raijin-server 0.2.7__py3-none-any.whl → 0.2.10__py3-none-any.whl

raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.2.7"
+__version__ = "0.2.10"
 
 __all__ = ["__version__"]

raijin_server/cli.py

@@ -45,7 +45,7 @@ from raijin_server.modules import (
     vpn,
 )
 from raijin_server.utils import ExecutionContext, logger, active_log_file, available_log_files, page_text, ensure_tool
-from raijin_server.validators import validate_system_requirements, check_module_dependencies
+from raijin_server.validators import validate_system_requirements, check_module_dependencies, MODULE_DEPENDENCIES
 from raijin_server.healthchecks import run_health_check
 from raijin_server.config import ConfigManager
 
@@ -85,9 +85,9 @@ MODULES: Dict[str, Callable[[ExecutionContext], None]] = {
     "vpn": vpn.run,
     "kubernetes": kubernetes.run,
     "calico": calico.run,
+    "traefik": traefik.run,  # mover antes do cert_manager para refletir dependencia
     "cert_manager": cert_manager.run,
     "istio": istio.run,
-    "traefik": traefik.run,
     "kong": kong.run,
     "minio": minio.run,
     "prometheus": prometheus.run,
@@ -103,6 +103,11 @@ MODULES: Dict[str, Callable[[ExecutionContext], None]] = {
     "full_install": full_install.run,
 }
 
+# Rollbacks sao opcionais; por padrao apenas removem marcador de conclusao e avisam
+ROLLBACK_HANDLERS: Dict[str, Callable[[ExecutionContext], None]] = {
+    # Exemplos para futuras customizacoes: "traefik": traefik.rollback
+}
+
 MODULE_DESCRIPTIONS: Dict[str, str] = {
     "sanitize": "Remove instalacoes antigas de Kubernetes e prepara ambiente",
     "bootstrap": "Instala ferramentas: helm, kubectl, istioctl, velero, containerd",
@@ -253,6 +258,79 @@ def _is_completed(name: str) -> bool:
     return _state_file(name).exists()
 
 
+def _clear_completed(name: str) -> None:
+    try:
+        path = _state_file(name)
+        if path.exists():
+            path.unlink()
+            typer.secho(f"Estado removido: {name}", fg=typer.colors.YELLOW)
+    except Exception as exc:
+        console.print(f"[yellow]Nao foi possivel limpar estado de {name}: {exc}[/yellow]")
+
+
+def _dependents_of(module: str) -> list[str]:
+    dependents = []
+    for mod, deps in MODULE_DEPENDENCIES.items():
+        if module in deps:
+            dependents.append(mod)
+    return dependents
+
+
+def _default_rollback(exec_ctx: ExecutionContext, name: str) -> None:
+    """Rollback padrao: nao aplica alteracoes, apenas sinaliza ausencia de implementacao."""
+    if exec_ctx.dry_run:
+        typer.secho(f"[dry-run] Rollback para '{name}' nao automatizado (necessario reverter manualmente).", fg=typer.colors.YELLOW)
+    else:
+        typer.secho(
+            f"Rollback para '{name}' ainda nao foi automatizado. Reverta recursos manualmente e reexecute se necessario.",
+            fg=typer.colors.YELLOW,
+        )
+
+
+def _get_rollback_handler(name: str) -> Callable[[ExecutionContext], None]:
+    return ROLLBACK_HANDLERS.get(name, lambda ctx: _default_rollback(ctx, name))
+
+
+def _rollback_module(
+    ctx: typer.Context,
+    name: str,
+    *,
+    cascade_prompt: bool = True,
+    visited: set[str] | None = None,
+) -> None:
+    handler = _get_rollback_handler(name)
+    exec_ctx = ctx.obj or ExecutionContext()
+
+    visited = visited or set()
+    if name in visited:
+        return
+    visited.add(name)
+
+    dependents = _dependents_of(name)
+    completed_dependents = [dep for dep in dependents if _is_completed(dep)]
+
+    if completed_dependents and cascade_prompt:
+        typer.secho(
+            "Dependencias detectadas apos este modulo: " + ", ".join(completed_dependents),
+            fg=typer.colors.YELLOW,
+        )
+        typer.secho(
+            "Rollback em cascata vai tentar reverter esses modulos primeiro para evitar estado inconsistente.",
+            fg=typer.colors.YELLOW,
+        )
+        if not typer.confirm("Prosseguir com rollback em cascata?", default=False):
+            typer.secho("Rollback cancelado.", fg=typer.colors.RED)
+            return
+
+        for dep in completed_dependents:
+            _rollback_module(ctx, dep, cascade_prompt=False, visited=visited)
+
+    typer.secho(f"\n[ROLLBACK] {name}", fg=typer.colors.CYAN, bold=True)
+    handler(exec_ctx)
+    _clear_completed(name)
+    typer.secho(f"Rollback finalizado (best-effort) para {name}\n", fg=typer.colors.GREEN)
+
+
 def _render_menu(dry_run: bool) -> int:
     table = Table(
         title="Selecione um modulo para executar",
@@ -326,9 +404,21 @@ def interactive_menu(ctx: typer.Context) -> None:
             console.print("[red]Opcao invalida[/red]")
             continue
 
+        action = Prompt.ask(
+            "Acao (e=executar, r=rollback, c=cancelar)",
+            choices=["e", "r", "c"],
+            default="e",
+        )
+
         exec_ctx = ExecutionContext(dry_run=current_dry_run)
         ctx.obj = exec_ctx
-        _run_module(ctx, name)
+
+        if action == "e":
+            _run_module(ctx, name)
+        elif action == "r":
+            _rollback_module(ctx, name)
+        else:
+            console.print("[yellow]Acao cancelada[/yellow]")
         # Loop continua e menu eh re-renderizado, refletindo status atualizado quando nao eh dry-run.
 
 
@@ -375,6 +465,21 @@ def menu(ctx: typer.Context) -> None:
     interactive_menu(ctx)
 
 
+@app.command()
+def rollback(
+    ctx: typer.Context,
+    module: str = typer.Argument(..., help="Modulo a reverter"),
+    cascade: bool = typer.Option(
+        True,
+        "--cascade/--no-cascade",
+        help="Quando habilitado, pergunta e aplica rollback em dependentes concluidos primeiro",
+    ),
+) -> None:
+    """Executa rollback best-effort de um modulo (com aviso sobre dependencias)."""
+
+    _rollback_module(ctx, module, cascade_prompt=cascade)
+
+
 @app.command()
 def hardening(ctx: typer.Context) -> None:
     _run_module(ctx, "hardening")

raijin_server/config.py

@@ -78,15 +78,15 @@ class ConfigManager:
             "modules": {
                 "network": {
                     "interface": "ens18",
-                    "address": "192.168.0.10/24",
-                    "gateway": "192.168.0.1",
-                    "dns": "1.1.1.1,8.8.8.8",
+                    "address": "192.168.1.81/24",
+                    "gateway": "192.168.1.254",
+                    "dns": "177.128.80.44,177.128.80.45",
                 },
                 "kubernetes": {
                     "pod_cidr": "10.244.0.0/16",
                     "service_cidr": "10.96.0.0/12",
                     "cluster_name": "raijin",
-                    "advertise_address": "0.0.0.0",
+                    "advertise_address": "192.168.1.81",
                 },
                 "calico": {
                     "pod_cidr": "10.244.0.0/16",

raijin_server/healthchecks.py

@@ -124,6 +124,21 @@ def check_k8s_pods_in_namespace(namespace: str, ctx: ExecutionContext, timeout:
     )
 
 
+def check_swap_disabled(ctx: ExecutionContext) -> tuple[bool, str]:
+    """Confirma que nao ha swap ativa (requisito kubeadm/kubelet)."""
+    if ctx.dry_run:
+        return True, "dry-run"
+    try:
+        with open("/proc/swaps") as f:
+            lines = f.read().strip().splitlines()
+        # /proc/swaps tem header + linhas; se so header, swap esta off
+        if len(lines) <= 1:
+            return True, "swap desativada"
+        return False, "swap ativa (remova entradas do fstab e execute swapoff -a)"
+    except Exception as exc:
+        return False, f"falha ao verificar swap: {exc}"
+
+
 def check_helm_release(release: str, namespace: str, ctx: ExecutionContext) -> Tuple[bool, str]:
     """Verifica status de um release Helm."""
     if ctx.dry_run:
@@ -217,6 +232,13 @@ def verify_kubernetes(ctx: ExecutionContext) -> bool:
     services = ["kubelet", "containerd"]
     all_ok = True
 
+    swap_ok, swap_msg = check_swap_disabled(ctx)
+    if swap_ok:
+        typer.secho(f"  ✓ Swap: {swap_msg}", fg=typer.colors.GREEN)
+    else:
+        typer.secho(f"  ✗ Swap: {swap_msg}", fg=typer.colors.RED)
+        all_ok = False
+
     for service in services:
         ok, status = check_systemd_service(service, ctx)
         if ok:

raijin_server/modules/kubernetes.py

@@ -17,6 +17,12 @@ from raijin_server.utils import (
 )
 
 
+CALICO_VERSION = "v3.28.0"
+CALICO_URL = f"https://raw.githubusercontent.com/projectcalico/calico/{CALICO_VERSION}/manifests/calico.yaml"
+DEFAULT_CNI = os.environ.get("RAIJIN_CNI", "calico").lower()  # calico|none
+FORCE_CNI = os.environ.get("RAIJIN_FORCE_CNI", "0") == "1"
+
+
 def _cleanup_old_repo(ctx: ExecutionContext) -> None:
     """Remove repo legado apt.kubernetes.io se existir para evitar erro 404."""
 
@@ -49,6 +55,69 @@ def _reset_cluster(ctx: ExecutionContext) -> None:
     typer.secho("✓ Limpeza concluida.", fg=typer.colors.GREEN)
 
 
+def _cni_present(ctx: ExecutionContext) -> bool:
+    """Detecta se ja existe um CNI aplicado (qualquer DaemonSet tipico)."""
+
+    result = run_cmd(
+        [
+            "kubectl",
+            "get",
+            "daemonset",
+            "-n",
+            "kube-system",
+            "-o",
+            "jsonpath={.items[*].metadata.name}",
+        ],
+        ctx,
+        check=False,
+    )
+    if result.returncode != 0:
+        return False
+    names = (result.stdout or "").split()
+    for name in names:
+        if any(token in name for token in ("calico", "cilium", "flannel", "weave", "canal")):
+            return True
+    return False
+
+
+def _apply_calico(pod_cidr: str, ctx: ExecutionContext) -> None:
+    """Aplica Calico com CIDR alinhado ao podSubnet informado."""
+
+    typer.echo(f"Aplicando Calico ({CALICO_VERSION}) com pod CIDR {pod_cidr}...")
+
+    if ctx.dry_run:
+        typer.echo("[dry-run] kubectl apply -f <calico.yaml>")
+        return
+
+    cmd = (
+        f"curl -fsSL --retry 3 --retry-delay 2 {CALICO_URL} "
+        f"| sed 's#192.168.0.0/16#{pod_cidr}#g' "
+        f"| kubectl apply -f -"
+    )
+    run_cmd(cmd, ctx, use_shell=True)
+
+    # Aguarda o daemonset subir para evitar Node NotReady por falta de CNI
+    run_cmd(
+        ["kubectl", "-n", "kube-system", "rollout", "status", "daemonset/calico-node", "--timeout", "300s"],
+        ctx,
+        check=False,
+    )
+    run_cmd(
+        [
+            "kubectl",
+            "-n",
+            "kube-system",
+            "rollout",
+            "status",
+            "deployment/calico-kube-controllers",
+            "--timeout",
+            "300s",
+        ],
+        ctx,
+        check=False,
+    )
+
+
 def run(ctx: ExecutionContext) -> None:
     require_root(ctx)
     typer.echo("Instalando e preparando Kubernetes (kubeadm/kubelet/kubectl)...")
@@ -146,6 +215,11 @@ def run(ctx: ExecutionContext) -> None:
     enable_service("containerd", ctx)
     enable_service("kubelet", ctx)
 
+    # Garante swap off antes de prosseguir (requisito kubeadm)
+    typer.echo("Desabilitando swap (requisito Kubernetes)...")
+    run_cmd(["swapoff", "-a"], ctx, check=False)
+    run_cmd("sed -i '/swap/d' /etc/fstab", ctx, use_shell=True, check=False)
+
     # kubeadm exige ip_forward=1; sobrepoe ajuste de hardening para fase de cluster.
     # Desabilita IPv6 completamente para evitar erros de preflight e simplificar rede
     sysctl_k8s = """# Kubernetes network settings
@@ -164,7 +238,19 @@ net.ipv6.conf.lo.disable_ipv6=1
     pod_cidr = typer.prompt("Pod CIDR", default="10.244.0.0/16")
     service_cidr = typer.prompt("Service CIDR", default="10.96.0.0/12")
     cluster_name = typer.prompt("Nome do cluster", default="raijin")
-    advertise_address = typer.prompt("API advertise address", default="0.0.0.0")
+    default_adv = "192.168.1.81"
+    advertise_address = typer.prompt("API advertise address", default=default_adv)
+    if advertise_address != default_adv:
+        typer.secho(
+            f"⚠ Para ambiente atual use {default_adv} (IP LAN, evita NAT).", fg=typer.colors.YELLOW
+        )
+        if not typer.confirm(f"Deseja forcar {default_adv}?", default=True):
+            typer.secho(
+                f"Usando valor informado: {advertise_address}. Certifique-se que todos os nos alcancem esse IP.",
+                fg=typer.colors.YELLOW,
+            )
+        else:
+            advertise_address = default_adv
 
     kubeadm_config = f"""apiVersion: kubeadm.k8s.io/v1beta3
 kind: ClusterConfiguration
@@ -221,3 +307,27 @@ cgroupDriver: systemd
 
     typer.echo("Comando de join para workers:")
     run_cmd(["kubeadm", "token", "create", "--print-join-command"], ctx, check=False)
+
+    # CNI padrao: Calico (pode ser desabilitado via RAIJIN_CNI=none)
+    cni_choice = DEFAULT_CNI
+    if cni_choice == "none":
+        typer.secho(
+            "CNI nao aplicado (RAIJIN_CNI=none). Node permanecera NotReady ate aplicar um CNI manual.",
+            fg=typer.colors.YELLOW,
+        )
+    else:
+        if _cni_present(ctx) and not FORCE_CNI:
+            typer.secho("CNI ja detectado em kube-system; pulando aplicacao automatica (defina RAIJIN_FORCE_CNI=1 para reaplicar).", fg=typer.colors.YELLOW)
+        else:
+            _apply_calico(pod_cidr, ctx)
+
+    # Pequeno health check basico para sinalizar ao usuario
+    typer.echo("Validando node apos CNI...")
+    run_cmd([
+        "kubectl",
+        "wait",
+        "--for=condition=Ready",
+        "nodes",
+        "--all",
+        "--timeout=180s",
+    ], ctx, check=False)

raijin_server/modules/network.py

@@ -124,9 +124,9 @@ def run(ctx: ExecutionContext) -> None:
         )
 
     iface = typer.prompt("Interface", default="ens18")
-    address = typer.prompt("Endereco CIDR", default="192.168.0.10/24")
-    gateway = typer.prompt("Gateway", default="192.168.0.1")
-    dns = typer.prompt("DNS (separe por virgula)", default="1.1.1.1,8.8.8.8")
+    address = typer.prompt("Endereco CIDR", default="192.168.1.81/24")
+    gateway = typer.prompt("Gateway", default="192.168.1.254")
+    dns = typer.prompt("DNS (separe por virgula)", default="177.128.80.44,177.128.80.45")
 
     dns_list = ",".join([item.strip() for item in dns.split(",") if item.strip()])
     netplan_content = f"""network:

raijin_server/modules/sanitize.py

@@ -7,7 +7,14 @@ from pathlib import Path
 
 import typer
 
-from raijin_server.utils import ExecutionContext, require_root, run_cmd
+from raijin_server.utils import ExecutionContext, require_root, run_cmd, write_file
+
+# Defaults alinhados com configuracao de rede solicitada
+NETPLAN_IFACE = "ens18"
+NETPLAN_ADDRESS = "192.168.1.81/24"
+NETPLAN_GATEWAY = "192.168.1.254"
+NETPLAN_DNS = "177.128.80.44,177.128.80.45"
+NETPLAN_PATH = Path("/etc/netplan/01-raijin-static.yaml")
 
 SYSTEMD_SERVICES = [
     "kubelet",
@@ -48,6 +55,44 @@ APT_MARKERS = [
 ]
 
 
+def _ensure_netplan(ctx: ExecutionContext) -> None:
+    """Garante que o netplan esteja com IP fixo esperado; se ja estiver, mostra OK."""
+
+    desired = f"""network:
+  version: 2
+  renderer: networkd
+  ethernets:
+    {NETPLAN_IFACE}:
+      dhcp4: false
+      addresses: [{NETPLAN_ADDRESS}]
+      gateway4: {NETPLAN_GATEWAY}
+      nameservers:
+        addresses: [{NETPLAN_DNS}]
+"""
+
+    existing = None
+    if NETPLAN_PATH.exists():
+        try:
+            existing = NETPLAN_PATH.read_text()
+        except Exception:
+            existing = None
+
+    if existing and all(x in existing for x in (NETPLAN_ADDRESS, NETPLAN_GATEWAY, NETPLAN_DNS)):
+        typer.secho(
+            f"\n✓ Netplan ja configurado com {NETPLAN_ADDRESS} / gw {NETPLAN_GATEWAY} / dns {NETPLAN_DNS}",
+            fg=typer.colors.GREEN,
+        )
+        return
+
+    typer.echo("Aplicando netplan padrao antes da limpeza...")
+    write_file(NETPLAN_PATH, desired, ctx)
+    run_cmd(["netplan", "apply"], ctx, check=False)
+    typer.secho(
+        f"✓ Netplan ajustado para {NETPLAN_ADDRESS} (gw {NETPLAN_GATEWAY}, dns {NETPLAN_DNS})",
+        fg=typer.colors.GREEN,
+    )
+
+
 def _stop_services(ctx: ExecutionContext) -> None:
     typer.echo("Parando serviços relacionados (kubelet, containerd)...")
     for service in SYSTEMD_SERVICES:
@@ -131,6 +176,9 @@ def run(ctx: ExecutionContext) -> None:
             typer.echo("Sanitizacao cancelada pelo usuario.")
             return
 
+    # Primeiro passo: garantir netplan consistente, sem quebrar ao limpar
+    _ensure_netplan(ctx)
+
     _stop_services(ctx)
     _kubeadm_reset(ctx)
     _flush_iptables(ctx)

raijin_server/modules/traefik.py

@@ -15,8 +15,7 @@ def run(ctx: ExecutionContext) -> None:
     values = [
         "ingressClass.enabled=true",
         "ingressClass.isDefaultClass=true",
-        "ports.web.redirectTo=websecure=true",
-        "ports.websecure.tls.enabled=true",
+        "ports.web.redirectTo=websecure",  # valor esperado é o nome da porta de destino
         "service.type=LoadBalancer",
         f"certificatesResolvers.letsencrypt.acme.email={acme_email}",
         "certificatesResolvers.letsencrypt.acme.storage=/data/acme.json",

raijin_server/validators.py

@@ -15,6 +15,27 @@ import typer
 
 from raijin_server.utils import ExecutionContext, logger
 
+# Grafo de dependencias entre modulos (usado por validacoes e funcoes de rollback)
+MODULE_DEPENDENCIES = {
+    "kubernetes": ["essentials", "network", "firewall"],
+    "calico": ["kubernetes"],
+    "cert_manager": ["kubernetes", "traefik"],
+    "istio": ["kubernetes", "calico"],
+    "traefik": ["kubernetes"],
+    "kong": ["kubernetes"],
+    "minio": ["kubernetes"],
+    "prometheus": ["kubernetes"],
+    "grafana": ["kubernetes", "prometheus"],
+    "loki": ["kubernetes"],
+    "secrets": ["kubernetes"],
+    "harness": ["kubernetes"],
+    "velero": ["kubernetes"],
+    "kafka": ["kubernetes"],
+    "observability_ingress": ["traefik", "prometheus", "grafana"],
+    "observability_dashboards": ["prometheus", "grafana"],
+    "apokolips_demo": ["kubernetes", "traefik"],
+}
+
 
 class ValidationError(Exception):
     """Erro de validacao de pre-requisitos."""
@@ -215,30 +236,10 @@ def check_module_dependencies(module: str, ctx: ExecutionContext) -> bool:
     Returns:
         True se todas as dependencias foram satisfeitas
     """
-    dependencies = {
-        "kubernetes": ["essentials", "network", "firewall"],
-        "calico": ["kubernetes"],
-        "cert_manager": ["kubernetes", "traefik"],
-        "istio": ["kubernetes", "calico"],
-        "traefik": ["kubernetes"],
-        "kong": ["kubernetes"],
-        "minio": ["kubernetes"],
-        "prometheus": ["kubernetes"],
-        "grafana": ["kubernetes", "prometheus"],
-        "loki": ["kubernetes"],
-        "secrets": ["kubernetes"],
-        "harness": ["kubernetes"],
-        "velero": ["kubernetes"],
-        "kafka": ["kubernetes"],
-        "observability_ingress": ["traefik", "prometheus", "grafana"],
-        "observability_dashboards": ["prometheus", "grafana"],
-        "apokolips_demo": ["kubernetes", "traefik"],
-    }
-
-    if module not in dependencies:
+    if module not in MODULE_DEPENDENCIES:
         return True
 
-    required = dependencies[module]
+    required = MODULE_DEPENDENCIES[module]
     missing = []
 
     # Verifica arquivos de estado

{raijin_server-0.2.7.dist-info → raijin_server-0.2.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.2.7
+Version: 0.2.10
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin
@@ -44,6 +44,8 @@ CLI em Python (Typer) para automatizar setup e hardening de servidores Ubuntu Se
 - Arquitetura: [ARCHITECTURE.md](ARCHITECTURE.md)
 - Auditoria: [AUDIT.md](AUDIT.md)
 - Segurança: [SECURITY.md](SECURITY.md)
+- Acesso SSH (Windows): [docs/SSH_WINDOWS.md](docs/SSH_WINDOWS.md)
+- VPN para acesso remoto (WireGuard): [docs/VPN_REMOTE_ACCESS.md](docs/VPN_REMOTE_ACCESS.md)
 
 ## Destaques
 
@@ -60,6 +62,12 @@ CLI em Python (Typer) para automatizar setup e hardening de servidores Ubuntu Se
 - ✅ **Modo Dry-run**: Simula execução sem aplicar mudanças
 
 ## Requisitos
+ Ubuntu Server 20.04+ com Python 3 disponível. Se precisar instalar/atualizar no host alvo:
+
+ ```bash
+ sudo apt update
+ sudo apt install -y python3 python3-venv python3-pip
+ ```
 
 ## Instalação (sempre em venv midgard)
 
@@ -110,6 +118,10 @@ sudo -E ~/.venvs/midgard/bin/raijin-server validate
 sudo -E ~/.venvs/midgard/bin/raijin-server menu
 ```
 
+### Rollback de módulos
+- No menu, após escolher o módulo, selecione `r` para rollback; se houver dependentes já executados, será pedido confirmacao para rollback em cascata dos dependentes antes.
+- Linha de comando: `sudo -E ~/.venvs/midgard/bin/raijin-server rollback <modulo> --cascade/--no-cascade` (best-effort; alguns módulos podem exigir limpeza manual). Caso seja apenas para revisar o efeito, use `-n/--dry-run` no comando principal para não aplicar.
+
 ### Execução Direta de Módulos
 ```bash
 # Executar módulo específico
@@ -173,6 +185,9 @@ sudo -E ~/.venvs/midgard/bin/raijin-server debug journal --service containerd --
 - **[AUDIT.md](AUDIT.md)**: Relatório completo de auditoria e melhorias implementadas
 - **[ARCHITECTURE.md](ARCHITECTURE.md)**: Arquitetura técnica do ambiente
 - **[SECURITY.md](SECURITY.md)**: Políticas de segurança e reporte de vulnerabilidades
+- **Publicação PyPI**: ver seção "Publicar no PyPI" abaixo
+- **CNI automático**: Calico aplicado automaticamente no passo Kubernetes (override com `RAIJIN_CNI=none`)
+	- Para reaplicar CNI (forçar mesmo se já houver): `RAIJIN_FORCE_CNI=1`
 
 ## Fluxo de Execução Recomendado
 
@@ -329,6 +344,46 @@ bash "$SCRIPT_PATH"
 
 O helper garante o caminho absoluto correto independentemente de onde o pacote foi instalado.
 
+## Publicar no PyPI
+
+Use o venv local do repositório (`.venv`) para garantir dependências corretas:
+
+```bash
+cd /home/rafael/github/raijin-server
+python3 -m venv .venv
+source .venv/bin/activate
+python -m pip install -U pip build twine
+```
+
+Gerar artefatos limpos:
+
+```bash
+rm -rf dist build
+python -m build --sdist --wheel --outdir dist
+```
+
+Publicar no PyPI (requere token):
+
+```bash
+export TWINE_USERNAME="__token__"
+export TWINE_PASSWORD="pypi-xxxxx"  # token do PyPI
+python -m twine upload dist/*
+```
+
+Opcional: validar no TestPyPI antes de publicar (precisa token de TestPyPI):
+
+```bash
+export TWINE_USERNAME="__token__"
+export TWINE_PASSWORD="pypi-xxxxx"  # token do TestPyPI
+python -m twine upload --repository testpypi dist/*
+```
+
+Depois de publicar, atualize/instale:
+
+```bash
+pip install -U raijin-server
+```
+
 ## Teste de ingress (Apokolips)
 
 O módulo [src/raijin_server/modules/apokolips_demo.py](src/raijin_server/modules/apokolips_demo.py) cria um namespace dedicado, ConfigMap com HTML, Deployment NGINX, Service e Ingress Traefik com uma landing page "Apokolips" para validar o tráfego externo.
@@ -437,17 +492,18 @@ O Twine é a ferramenta oficial para enviar pacotes Python ao PyPI com upload se
 Passo a passo:
 ```bash
 # 1) Gere artefatos
-python -m build --sdist --wheel --outdir dist/
+python3 -m pip install --user build
+python3 -m build --sdist --wheel --outdir dist/
 
 # 2) Configure o token (crie em https://pypi.org/manage/account/token/)
 export TWINE_USERNAME=__token__
 export TWINE_PASSWORD="<seu-token>"
 
 # 3) Envie para o PyPI
-python -m twine upload dist/*
+python3 -m twine upload dist/*
 
 # 4) Verifique instalação
-python -m pip install -U raijin-server
+python3 -m pip install -U raijin-server
 raijin-server --version
 ```
 

{raijin_server-0.2.7.dist-info → raijin_server-0.2.10.dist-info}/RECORD

@@ -1,9 +1,9 @@
-raijin_server/__init__.py,sha256=30PUXP9hr-N0U9chGsPaORRkJKEeGnKMrcXhWTwR054,94
-raijin_server/cli.py,sha256=aQxew8FCN-mZoN-ghBasm97gLk5WkOaIcpeucTpXpXY,24821
-raijin_server/config.py,sha256=Dta2CS1d6RgNiQ84P6dTXk98boFrjzuvhs_fCdlm0I4,4810
-raijin_server/healthchecks.py,sha256=BJyWyUDtEswEblvGwWMejtMnsUb8kJcULVdS9iycrcc,14565
+raijin_server/__init__.py,sha256=xZWt85TH3yzTcBTI8N0qtHFiSRHQ8nXGICr5curtX6E,95
+raijin_server/cli.py,sha256=DwzUP5Ps-vgiOwXRjACukgHWFo-7FAnDrILbgWhs2ys,28475
+raijin_server/config.py,sha256=QNiEVvrbW56XgvNn5-h3bkJm46Xc8mjNqPbvixXD8N0,4829
+raijin_server/healthchecks.py,sha256=lzXdFw6S0hOYbUKbqksh4phb04lXgXdTspP1Dsz4dx8,15401
 raijin_server/utils.py,sha256=9RnGnPoUTYOpMVRLNa4P4lIQrJNQLkSkPUxycZRGv78,20827
-raijin_server/validators.py,sha256=qOZMHgwjHogVf17UPlxfUCpQd9qAGQW7tycd8mUvnEs,9404
+raijin_server/validators.py,sha256=-V3BX1hF_i2on7v-7Gu6u4ilhQaVJX4jTnwqvR3uEng,9432
 raijin_server/modules/__init__.py,sha256=e_IbkhLGPcF8to9QUmIESP6fpcTOYcIhaXLKIvqRJMY,920
 raijin_server/modules/apokolips_demo.py,sha256=8ltsXRbVDwlDwLMIvh02NG-FeAfBWw_v6lh7IGOyNqs,13725
 raijin_server/modules/bootstrap.py,sha256=oVIGNRW_JbgY8zXNHGAIP0vGbbHNHyQexthxo5zhbcw,9762
@@ -18,17 +18,17 @@ raijin_server/modules/harness.py,sha256=dhZ89YIhlkuxiRU1deN6wXVWnXm0xeI03PwYf_qg
 raijin_server/modules/istio.py,sha256=761FOGEzEXWlTLYApQxUWY8l4cnEbnIXbIHK3itk_AQ,522
 raijin_server/modules/kafka.py,sha256=bp8k_IhuAIO6dL0IpK1UxxLZoGih6nJp0ZnzwmiZEj8,950
 raijin_server/modules/kong.py,sha256=2EZKYBmBhm_7Nduw9PWrvrekp0VCxQbc2gElpAJqKfg,491
-raijin_server/modules/kubernetes.py,sha256=zHbgCYzzdJJwUGsxJoiyT4HCeJz2HmDSeBR88KP-v4Y,8286
+raijin_server/modules/kubernetes.py,sha256=waSf2cCVnLicN5o3M47MzMzmHHtvKeFXm1__8ynQzA0,11871
 raijin_server/modules/loki.py,sha256=erwFfSiSFOv-Ul3nFdrI2RElPYuqqBPBBa_MJAwyLys,676
 raijin_server/modules/minio.py,sha256=BVvsEaJlJUV92_ep7pKsBhSYPjWZrDOB3J6XAWYAHYg,486
-raijin_server/modules/network.py,sha256=bwVljaVvTc6FbbD-XtDpqqNL-fXMB9-iWVWsXToBvt4,4804
+raijin_server/modules/network.py,sha256=QRlYdcryCCPAWG3QQ_W7ld9gJgETI7H8gwntOU7UqFE,4818
 raijin_server/modules/observability_dashboards.py,sha256=fVz0WEOQrUTF5rJ__Nu_onyBuwL_exFmysWMmg8AE9w,7319
 raijin_server/modules/observability_ingress.py,sha256=Fh1rlFWueBNHnOkHuoHYyhILmpO-iQXINybSUYbYsHQ,5738
 raijin_server/modules/prometheus.py,sha256=Rs9BREmaoKlyteNdAQZnSIeJfsRO0RQKyyL2gTnXyCw,3716
-raijin_server/modules/sanitize.py,sha256=eytL_mCYF57qnjf6g752VRC4Yl27dDJ0OQP2rjxaR70,4523
+raijin_server/modules/sanitize.py,sha256=_RnWn1DUuNrzx3NnKEbMvf5iicgjiN_ubwT59e0rYWY,6040
 raijin_server/modules/secrets.py,sha256=xpV3gIMnwQdAI2j69Ck5daIK4wlYJA_1rkWTtSfVNk0,3715
 raijin_server/modules/ssh_hardening.py,sha256=oQdk-EVnEHNMKIWvoFuZzI4jK0nNO8IAY4hkB4pj8zw,4025
-raijin_server/modules/traefik.py,sha256=DCyh9dOvryoPR8qKzvvvvZcMTBYsiTtcKXdselto9gQ,1412
+raijin_server/modules/traefik.py,sha256=e7Rog5fQvbCHI4WkljUUa6g0Alx2V5ZiVZboHWmMCxY,1411
 raijin_server/modules/velero.py,sha256=_CV0QQnWr5L-CWXDOiD9Ef4J7GaQT-s9yNBwqp_FLOY,1395
 raijin_server/modules/vpn.py,sha256=hF-0vA17VKTxhQLDBSEeqI5aPQpiaaj4IpUf9l6lr64,8297
 raijin_server/scripts/__init__.py,sha256=deduGfHf8BMVWred4ux5LfBDT2NJ5XYeJAt2sDEU4qs,53
@@ -36,9 +36,9 @@ raijin_server/scripts/checklist.sh,sha256=j6E0Kmk1EfjLvKK1VpCqzXJAXI_7Bm67LK4ndy
 raijin_server/scripts/install.sh,sha256=Y1ickbQ4siQ0NIPs6UgrqUr8WWy7U0LHmaTQbEgavoI,3949
 raijin_server/scripts/log_size_metric.sh,sha256=Iv4SsX8AuCYRou-klYn32mX41xB6j0xJGLBO6riw4rU,1208
 raijin_server/scripts/pre-deploy-check.sh,sha256=XqMo7IMIpwUHF17YEmU0-cVmTDMoCGMBFnmS39FidI4,4912
-raijin_server-0.2.7.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
-raijin_server-0.2.7.dist-info/METADATA,sha256=YpgpUhp0TYGWYwEkKd8nDpCLY0MfyWsCWPq7D0zTrJQ,20362
-raijin_server-0.2.7.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-raijin_server-0.2.7.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
-raijin_server-0.2.7.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
-raijin_server-0.2.7.dist-info/RECORD,,
+raijin_server-0.2.10.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
+raijin_server-0.2.10.dist-info/METADATA,sha256=_oOzaANRnNg3d3SIcyKxk0rMzwwdbhcMPNs2c7Oyptg,22276
+raijin_server-0.2.10.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+raijin_server-0.2.10.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
+raijin_server-0.2.10.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
+raijin_server-0.2.10.dist-info/RECORD,,