.stdout or "{}")
+            items = data.get("items", [])
+            pending = []
+            for item in items:
+                meta = item.get("metadata", {})
+                labels = meta.get("labels", {}) or {}
+                if labels.get(EGRESS_LABEL_KEY) != EGRESS_LABEL_VALUE:
+                    pending.append(f"{meta.get('namespace', ns)}/{meta.get('name', 'desconhecido')}")
+
+            if pending:
+                for name in pending:
+                    typer.echo(f"  - {name}")
+            else:
+                typer.echo(f"  Nenhum workload pendente em '{ns}'")
+        except Exception as exc:
+            typer.secho(f"  Aviso: falha ao processar workloads em '{ns}': {exc}", fg=typer.colors.YELLOW)
+
+
 def _check_cluster_available(ctx: ExecutionContext) -> bool:
     """Verifica se o cluster Kubernetes esta acessivel."""
     if ctx.dry_run:
@@ -99,13 +155,19 @@ def run(ctx: ExecutionContext) -> None:
     typer.echo("Aplicando Calico como CNI...")
     pod_cidr = typer.prompt("Pod CIDR (Calico)", default="10.244.0.0/16")
 
+    typer.secho(
+        f"Criando namespace padrao de workloads '{DEFAULT_WORKLOAD_NAMESPACE}' (production-ready)...",
+        fg=typer.colors.CYAN,
+    )
+    _ensure_namespace(DEFAULT_WORKLOAD_NAMESPACE, ctx)
+
     manifest_url = "https://raw.githubusercontent.com/projectcalico/calico/v3.27.2/manifests/calico.yaml"
     cmd = f"curl -s {manifest_url} | sed 's#192.168.0.0/16#{pod_cidr}#' | kubectl apply -f -"
     run_cmd(cmd, ctx, use_shell=True)
 
     deny_namespaces_raw = typer.prompt(
         "Namespaces para aplicar default-deny (CSV)",
-        default="default",
+        default=DEFAULT_WORKLOAD_NAMESPACE,
     )
     for namespace in _split_namespaces(deny_namespaces_raw):
         typer.echo(f"Aplicando default-deny no namespace '{namespace}'...")
@@ -117,9 +179,12 @@ def run(ctx: ExecutionContext) -> None:
     ):
         allow_namespaces_raw = typer.prompt(
             "Namespaces com pods que precisam acessar APIs externas (CSV)",
-            default="default",
+            default=DEFAULT_WORKLOAD_NAMESPACE,
         )
         cidr = typer.prompt("CIDR liberado (ex.: 0.0.0.0/0)", default="0.0.0.0/0")
+        namespaces = list(_split_namespaces(allow_namespaces_raw))
+        if namespaces:
+            _list_workloads_without_egress(namespaces, ctx)
         for namespace in _split_namespaces(allow_namespaces_raw):
             typer.echo(
                 f"Criando policy allow-egress-internet em '{namespace}' para pods com "

raijin_server/modules/cert_manager.py

@@ -18,6 +18,8 @@ from enum import Enum
 from pathlib import Path
 from typing import Callable, Optional, List
 
+import os
+
 import typer
 
 from raijin_server.utils import (
@@ -34,11 +36,14 @@ CHART_REPO = "https://charts.jetstack.io"
 CHART_NAME = "cert-manager"
 NAMESPACE = "cert-manager"
 MANIFEST_PATH = Path("/tmp/raijin-cert-manager-issuer.yaml")
+HELM_DATA_DIR = Path("/tmp/raijin-helm")
+HELM_REPO_CONFIG = HELM_DATA_DIR / "repositories.yaml"
+HELM_REPO_CACHE = HELM_DATA_DIR / "cache"
 
-# Timeouts mais generosos para ambientes lentos
-WEBHOOK_READY_TIMEOUT = 600  # 10 minutos
-POD_READY_TIMEOUT = 300      # 5 minutos
-CRD_READY_TIMEOUT = 180      # 3 minutos
+# Timeouts enxutos (falha rápida em redes rápidas)
+WEBHOOK_READY_TIMEOUT = 240  # 4 minutos
+POD_READY_TIMEOUT = 180      # 3 minutos
+CRD_READY_TIMEOUT = 120      # 2 minutos
 
 
 class DNSProvider(str, Enum):
@@ -82,6 +87,17 @@ def _get_acme_server(staging: bool) -> str:
     return "https://acme-v02.api.letsencrypt.org/directory"
 
 
+def _helm_env() -> dict:
+    """Garante diretórios de cache/config do Helm isolados em /tmp para evitar erros de permissão."""
+    HELM_DATA_DIR.mkdir(parents=True, exist_ok=True)
+    HELM_REPO_CACHE.mkdir(parents=True, exist_ok=True)
+    return {
+        **os.environ,
+        "HELM_REPOSITORY_CONFIG": str(HELM_REPO_CONFIG),
+        "HELM_REPOSITORY_CACHE": str(HELM_REPO_CACHE),
+    }
+
+
 # =============================================================================
 # Builders de Manifests YAML
 # =============================================================================
@@ -519,6 +535,7 @@ def _add_helm_repo(ctx: ExecutionContext) -> bool:
             capture_output=True,
             text=True,
             timeout=60,
+            env=_helm_env(),
         )
         
         if result.returncode != 0:
@@ -539,6 +556,7 @@ def _add_helm_repo(ctx: ExecutionContext) -> bool:
             capture_output=True,
             text=True,
             timeout=120,
+            env=_helm_env(),
         )
         
         elapsed_update = time.time() - start
@@ -562,8 +580,8 @@ def _add_helm_repo(ctx: ExecutionContext) -> bool:
         return False
 
 
-def _run_helm_install(ctx: ExecutionContext) -> bool:
-    """Executa o helm upgrade --install."""
+def _run_helm_install(ctx: ExecutionContext, attempt: int = 1) -> bool:
+    """Executa o helm upgrade --install, com uma tentativa de retry para repo/config."""
     if ctx.dry_run:
         typer.echo("  [4/5] [dry-run] Executando helm upgrade --install...")
         return True
@@ -574,6 +592,7 @@ def _run_helm_install(ctx: ExecutionContext) -> bool:
     
     cmd = [
         "helm", "upgrade", "--install", "cert-manager", "jetstack/cert-manager",
+        "--repo", CHART_REPO,
         "-n", NAMESPACE,
         "--create-namespace",
         "--set", "installCRDs=true",
@@ -598,6 +617,7 @@ def _run_helm_install(ctx: ExecutionContext) -> bool:
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             text=True,
+            env=_helm_env(),
         )
         
         output_lines = []
@@ -628,7 +648,13 @@ def _run_helm_install(ctx: ExecutionContext) -> bool:
             output = "".join(output_lines[-20:])  # Últimas 20 linhas
             logger.error(f"Helm install falhou (código {return_code}): {output}")
             typer.secho(f"  ✗ Helm install falhou (código {return_code})", fg=typer.colors.RED)
-            
+
+            needs_repo_retry = "repo jetstack not found" in output.lower() or "repositories.yaml" in output.lower()
+            if needs_repo_retry and attempt == 1:
+                typer.echo("  → Reconfigurando repositório Helm e tentando novamente...")
+                if _add_helm_repo(ctx):
+                    return _run_helm_install(ctx, attempt=2)
+
             # Mostra as últimas linhas do erro
             typer.echo("\n  Últimas linhas do log:")
             for line in output_lines[-10:]:

raijin_server/modules/full_install.py

@@ -1,10 +1,13 @@
 """Instalacao completa e automatizada do ambiente produtivo."""
 
 import os
+import subprocess
+from typing import List
 
 import typer
 
 from raijin_server.utils import ExecutionContext, require_root
+from raijin_server.healthchecks import run_health_check
 from raijin_server.modules import (
     bootstrap,
     calico,
@@ -68,6 +71,196 @@ def _cert_manager_install_only(ctx: ExecutionContext) -> None:
         )
 
 
+def _confirm_colored(message: str, default: bool = True) -> bool:
+    """Confirmação com destaque visual."""
+    styled = typer.style(message, fg=typer.colors.YELLOW, bold=True)
+    return typer.confirm(styled, default=default)
+
+
+def _select_steps_interactively() -> List[str] | None:
+    typer.secho("Selecione passos (separados por vírgula) ou ENTER para todos:", fg=typer.colors.CYAN)
+    typer.echo("Exemplo: kubernetes,calico,cert_manager,traefik")
+    answer = typer.prompt("Passos", default="").strip()
+    if not answer:
+        return None
+    steps = [s.strip() for s in answer.split(",") if s.strip()]
+    return steps or None
+
+
+def _kube_snapshot(ctx: ExecutionContext, events: int = 100, namespace: str | None = None) -> None:
+    """Coleta snapshot rápido de cluster para debug (best-effort)."""
+    cmds = []
+    cmds.append(["kubectl", "get", "nodes", "-o", "wide"])
+
+    pods_cmd = ["kubectl", "get", "pods"]
+    if namespace:
+        pods_cmd += ["-n", namespace]
+    else:
+        pods_cmd.append("-A")
+    pods_cmd += ["-o", "wide"]
+    cmds.append(pods_cmd)
+
+    events_cmd = ["kubectl", "get", "events"]
+    if namespace:
+        events_cmd += ["-n", namespace]
+    else:
+        events_cmd.append("-A")
+    events_cmd += ["--sort-by=.lastTimestamp"]
+    cmds.append(events_cmd)
+
+    typer.secho("\n[DEBUG] Snapshot do cluster", fg=typer.colors.CYAN)
+    for cmd in cmds:
+        try:
+            result = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
+            typer.echo(f"$ {' '.join(cmd)}")
+            if result.stdout:
+                lines = result.stdout.strip().splitlines()
+                if cmd is events_cmd:
+                    lines = lines[-events:]
+                typer.echo("\n".join(lines))
+            elif result.stderr:
+                typer.echo(result.stderr.strip())
+        except Exception as exc:
+            typer.secho(f"(snapshot falhou: {exc})", fg=typer.colors.YELLOW)
+
+
+def _run_cmd(title: str, cmd: List[str], ctx: ExecutionContext, tail: int | None = None) -> None:
+    """Executa comando kubectl/helm best-effort para diagnosticos rapidos."""
+    typer.secho(f"\n[diagnose] {title}", fg=typer.colors.CYAN)
+    if ctx.dry_run:
+        typer.echo("[dry-run] comando nao executado")
+        return
+
+    try:
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=40)
+        typer.echo(f"$ {' '.join(cmd)}")
+        output = result.stdout.strip() or result.stderr.strip()
+        if output:
+            lines = output.splitlines()
+            if tail:
+                lines = lines[-tail:]
+            typer.echo("\n".join(lines))
+        else:
+            typer.echo("(sem saida)")
+    except Exception as exc:
+        typer.secho(f"(falha ao executar: {exc})", fg=typer.colors.YELLOW)
+
+
+def _diag_namespace(ns: str, ctx: ExecutionContext, tail_events: int = 50) -> None:
+    _run_cmd(f"Pods em {ns}", ["kubectl", "get", "pods", "-n", ns, "-o", "wide"], ctx)
+    _run_cmd(f"Services em {ns}", ["kubectl", "get", "svc", "-n", ns], ctx)
+    _run_cmd(f"Deployments em {ns}", ["kubectl", "get", "deploy", "-n", ns], ctx)
+    _run_cmd(
+        f"Eventos em {ns}",
+        ["kubectl", "get", "events", "-n", ns, "--sort-by=.lastTimestamp"],
+        ctx,
+        tail=tail_events,
+    )
+
+
+def _diag_calico(ctx: ExecutionContext) -> None:
+    ns = "kube-system"
+    _run_cmd("Calico DaemonSets", ["kubectl", "get", "ds", "-n", ns, "-o", "wide"], ctx)
+    _run_cmd("Calico pods", ["kubectl", "get", "pods", "-n", ns, "-l", "k8s-app=calico-node", "-o", "wide"], ctx)
+    _run_cmd("Calico typha", ["kubectl", "get", "pods", "-n", ns, "-l", "k8s-app=calico-typha", "-o", "wide"], ctx)
+    _run_cmd("Calico events", ["kubectl", "get", "events", "-n", ns, "--sort-by=.lastTimestamp"], ctx, tail=50)
+
+
+def _diag_secrets(ctx: ExecutionContext) -> None:
+    _diag_namespace("kube-system", ctx)
+    _diag_namespace("external-secrets", ctx)
+
+
+def _diag_prometheus(ctx: ExecutionContext) -> None:
+    ns = "observability"
+    _run_cmd("Prometheus pods", ["kubectl", "get", "pods", "-n", ns, "-l", "app.kubernetes.io/name=prometheus"], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_grafana(ctx: ExecutionContext) -> None:
+    ns = "observability"
+    _run_cmd("Grafana svc", ["kubectl", "get", "svc", "-n", ns, "-l", "app.kubernetes.io/name=grafana"], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_loki(ctx: ExecutionContext) -> None:
+    ns = "observability"
+    _run_cmd("Loki statefulsets", ["kubectl", "get", "sts", "-n", ns, "-l", "app.kubernetes.io/name=loki"], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_traefik(ctx: ExecutionContext) -> None:
+    ns = "traefik"
+    _run_cmd("Traefik ingress", ["kubectl", "get", "ingress", "-n", ns], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_observability_ingress(ctx: ExecutionContext) -> None:
+    ns = "observability"
+    _run_cmd("Ingress objects", ["kubectl", "get", "ingress", "-n", ns], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_observability_dashboards(ctx: ExecutionContext) -> None:
+    ns = "observability"
+    _run_cmd("ConfigMaps dashboards", ["kubectl", "get", "configmap", "-n", ns, "-l", "raijin/dashboards=true"], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_minio(ctx: ExecutionContext) -> None:
+    ns = "minio"
+    _diag_namespace(ns, ctx)
+
+
+def _diag_kafka(ctx: ExecutionContext) -> None:
+    ns = "kafka"
+    _run_cmd("Kafka pods", ["kubectl", "get", "pods", "-n", ns, "-o", "wide"], ctx)
+    _diag_namespace(ns, ctx)
+
+
+def _diag_velero(ctx: ExecutionContext) -> None:
+    ns = "velero"
+    _diag_namespace(ns, ctx)
+
+
+def _diag_kong(ctx: ExecutionContext) -> None:
+    ns = "kong"
+    _diag_namespace(ns, ctx)
+
+
+DIAG_HANDLERS = {
+    "cert_manager": cert_manager.diagnose,
+    "calico": _diag_calico,
+    "secrets": _diag_secrets,
+    "prometheus": _diag_prometheus,
+    "grafana": _diag_grafana,
+    "loki": _diag_loki,
+    "traefik": _diag_traefik,
+    "observability_ingress": _diag_observability_ingress,
+    "observability_dashboards": _diag_observability_dashboards,
+    "minio": _diag_minio,
+    "kafka": _diag_kafka,
+    "velero": _diag_velero,
+    "kong": _diag_kong,
+}
+
+
+def _maybe_diagnose(name: str, ctx: ExecutionContext) -> None:
+    try:
+        if name in DIAG_HANDLERS:
+            DIAG_HANDLERS[name](ctx)
+            return
+
+        # fallback: health check se existir
+        ok = run_health_check(name, ctx)
+        if ok:
+            typer.secho(f"[diagnose] {name}: OK", fg=typer.colors.GREEN)
+        else:
+            typer.secho(f"[diagnose] {name}: falhou", fg=typer.colors.YELLOW)
+    except Exception as exc:
+        typer.secho(f"[diagnose] {name} falhou: {exc}", fg=typer.colors.YELLOW)
+
+
 # Ordem de execucao dos modulos para instalacao completa
 # Modulos marcados com skip_env podem ser pulados via variavel de ambiente
 INSTALL_SEQUENCE = [
@@ -108,12 +301,25 @@ def run(ctx: ExecutionContext) -> None:
         fg=typer.colors.CYAN,
     )
 
+    steps_override = ctx.selected_steps
+    if steps_override is None and ctx.interactive_steps:
+        steps_override = _select_steps_interactively()
+
+    # Debug/diagnose menu simples
+    if not ctx.debug_snapshots and not ctx.post_diagnose:
+        typer.secho("Ativar modo debug (snapshots + diagnose pos-modulo)?", fg=typer.colors.YELLOW)
+        if typer.confirm("Habilitar debug?", default=False):
+            ctx.debug_snapshots = True
+            ctx.post_diagnose = True
+
     # Mostra sequencia de instalacao
     typer.echo("Sequencia de instalacao:")
     for i, (name, _, desc, skip_env) in enumerate(INSTALL_SEQUENCE, 1):
         suffix = ""
         if skip_env and os.environ.get(skip_env, "").strip() in ("1", "true", "yes"):
             suffix = " [SKIP]"
+        if steps_override and name not in steps_override:
+            suffix = " [IGNORADO]"
         typer.echo(f"  {i:2}. {name:25} - {desc}{suffix}")
 
     typer.echo("")
@@ -126,7 +332,7 @@ def run(ctx: ExecutionContext) -> None:
     typer.echo("")
 
     if not ctx.dry_run:
-        if not typer.confirm("Deseja continuar com a instalacao completa?", default=True):
+        if not _confirm_colored("Deseja continuar com a instalacao completa?", default=True):
             typer.echo("Instalacao cancelada.")
             raise typer.Exit(code=0)
 
@@ -135,13 +341,25 @@ def run(ctx: ExecutionContext) -> None:
     succeeded = []
     skipped = []
 
+    cluster_ready = False
+
     for i, (name, handler, desc, skip_env) in enumerate(INSTALL_SEQUENCE, 1):
+        if steps_override and name not in steps_override:
+            skipped.append(name)
+            typer.secho(f"⏭ {name} ignorado (fora da lista selecionada)", fg=typer.colors.YELLOW)
+            continue
+
         # Verifica se modulo deve ser pulado via env
         if skip_env and os.environ.get(skip_env, "").strip() in ("1", "true", "yes"):
             skipped.append(name)
             typer.secho(f"⏭ {name} pulado via {skip_env}=1", fg=typer.colors.YELLOW)
             continue
 
+        if ctx.confirm_each_step:
+            if not _confirm_colored(f"Executar modulo '{name}' agora?", default=True):
+                skipped.append(name)
+                continue
+
         typer.secho(
             f"\n{'='*60}",
             fg=typer.colors.CYAN,
@@ -160,6 +378,15 @@ def run(ctx: ExecutionContext) -> None:
             handler(ctx)
             succeeded.append(name)
             typer.secho(f"✓ {name} concluido com sucesso", fg=typer.colors.GREEN)
+
+            if name == "kubernetes":
+                cluster_ready = True
+
+            if ctx.post_diagnose and cluster_ready:
+                _maybe_diagnose(name, ctx)
+
+            if ctx.debug_snapshots and cluster_ready:
+                _kube_snapshot(ctx, events=80)
         except KeyboardInterrupt:
             typer.secho(f"\n⚠ Instalacao interrompida pelo usuario no modulo '{name}'", fg=typer.colors.YELLOW)
             raise typer.Exit(code=130)

raijin_server/modules/prometheus.py

@@ -1,30 +1,115 @@
-"""Configuracao do Prometheus Stack via Helm."""
+"""Configuracao do Prometheus Stack via Helm (robust, production-ready)."""
+
+from __future__ import annotations
 
 import typer
 
-from raijin_server.utils import ExecutionContext, helm_upgrade_install, require_root
+from raijin_server.utils import (
+    ExecutionContext,
+    helm_upgrade_install,
+    kubectl_create_ns,
+    require_root,
+    run_cmd,
+)
+
+DEFAULT_NAMESPACE = "observability"
+
+
+def _get_default_storage_class(ctx: ExecutionContext) -> str:
+    if ctx.dry_run:
+        return ""
+    result = run_cmd(
+        [
+            "kubectl",
+            "get",
+            "storageclass",
+            "-o",
+            "jsonpath={.items[?(@.metadata.annotations['storageclass.kubernetes.io/is-default-class']=='true')].metadata.name}",
+        ],
+        ctx,
+        check=False,
+    )
+    return (result.stdout or "").strip()
+
+
+def _ensure_cluster_access(ctx: ExecutionContext) -> None:
+    if ctx.dry_run:
+        return
+    result = run_cmd(["kubectl", "cluster-info"], ctx, check=False)
+    if result.returncode != 0:
+        typer.secho("Cluster Kubernetes nao acessivel. Verifique kubeconfig/controle-plane.", fg=typer.colors.RED)
+        raise typer.Exit(code=1)
 
 
 def run(ctx: ExecutionContext) -> None:
     require_root(ctx)
+    _ensure_cluster_access(ctx)
+
     typer.echo("Instalando kube-prometheus-stack via Helm...")
 
+    namespace = typer.prompt("Namespace destino", default=DEFAULT_NAMESPACE)
+    kubectl_create_ns(namespace, ctx)
+
+    default_sc = _get_default_storage_class(ctx)
+    enable_persistence = typer.confirm(
+        "Habilitar PVC para Prometheus e Alertmanager?", default=bool(default_sc)
+    )
+
     values = [
         "grafana.enabled=false",
         "prometheus.prometheusSpec.retention=15d",
         "prometheus.prometheusSpec.enableAdminAPI=true",
         "prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false",
-        "prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage=20Gi",
-        "alertmanager.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources.requests.storage=10Gi",
+        "prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false",
         "defaultRules.create=true",
     ]
 
+    extra_args = ["--wait", "--timeout", "5m", "--atomic"]
+
+    chart_version = typer.prompt(
+        "Versao do chart (vazio para latest)",
+        default="",
+    ).strip()
+    if chart_version:
+        extra_args.extend(["--version", chart_version])
+
+    if enable_persistence:
+        storage_class = typer.prompt(
+            "StorageClass para PVC",
+            default=default_sc or "",
+        ).strip()
+        prom_size = typer.prompt("Tamanho PVC Prometheus", default="20Gi")
+        alert_size = typer.prompt("Tamanho PVC Alertmanager", default="10Gi")
+
+        if storage_class:
+            values.extend(
+                [
+                    f"prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName={storage_class}",
+                    f"alertmanager.alertmanagerSpec.storage.volumeClaimTemplate.spec.storageClassName={storage_class}",
+                ]
+            )
+
+        values.extend(
+            [
+                f"prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage={prom_size}",
+                f"alertmanager.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources.requests.storage={alert_size}",
+            ]
+        )
+    else:
+        typer.secho(
+            "PVC desativado: Prometheus/Alertmanager usarao volumes efemeros (sem retenção apos restart).",
+            fg=typer.colors.YELLOW,
+        )
+
     helm_upgrade_install(
         release="kube-prometheus-stack",
         chart="kube-prometheus-stack",
-        namespace="observability",
+        namespace=namespace,
         repo="prometheus-community",
         repo_url="https://prometheus-community.github.io/helm-charts",
         ctx=ctx,
         values=values,
+        extra_args=extra_args,
     )
+
+    typer.secho("kube-prometheus-stack instalado com sucesso.", fg=typer.colors.GREEN)

raijin_server/scripts/install.sh

@@ -38,7 +38,7 @@ echo "Escolha o tipo de instalação:"
 echo "  1) Global (requer sudo, todos os usuários)"
 echo "  2) Virtual env (recomendado para desenvolvimento)"
 echo "  3) User install (apenas usuário atual)"
-read -p "Opção [2]: " INSTALL_TYPE
+read -r -p "Opção [2]: " INSTALL_TYPE
 INSTALL_TYPE=${INSTALL_TYPE:-2}
 
 echo ""
@@ -51,6 +51,7 @@ case $INSTALL_TYPE in
     2)
         echo -e "${YELLOW}Criando virtual environment...${NC}"
         python3 -m venv .venv
+        # shellcheck disable=SC1091
         source .venv/bin/activate
         pip install --upgrade pip
         pip install -e .
@@ -73,7 +74,7 @@ EOF
         
         # Adicionar ao PATH se necessário
         if [[ ":$PATH:" != *":$HOME/.local/bin:"* ]]; then
-            echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
+            echo "export PATH=\"$HOME/.local/bin:$PATH\"" >> ~/.bashrc
             echo -e "${YELLOW}⚠${NC} Adicionado $HOME/.local/bin ao PATH"
             echo "Execute: source ~/.bashrc"
         fi

raijin_server/scripts/log_size_metric.sh

@@ -11,21 +11,25 @@ OUTPUT=${RAIJIN_METRIC_FILE:-/var/lib/node_exporter/textfile_collector/raijin_lo
 # Calcula soma de todos os logs (principal + rotações)
 TOTAL_BYTES=0
 shopt -s nullglob
+
+METRICS_TMP=$(mktemp)
+trap 'rm -f "$METRICS_TMP"' EXIT
+
 for f in "$LOG_DIR"/$LOG_PATTERN; do
   size=$(stat -c%s "$f" 2>/dev/null || echo 0)
   TOTAL_BYTES=$((TOTAL_BYTES + size))
   if [[ "$f" =~ raijin-server\.log(\.\d+)?$ ]]; then
-    printf "raijin_log_size_bytes{file=\"%s\"} %d\n" "$(basename "$f")" "$size"
+    printf "raijin_log_size_bytes{file=\"%s\"} %d\n" "$(basename "$f")" "$size" >> "$METRICS_TMP"
   fi
-done | {
-  # Escreve métricas no arquivo final
-  mkdir -p "$(dirname "$OUTPUT")"
-  {
-    echo "# HELP raijin_log_size_bytes Tamanho dos logs do raijin-server (bytes)"
-    echo "# TYPE raijin_log_size_bytes gauge"
-    cat
-    echo "# HELP raijin_log_size_total_bytes Soma dos logs do raijin-server (bytes)"
-    echo "# TYPE raijin_log_size_total_bytes gauge"
-    echo "raijin_log_size_total_bytes ${TOTAL_BYTES}"
-  } > "$OUTPUT"
-}
+done
+
+# Escreve métricas no arquivo final
+mkdir -p "$(dirname "$OUTPUT")"
+{
+  echo "# HELP raijin_log_size_bytes Tamanho dos logs do raijin-server (bytes)"
+  echo "# TYPE raijin_log_size_bytes gauge"
+  cat "$METRICS_TMP"
+  echo "# HELP raijin_log_size_total_bytes Soma dos logs do raijin-server (bytes)"
+  echo "# TYPE raijin_log_size_total_bytes gauge"
+  echo "raijin_log_size_total_bytes ${TOTAL_BYTES}"
+} > "$OUTPUT"

raijin_server/scripts/pre-deploy-check.sh

@@ -49,6 +49,7 @@ fi
 echo ""
 echo "2. Verificando Sistema Operacional..."
 if [ -f /etc/os-release ]; then
+    # shellcheck disable=SC1091
     . /etc/os-release
     if [[ "$ID" == "ubuntu" ]]; then
         VERSION_NUM=$(echo "$VERSION_ID" | cut -d. -f1)
@@ -152,7 +153,7 @@ STATE_DIRS=("/var/lib/raijin-server/state" "$HOME/.local/share/raijin-server/sta
 FOUND_STATE=0
 for dir in "${STATE_DIRS[@]}"; do
     if [[ -d "$dir" ]]; then
-        MODULE_COUNT=$(ls -1 "$dir"/*.done 2>/dev/null | wc -l)
+        MODULE_COUNT=$(find "$dir" -maxdepth 1 -name '*.done' -type f 2>/dev/null | wc -l)
         if [[ $MODULE_COUNT -gt 0 ]]; then
             check_pass "$MODULE_COUNT modulos concluidos (em $dir)"
             FOUND_STATE=1

raijin_server/utils.py

@@ -29,9 +29,38 @@ BACKUP_COUNT = int(os.environ.get("RAIJIN_LOG_BACKUP_COUNT", 5))
 logger = logging.getLogger("raijin-server")
 logger.setLevel(logging.INFO)
 
-file_handler = RotatingFileHandler(LOG_FILE, maxBytes=MAX_LOG_BYTES, backupCount=BACKUP_COUNT)
+
+def _build_file_handler() -> RotatingFileHandler:
+    """Cria handler com fallback para $HOME quando /var/log exige root."""
+    try:
+        return RotatingFileHandler(LOG_FILE, maxBytes=MAX_LOG_BYTES, backupCount=BACKUP_COUNT)
+    except PermissionError:
+        fallback = Path.home() / ".raijin-server.log"
+        fallback.parent.mkdir(parents=True, exist_ok=True)
+        return RotatingFileHandler(fallback, maxBytes=MAX_LOG_BYTES, backupCount=BACKUP_COUNT)
+
+
+file_handler = _build_file_handler()
 stream_handler = logging.StreamHandler()
 
+
+def active_log_file() -> Path:
+    return Path(getattr(file_handler, "baseFilename", LOG_FILE))
+
+
+def available_log_files() -> list[Path]:
+    base = active_log_file()
+    pattern = base.name + "*"
+    return [p for p in sorted(base.parent.glob(pattern)) if p.is_file()]
+
+
+def page_text(content: str) -> None:
+    pager = shutil.which("less")
+    if pager:
+        subprocess.run([pager, "-R"], input=content, text=True, check=False)
+    else:
+        typer.echo(content)
+
 formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
 file_handler.setFormatter(formatter)
 stream_handler.setFormatter(formatter)
@@ -57,6 +86,13 @@ class ExecutionContext:
     timeout: int = 600  # 10 min for slow connections
     errors: list = field(default_factory=list)
     warnings: list = field(default_factory=list)
+    # Controle interativo/diagnostico
+    selected_steps: list[str] | None = None
+    confirm_each_step: bool = False
+    debug_snapshots: bool = False
+    post_diagnose: bool = False
+    color_prompts: bool = True
+    interactive_steps: bool = False
 
 
 def resolve_script_path(script_name: str) -> Path:

{raijin_server-0.2.6.dist-info → raijin_server-0.2.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.2.6
+Version: 0.2.7
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin
@@ -61,52 +61,29 @@ CLI em Python (Typer) para automatizar setup e hardening de servidores Ubuntu Se
 
 ## Requisitos
 
-- Python >= 3.9
-- Ubuntu Server 20.04+ (testado em 24.04)
-- Permissões root/sudo
-- Conectividade com internet
-- Mínimo 4GB RAM, 20GB disco livre
-- Ferramentas: `curl`, `apt-get`, `systemctl`
+## Instalação (sempre em venv midgard)
 
-Ferramentas adicionais (instaladas pelos módulos quando necessário):
-- `helm` (>=3.8 para OCI)
-- `kubectl`, `kubeadm`
-- `velero`, `istioctl`
-
-## Instalacao
-
-Sem venv (global):
+Use apenas o venv `~/.venvs/midgard` para padronizar ambiente e logs.
 
 ```bash
-python -m pip install .
-```
-
-Com venv (recomendado para desenvolvimento):
-
-```bash
-python -m venv .venv
-source .venv/bin/activate
-python -m pip install -e .
-```
+# 1) Criar/reativar venv midgard
+python3 -m venv ~/.venvs/midgard
+source ~/.venvs/midgard/bin/activate
+pip install -U pip setuptools
 
-### Instalação em Produção (Recomendado)
+# 2) Instalar a partir do source (dev)
+pip install -U raijin-server
 
-Para servidores em produção, use um venv isolado e execute com sudo preservando o ambiente:
+# 3) Uso com sudo preservando o venv
+sudo -E ~/.venvs/midgard/bin/raijin-server --version
+sudo -E ~/.venvs/midgard/bin/raijin-server validate
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install
 
-```bash
-# 1. Sair do venv atual (se estiver ativo)
+# 4) Quando terminar
 deactivate
+```
 
-# 2. (Opcional) Remover venv antigo
-rm -rf ~/.venvs/raijin
-
-# 3. Criar venv novo
-python3 -m venv ~/.venvs/raijin
-source ~/.venvs/raijin/bin/activate
-pip install -U pip setuptools
-
-# 4. Instalar a versão mais recente
-pip install -U raijin-server
+> Dica: se precisar reinstalar, remova o venv (`rm -rf ~/.venvs/midgard`), recrie e repita o passo 2. O `-E` no sudo mantém o venv ativo para o Python.
 
 # 5. Rodar usando root preservando o venv
 sudo -E ~/.venvs/raijin/bin/raijin-server --version
@@ -124,30 +101,70 @@ deactivate
 ### Validar Sistema
 ```bash
 # Verifica se o sistema atende pré-requisitos
-sudo raijin-server validate
+sudo -E ~/.venvs/midgard/bin/raijin-server validate
 ```
 
 ### Menu Interativo
 ```bash
-# Menu visual com stautils.py`: Funções utilitárias com retry, timeout e logging.
-- `src/raijin_server/validators.py`: Validações de pré-requisitos e dependências.
-- `src/raijin_server/healthchecks.py`: Health checks pós-instalação.
-- `src/raijin_server/config.py`: Gerenciamento de configuração via arquivo.
-- `src/raijin_server/modules/`: Automações por tópico (hardening, network, essentials, firewall, kubernetes, calico, istio, traefik, kong, minio, prometheus, grafana, loki, harness, velero, kafka).
-- `src/raijin_server/scripts/`: Shells empacotados usados pelos módulos e scripts auxiliares.
-- `ARCHITECTURE.md`: Visão do desenho técnico.
-- `AUDIT.md`: Relatório completo de auditoria e melhorias.
-- `SECURITY.md`: Como reportar vulnerabilidades
+# Menu visual com atalho para módulos
+sudo -E ~/.venvs/midgard/bin/raijin-server menu
+```
+
 ### Execução Direta de Módulos
 ```bash
 # Executar módulo específico
-sudo raijin-server kubernetes
+sudo -E ~/.venvs/midgard/bin/raijin-server kubernetes
 
 # Dry-run (simula sem aplicar)
-sudo raijin-server --dry-run kubernetes
+sudo -E ~/.venvs/midgard/bin/raijin-server --dry-run kubernetes
 
 # Pular validações (não recomendado)
-sudo raijin-server --skip-validation kubernetes
+sudo -E ~/.venvs/midgard/bin/raijin-server --skip-validation kubernetes
+```
+
+### Instalação Completa com seleção de passos
+```bash
+# Rodar tudo (padrão)
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install
+
+# Escolher passos antes de rodar
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install --select-steps
+
+# Definir lista fixa (ordem original preservada)
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install --steps "kubernetes,calico,cert_manager,traefik"
+
+# Pedir confirmação a cada módulo
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install --confirm-each
+
+# Modo debug: snapshots + diagnose pós-módulo
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install --debug-mode
+
+# Apenas snapshots após cada módulo (pós-kubernetes)
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install --snapshots
+
+# Apenas diagnose pós-módulo (ex.: cert-manager)
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install --post-diagnose
+```
+
+### Depuração e Logs (pós-Kubernetes)
+```bash
+# Ver todos os logs do CLI com pager (less)
+sudo -E ~/.venvs/midgard/bin/raijin-server debug logs --lines 400
+
+# Seguir logs em tempo real
+sudo -E ~/.venvs/midgard/bin/raijin-server debug logs --follow
+
+# Snapshot do cluster: nodes, pods e eventos (últimos 200)
+sudo -E ~/.venvs/midgard/bin/raijin-server debug kube --events 200
+
+# Focar em um namespace (ex.: cert-manager)
+sudo -E ~/.venvs/midgard/bin/raijin-server debug kube --namespace cert-manager --events 150
+
+# Consultar logs do kubelet via journalctl
+sudo -E ~/.venvs/midgard/bin/raijin-server debug journal --service kubelet --lines 300
+
+# Consultar outro serviço systemd (ex.: containerd)
+sudo -E ~/.venvs/midgard/bin/raijin-server debug journal --service containerd --lines 200
 ```
 
 ### Automação via Arquivo de Configuração
@@ -161,41 +178,41 @@ sudo raijin-server --skip-validation kubernetes
 
 ```bash
 # 1. Validar sistema
-sudo raijin-server validate
+sudo -E ~/.venvs/midgard/bin/raijin-server validate
 
 # 2. Base do sistema
-sudo raijin-server essentials
-sudo raijin-server hardening
-sudo raijin-server network   # OPCIONAL: pule se IP já configurado via provedor ISP
-sudo raijin-server firewall
+sudo -E ~/.venvs/midgard/bin/raijin-server essentials
+sudo -E ~/.venvs/midgard/bin/raijin-server hardening
+sudo -E ~/.venvs/midgard/bin/raijin-server network   # OPCIONAL: pule se IP já configurado via provedor ISP
+sudo -E ~/.venvs/midgard/bin/raijin-server firewall
 
 # 3. Kubernetes
-sudo raijin-server kubernetes
-sudo raijin-server calico
-sudo raijin-server secrets
-sudo raijin-server cert-manager
+sudo -E ~/.venvs/midgard/bin/raijin-server kubernetes
+sudo -E ~/.venvs/midgard/bin/raijin-server calico
+sudo -E ~/.venvs/midgard/bin/raijin-server secrets
+sudo -E ~/.venvs/midgard/bin/raijin-server cert-manager
 
 # 4. Ingress (escolha um)
-sudo raijin-server traefik
+sudo -E ~/.venvs/midgard/bin/raijin-server traefik
 # OU
-sudo raijin-server kong
+sudo -E ~/.venvs/midgard/bin/raijin-server kong
 
 # 5. Observabilidade
-sudo raijin-server prometheus
-sudo raijin-server grafana
-sudo raijin-server observability-ingress
-sudo raijin-server observability-dashboards
-sudo raijin-server loki
+sudo -E ~/.venvs/midgard/bin/raijin-server prometheus
+sudo -E ~/.venvs/midgard/bin/raijin-server grafana
+sudo -E ~/.venvs/midgard/bin/raijin-server observability-ingress
+sudo -E ~/.venvs/midgard/bin/raijin-server observability-dashboards
+sudo -E ~/.venvs/midgard/bin/raijin-server loki
 
 # 6. Storage e Mensageria (opcional)
-sudo raijin-server minio
-sudo raijin-server kafka
+sudo -E ~/.venvs/midgard/bin/raijin-server minio
+sudo -E ~/.venvs/midgard/bin/raijin-server kafka
 
 # 7. Backup
-sudo raijin-server velero
+sudo -E ~/.venvs/midgard/bin/raijin-server velero
 
 # 8. Service Mesh (opcional)
-sudo raijin-server istio
+sudo -E ~/.venvs/midgard/bin/raijin-server istio
 ```
 
 ### IP Estático (pular se já configurado)
@@ -208,7 +225,7 @@ O módulo `network` é **opcional** quando:
 Para pular automaticamente em automações:
 ```bash
 export RAIJIN_SKIP_NETWORK=1
-sudo raijin-server full-install
+sudo -E ~/.venvs/midgard/bin/raijin-server full-install
 ```
 
 O módulo detecta automaticamente se já existe um Netplan com IP estático e pergunta
@@ -222,12 +239,12 @@ se deseja pular. Se executar manualmente, basta responder "não" quando pergunta
 ### Comandos Úteis
 ```bash
 # Versão (flag ou comando)
-raijin-server --version
-raijin-server -V
-raijin-server version
+~/.venvs/midgard/bin/raijin-server --version
+~/.venvs/midgard/bin/raijin-server -V
+~/.venvs/midgard/bin/raijin-server version
 
 # Monitorar logs
-tail -f /var/log/raijin-server/raijin-server.log
+sudo -E ~/.venvs/midgard/bin/raijin-server debug logs --follow
 
 # Rotacao de logs (default: 20MB, 5 backups)
 # Ajuste via env:
@@ -317,7 +334,7 @@ O helper garante o caminho absoluto correto independentemente de onde o pacote f
 O módulo [src/raijin_server/modules/apokolips_demo.py](src/raijin_server/modules/apokolips_demo.py) cria um namespace dedicado, ConfigMap com HTML, Deployment NGINX, Service e Ingress Traefik com uma landing page "Apokolips" para validar o tráfego externo.
 
 ```bash
-sudo raijin-server apokolips-demo
+sudo -E ~/.venvs/midgard/bin/raijin-server apokolips-demo
 ```
 
 Personalização rápida:
@@ -364,7 +381,7 @@ Isso permite manter o isolamento padrão enquanto libera acesso seletivo para in
 Execute o modulo `secrets` para instalar os controladores:
 
 ```bash
-sudo raijin-server secrets
+sudo -E ~/.venvs/midgard/bin/raijin-server secrets
 ```
 
 Passos realizados:

{raijin_server-0.2.6.dist-info → raijin_server-0.2.7.dist-info}/RECORD

@@ -1,17 +1,17 @@
-raijin_server/__init__.py,sha256=7-69Vj-HYrv98hWrKmwDqDQ-ehtTqJebx1JeP4St6Q4,94
-raijin_server/cli.py,sha256=PfuIXc-pw1yZtJzCrxDVSWSsPAVBt9wqZBF-dWh6mwo,19274
+raijin_server/__init__.py,sha256=30PUXP9hr-N0U9chGsPaORRkJKEeGnKMrcXhWTwR054,94
+raijin_server/cli.py,sha256=aQxew8FCN-mZoN-ghBasm97gLk5WkOaIcpeucTpXpXY,24821
 raijin_server/config.py,sha256=Dta2CS1d6RgNiQ84P6dTXk98boFrjzuvhs_fCdlm0I4,4810
 raijin_server/healthchecks.py,sha256=BJyWyUDtEswEblvGwWMejtMnsUb8kJcULVdS9iycrcc,14565
-raijin_server/utils.py,sha256=Gs182mcLVM3ClCADFIK9Qi1fQA7BfunaTu0ie-8pAvo,19692
+raijin_server/utils.py,sha256=9RnGnPoUTYOpMVRLNa4P4lIQrJNQLkSkPUxycZRGv78,20827
 raijin_server/validators.py,sha256=qOZMHgwjHogVf17UPlxfUCpQd9qAGQW7tycd8mUvnEs,9404
 raijin_server/modules/__init__.py,sha256=e_IbkhLGPcF8to9QUmIESP6fpcTOYcIhaXLKIvqRJMY,920
 raijin_server/modules/apokolips_demo.py,sha256=8ltsXRbVDwlDwLMIvh02NG-FeAfBWw_v6lh7IGOyNqs,13725
 raijin_server/modules/bootstrap.py,sha256=oVIGNRW_JbgY8zXNHGAIP0vGbbHNHyQexthxo5zhbcw,9762
-raijin_server/modules/calico.py,sha256=a8N7YYv7NoaspPKdhRtwHy3V2mM4cP5xA1H8BwslB18,4139
-raijin_server/modules/cert_manager.py,sha256=Kb8N60j3BDjkNS8t8aTsdsKy5syRWobccP3PBpv-Q8E,45887
+raijin_server/modules/calico.py,sha256=TTPF1bLFdAKb3IVOqFqRxNblULkRmMMRylsIBp4w8I8,6700
+raijin_server/modules/cert_manager.py,sha256=YvqInfnI06VLFEgau4H0koyBxarFh6vwxvhv7HuQ4Z0,46961
 raijin_server/modules/essentials.py,sha256=2xUXCyCQtFGd2DnCKV81N1R6bEJqH8zaet8mLovtQ1I,689
 raijin_server/modules/firewall.py,sha256=h6AISqiZeTinVT7BjmQIS872qRAFZJLg7meqlth3cfw,757
-raijin_server/modules/full_install.py,sha256=aR3yOuD7y0KLI20eMrxuFBNrWWn7JMpI4HFKNizEF3o,7464
+raijin_server/modules/full_install.py,sha256=xiKe2GLuZ97c4YdTmhP-kwDVuJJ9Xq3dlgcLlqSPeYM,15518
 raijin_server/modules/grafana.py,sha256=zxYpWBM-fD8vTgoJ2Hmb9P66wz_JuiidO6_cGK3jG30,1809
 raijin_server/modules/hardening.py,sha256=4hz3ifkMhPlXa2n7gPxN0gitQgzALZ-073vuU3LM4RI,1616
 raijin_server/modules/harness.py,sha256=dhZ89YIhlkuxiRU1deN6wXVWnXm0xeI03PwYf_qgfak,1527
@@ -24,7 +24,7 @@ raijin_server/modules/minio.py,sha256=BVvsEaJlJUV92_ep7pKsBhSYPjWZrDOB3J6XAWYAHY
 raijin_server/modules/network.py,sha256=bwVljaVvTc6FbbD-XtDpqqNL-fXMB9-iWVWsXToBvt4,4804
 raijin_server/modules/observability_dashboards.py,sha256=fVz0WEOQrUTF5rJ__Nu_onyBuwL_exFmysWMmg8AE9w,7319
 raijin_server/modules/observability_ingress.py,sha256=Fh1rlFWueBNHnOkHuoHYyhILmpO-iQXINybSUYbYsHQ,5738
-raijin_server/modules/prometheus.py,sha256=Et-Tj6LrM7WDyoYRSY464E67TrEHbRe2G8T8obagC48,1066
+raijin_server/modules/prometheus.py,sha256=Rs9BREmaoKlyteNdAQZnSIeJfsRO0RQKyyL2gTnXyCw,3716
 raijin_server/modules/sanitize.py,sha256=eytL_mCYF57qnjf6g752VRC4Yl27dDJ0OQP2rjxaR70,4523
 raijin_server/modules/secrets.py,sha256=xpV3gIMnwQdAI2j69Ck5daIK4wlYJA_1rkWTtSfVNk0,3715
 raijin_server/modules/ssh_hardening.py,sha256=oQdk-EVnEHNMKIWvoFuZzI4jK0nNO8IAY4hkB4pj8zw,4025
@@ -33,12 +33,12 @@ raijin_server/modules/velero.py,sha256=_CV0QQnWr5L-CWXDOiD9Ef4J7GaQT-s9yNBwqp_FL
 raijin_server/modules/vpn.py,sha256=hF-0vA17VKTxhQLDBSEeqI5aPQpiaaj4IpUf9l6lr64,8297
 raijin_server/scripts/__init__.py,sha256=deduGfHf8BMVWred4ux5LfBDT2NJ5XYeJAt2sDEU4qs,53
 raijin_server/scripts/checklist.sh,sha256=j6E0Kmk1EfjLvKK1VpCqzXJAXI_7Bm67LK4ndyCxWh0,1842
-raijin_server/scripts/install.sh,sha256=IZOTujOSGmKpznwgL59picsQNVzYkai6FtfFS3Klf34,3908
-raijin_server/scripts/log_size_metric.sh,sha256=rC2Ck4xnYVJV4Qymu24-indC8bkzfZs4FBqqxGPRl1I,1143
-raijin_server/scripts/pre-deploy-check.sh,sha256=naPUgKjnKgsh-eGDH2623C7zcr9VjDEw1H0lfYaXW8c,4853
-raijin_server-0.2.6.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
-raijin_server-0.2.6.dist-info/METADATA,sha256=KXv3RV6GSO2qQJ85n_SFJP6h10rbph0WbTJ611fG-M4,18925
-raijin_server-0.2.6.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-raijin_server-0.2.6.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
-raijin_server-0.2.6.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
-raijin_server-0.2.6.dist-info/RECORD,,
+raijin_server/scripts/install.sh,sha256=Y1ickbQ4siQ0NIPs6UgrqUr8WWy7U0LHmaTQbEgavoI,3949
+raijin_server/scripts/log_size_metric.sh,sha256=Iv4SsX8AuCYRou-klYn32mX41xB6j0xJGLBO6riw4rU,1208
+raijin_server/scripts/pre-deploy-check.sh,sha256=XqMo7IMIpwUHF17YEmU0-cVmTDMoCGMBFnmS39FidI4,4912
+raijin_server-0.2.7.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
+raijin_server-0.2.7.dist-info/METADATA,sha256=YpgpUhp0TYGWYwEkKd8nDpCLY0MfyWsCWPq7D0zTrJQ,20362
+raijin_server-0.2.7.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+raijin_server-0.2.7.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
+raijin_server-0.2.7.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
+raijin_server-0.2.7.dist-info/RECORD,,