raijin-server 0.3.2__py3-none-any.whl → 0.3.4__py3-none-any.whl

raijin_server/__init__.py

@@ -1,5 +1,5 @@
 """Pacote principal do CLI Raijin Server."""
 
-__version__ = "0.3.2"
+__version__ = "0.3.3"
 
 __all__ = ["__version__"]

raijin_server/modules/grafana.py

@@ -393,9 +393,18 @@ def run(ctx: ExecutionContext) -> None:
 
     admin_password = typer.prompt("Senha admin do Grafana", default="admin")
     
+    # NodePort para acesso via VPN (recomendado)
+    enable_nodeport = typer.confirm(
+        "Habilitar NodePort para acesso via VPN?",
+        default=True
+    )
+    nodeport_port = 30030
+    if enable_nodeport:
+        nodeport_port = int(typer.prompt("Porta NodePort", default="30030"))
+    
     # Ingress público não é recomendado para ferramentas de observabilidade
     enable_ingress = typer.confirm(
-        "Habilitar ingress público? (NÃO recomendado - use VPN + port-forward)",
+        "Habilitar ingress público? (NÃO recomendado - use VPN + NodePort)",
         default=False
     )
     
@@ -439,9 +448,16 @@ def run(ctx: ExecutionContext) -> None:
             persistence_yaml += f"""
   storageClassName: {storage_class}"""
     
+    service_type = "NodePort" if enable_nodeport else "ClusterIP"
     values_yaml = f"""adminPassword: {admin_password}
 service:
-  type: ClusterIP
+  type: {service_type}"""
+    
+    if enable_nodeport:
+        values_yaml += f"""
+  nodePort: {nodeport_port}"""
+    
+    values_yaml += f"""
 ingress:
   enabled: {str(enable_ingress).lower()}"""
     
@@ -540,15 +556,18 @@ dashboards:
     
     if enable_ingress:
         typer.echo(f"\nAcesse: https://{ingress_host}")
-    else:
-        typer.secho("\n🔒 Acesso Seguro via VPN + Port-Forward:", fg=typer.colors.CYAN, bold=True)
+    elif enable_nodeport:
+        typer.secho("\n🔒 Acesso via VPN + NodePort:", fg=typer.colors.CYAN, bold=True)
         typer.echo("\n1. Configure VPN (se ainda não tiver):")
         typer.echo("   sudo raijin vpn")
         typer.echo("\n2. Conecte via WireGuard no seu Windows/Mac")
-        typer.echo("\n3. Faça port-forward local:")
-        typer.echo("   kubectl -n observability port-forward svc/grafana 3000:80")
-        typer.echo("\n4. Acesse no navegador:")
-        typer.echo("   http://localhost:3000")
+        typer.echo("\n3. Acesse no navegador (IP da VPN):")
+        typer.echo(f"   http://<VPN_SERVER_IP>:{nodeport_port}")
+        typer.echo("\n   Exemplo: http://10.8.0.1:{}".format(nodeport_port))
+    else:
+        typer.secho("\n🔒 Acesso via Port-Forward:", fg=typer.colors.CYAN, bold=True)
+        typer.echo("\n  kubectl -n observability port-forward svc/grafana 3000:80")
+        typer.echo("\n  Acesse: http://localhost:3000")
     
     typer.echo("\nUsuario: admin")
     typer.echo(f"Senha: {admin_password}")

raijin_server/modules/loki.py

@@ -103,6 +103,15 @@ def run(ctx: ExecutionContext) -> None:
 
     retention_hours = typer.prompt("Retencao de logs em horas", default="168")
     persistence_size = typer.prompt("Tamanho do storage", default="20Gi")
+    
+    # NodePort para acesso via VPN
+    enable_nodeport = typer.confirm(
+        "Habilitar NodePort para acesso via VPN?",
+        default=True
+    )
+    nodeport_port = 30310
+    if enable_nodeport:
+        nodeport_port = int(typer.prompt("Porta NodePort", default="30310"))
 
     node_name = _detect_node_name(ctx)
 
@@ -147,6 +156,15 @@ promtail:
       memory: 256Mi
 """
 
+    # Adiciona NodePort se habilitado
+    if enable_nodeport:
+        values_yaml += f"""
+loki:
+  service:
+    type: NodePort
+    nodePort: {nodeport_port}
+"""
+
     values_path = Path("/tmp/raijin-loki-values.yaml")
     write_file(values_path, values_yaml, ctx)
 
@@ -167,7 +185,13 @@ promtail:
         _wait_for_loki_ready(ctx)
 
     typer.secho("\n✓ Loki Stack instalado com sucesso.", fg=typer.colors.GREEN, bold=True)
-    typer.echo("\nPara acessar Loki via port-forward:")
-    typer.echo("  kubectl -n observability port-forward svc/loki 3100:3100")
-    typer.echo("\nPara verificar logs:")
-    typer.echo("  curl http://localhost:3100/ready")
+    
+    if enable_nodeport:
+        typer.secho("\n🔒 Acesso via VPN + NodePort:", fg=typer.colors.CYAN, bold=True)
+        typer.echo(f"\n  curl http://<VPN_SERVER_IP>:{nodeport_port}/ready")
+        typer.echo(f"\n  Exemplo: curl http://10.8.0.1:{nodeport_port}/ready")
+    else:
+        typer.echo("\nPara acessar Loki via port-forward:")
+        typer.echo("  kubectl -n observability port-forward svc/loki 3100:3100")
+        typer.echo("\nPara verificar logs:")
+        typer.echo("  curl http://localhost:3100/ready")

raijin_server/modules/minio.py

@@ -449,6 +449,18 @@ def run(ctx: ExecutionContext) -> None:
     
     enable_console = typer.confirm("Habilitar Console Web?", default=True)
     
+    # NodePort para acesso via VPN
+    enable_nodeport = typer.confirm(
+        "Habilitar NodePort para acesso via VPN?",
+        default=True
+    )
+    api_nodeport = 30900
+    console_nodeport = 30901
+    if enable_nodeport:
+        api_nodeport = int(typer.prompt("Porta NodePort para API S3", default="30900"))
+        if enable_console:
+            console_nodeport = int(typer.prompt("Porta NodePort para Console", default="30901"))
+    
     node_name = _detect_node_name(ctx)
     
     values = [
@@ -486,13 +498,27 @@ def run(ctx: ExecutionContext) -> None:
     if is_distributed:
         values.append(f"replicas={replicas}")
     
-    # Console
-    if enable_console:
+    # Service type (NodePort ou ClusterIP)
+    if enable_nodeport:
         values.extend([
-            "consoleService.type=ClusterIP",
-            "consoleIngress.enabled=false",
+            "service.type=NodePort",
+            f"service.nodePort={api_nodeport}",
         ])
     
+    # Console
+    if enable_console:
+        if enable_nodeport:
+            values.extend([
+                "consoleService.type=NodePort",
+                f"consoleService.nodePort={console_nodeport}",
+                "consoleIngress.enabled=false",
+            ])
+        else:
+            values.extend([
+                "consoleService.type=ClusterIP",
+                "consoleIngress.enabled=false",
+            ])
+    
     helm_upgrade_install(
         release="minio",
         chart="minio",
@@ -514,14 +540,21 @@ def run(ctx: ExecutionContext) -> None:
     typer.echo(f"  Root Password: {root_password}")
     
     if enable_console:
-        typer.secho("\n🔒 Acesso Seguro ao MinIO Console via VPN:", fg=typer.colors.CYAN, bold=True)
-        typer.echo("\n1. Configure VPN (se ainda não tiver):")
-        typer.echo("   sudo raijin vpn")
-        typer.echo("\n2. Conecte via WireGuard")
-        typer.echo("\n3. Faça port-forward:")
-        typer.echo("   kubectl -n minio port-forward svc/minio-console 9001:9001")
-        typer.echo("\n4. Acesse no navegador:")
-        typer.echo("   http://localhost:9001")
-    
-    typer.echo("\nPara acessar a API S3 (port-forward):")
-    typer.echo("  kubectl -n minio port-forward svc/minio 9000:9000")
+        if enable_nodeport:
+            typer.secho("\n🔒 Acesso ao MinIO Console via VPN:", fg=typer.colors.CYAN, bold=True)
+            typer.echo("\n1. Configure VPN (se ainda não tiver):")
+            typer.echo("   sudo raijin vpn")
+            typer.echo("\n2. Conecte via WireGuard")
+            typer.echo("\n3. Acesse no navegador (IP da VPN):")
+            typer.echo(f"   http://<VPN_SERVER_IP>:{console_nodeport}")
+            typer.echo("\n   Exemplo: http://10.8.0.1:{}".format(console_nodeport))
+        else:
+            typer.secho("\n🔒 Acesso via Port-Forward:", fg=typer.colors.CYAN, bold=True)
+            typer.echo("\n  kubectl -n minio port-forward svc/minio-console 9001:9001")
+            typer.echo("\n  Acesse: http://localhost:9001")
+    
+    if enable_nodeport:
+        typer.echo(f"\nAPI S3 via VPN: http://<VPN_SERVER_IP>:{api_nodeport}")
+    else:
+        typer.echo("\nPara acessar a API S3 (port-forward):")
+        typer.echo("  kubectl -n minio port-forward svc/minio 9000:9000")

raijin_server/modules/prometheus.py

@@ -428,6 +428,17 @@ def run(ctx: ExecutionContext) -> None:
     enable_persistence = typer.confirm(
         "Habilitar PVC para Prometheus e Alertmanager?", default=bool(default_sc)
     )
+    
+    # NodePort para acesso via VPN
+    enable_nodeport = typer.confirm(
+        "Habilitar NodePort para acesso via VPN?",
+        default=True
+    )
+    prometheus_nodeport = 30090
+    alertmanager_nodeport = 30093
+    if enable_nodeport:
+        prometheus_nodeport = int(typer.prompt("Porta NodePort para Prometheus", default="30090"))
+        alertmanager_nodeport = int(typer.prompt("Porta NodePort para Alertmanager", default="30093"))
 
     # Se habilitou PVC, garante que existe StorageClass disponivel
     if enable_persistence:
@@ -442,31 +453,42 @@ def run(ctx: ExecutionContext) -> None:
         "prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues=false",
         "prometheus.prometheusSpec.podMonitorSelectorNilUsesHelmValues=false",
         "defaultRules.create=true",
-        # Tolerations for control-plane nodes
+        # Tolerations for control-plane nodes - Prometheus
         "prometheus.prometheusSpec.tolerations[0].key=node-role.kubernetes.io/control-plane",
         "prometheus.prometheusSpec.tolerations[0].operator=Exists",
         "prometheus.prometheusSpec.tolerations[0].effect=NoSchedule",
         "prometheus.prometheusSpec.tolerations[1].key=node-role.kubernetes.io/master",
         "prometheus.prometheusSpec.tolerations[1].operator=Exists",
         "prometheus.prometheusSpec.tolerations[1].effect=NoSchedule",
+        # Tolerations - Alertmanager
         "alertmanager.alertmanagerSpec.tolerations[0].key=node-role.kubernetes.io/control-plane",
         "alertmanager.alertmanagerSpec.tolerations[0].operator=Exists",
         "alertmanager.alertmanagerSpec.tolerations[0].effect=NoSchedule",
         "alertmanager.alertmanagerSpec.tolerations[1].key=node-role.kubernetes.io/master",
         "alertmanager.alertmanagerSpec.tolerations[1].operator=Exists",
         "alertmanager.alertmanagerSpec.tolerations[1].effect=NoSchedule",
+        # Tolerations - Prometheus Operator
         "prometheusOperator.tolerations[0].key=node-role.kubernetes.io/control-plane",
         "prometheusOperator.tolerations[0].operator=Exists",
         "prometheusOperator.tolerations[0].effect=NoSchedule",
         "prometheusOperator.tolerations[1].key=node-role.kubernetes.io/master",
         "prometheusOperator.tolerations[1].operator=Exists",
         "prometheusOperator.tolerations[1].effect=NoSchedule",
+        # Tolerations - Admission Webhooks (Jobs que criam/atualizam webhooks)
+        "prometheusOperator.admissionWebhooks.patch.tolerations[0].key=node-role.kubernetes.io/control-plane",
+        "prometheusOperator.admissionWebhooks.patch.tolerations[0].operator=Exists",
+        "prometheusOperator.admissionWebhooks.patch.tolerations[0].effect=NoSchedule",
+        "prometheusOperator.admissionWebhooks.patch.tolerations[1].key=node-role.kubernetes.io/master",
+        "prometheusOperator.admissionWebhooks.patch.tolerations[1].operator=Exists",
+        "prometheusOperator.admissionWebhooks.patch.tolerations[1].effect=NoSchedule",
+        # Tolerations - kube-state-metrics
         "kube-state-metrics.tolerations[0].key=node-role.kubernetes.io/control-plane",
         "kube-state-metrics.tolerations[0].operator=Exists",
         "kube-state-metrics.tolerations[0].effect=NoSchedule",
         "kube-state-metrics.tolerations[1].key=node-role.kubernetes.io/master",
         "kube-state-metrics.tolerations[1].operator=Exists",
         "kube-state-metrics.tolerations[1].effect=NoSchedule",
+        # Tolerations - node-exporter
         "prometheus-node-exporter.tolerations[0].key=node-role.kubernetes.io/control-plane",
         "prometheus-node-exporter.tolerations[0].operator=Exists",
         "prometheus-node-exporter.tolerations[0].effect=NoSchedule",
@@ -477,8 +499,15 @@ def run(ctx: ExecutionContext) -> None:
         f"prometheus.prometheusSpec.nodeSelector.kubernetes\\.io/hostname={node_name}",
         f"alertmanager.alertmanagerSpec.nodeSelector.kubernetes\\.io/hostname={node_name}",
         f"prometheusOperator.nodeSelector.kubernetes\\.io/hostname={node_name}",
-    ]
-
+    ]    
+    # NodePort para acesso via VPN
+    if enable_nodeport:
+        values.extend([
+            "prometheus.service.type=NodePort",
+            f"prometheus.service.nodePort={prometheus_nodeport}",
+            "alertmanager.service.type=NodePort",
+            f"alertmanager.service.nodePort={alertmanager_nodeport}",
+        ])
     extra_args = ["--wait", "--timeout", "10m", "--atomic"]
 
     chart_version = typer.prompt(
@@ -531,7 +560,18 @@ def run(ctx: ExecutionContext) -> None:
         _wait_for_prometheus_ready(ctx, namespace)
 
     typer.secho("\n✓ kube-prometheus-stack instalado com sucesso.", fg=typer.colors.GREEN, bold=True)
-    typer.echo("\nPara acessar Prometheus via port-forward:")
-    typer.echo(f"  kubectl -n {namespace} port-forward svc/kube-prometheus-stack-prometheus 9090:9090")
-    typer.echo("\nPara acessar Alertmanager via port-forward:")
-    typer.echo(f"  kubectl -n {namespace} port-forward svc/kube-prometheus-stack-alertmanager 9093:9093")
+    
+    if enable_nodeport:
+        typer.secho("\n🔒 Acesso via VPN + NodePort:", fg=typer.colors.CYAN, bold=True)
+        typer.echo("\n1. Configure VPN: sudo raijin vpn")
+        typer.echo("2. Conecte via WireGuard")
+        typer.echo("\nPrometheus:")
+        typer.echo(f"   http://<VPN_SERVER_IP>:{prometheus_nodeport}")
+        typer.echo("\nAlertmanager:")
+        typer.echo(f"   http://<VPN_SERVER_IP>:{alertmanager_nodeport}")
+        typer.echo("\nExemplo: http://10.8.0.1:{} (Prometheus)".format(prometheus_nodeport))
+    else:
+        typer.echo("\nPara acessar Prometheus via port-forward:")
+        typer.echo(f"  kubectl -n {namespace} port-forward svc/kube-prometheus-stack-prometheus 9090:9090")
+        typer.echo("\nPara acessar Alertmanager via port-forward:")
+        typer.echo(f"  kubectl -n {namespace} port-forward svc/kube-prometheus-stack-alertmanager 9093:9093")

raijin_server/modules/vpn.py

@@ -173,12 +173,11 @@ def run(ctx: ExecutionContext) -> None:
         Address = {server_address}
         ListenPort = {listen_port}
         PrivateKey = {server_private}
-        SaveConfig = true
         PostUp = iptables -A FORWARD -i {interface} -j ACCEPT; iptables -A FORWARD -o {interface} -j ACCEPT; iptables -t nat -A POSTROUTING -o {egress_iface} -j MASQUERADE
         PostDown = iptables -D FORWARD -i {interface} -j ACCEPT; iptables -D FORWARD -o {interface} -j ACCEPT; iptables -t nat -D POSTROUTING -o {egress_iface} -j MASQUERADE
 
-        [Peer]
         # {client_name}
+        [Peer]
         PublicKey = {client_public}
         AllowedIPs = {client_address}
         """
@@ -210,8 +209,24 @@ def run(ctx: ExecutionContext) -> None:
     run_cmd(["systemctl", "enable", "--now", f"wg-quick@{interface}"], ctx)
 
     typer.secho("\n✓ WireGuard configurado com sucesso!", fg=typer.colors.GREEN, bold=True)
-    typer.echo(f"Configuracao do servidor: {server_conf_path}")
+    typer.echo("\n" + "="*60)
+    typer.secho("INFORMAÇÕES IMPORTANTES - GUARDE ESTAS CHAVES:", fg=typer.colors.YELLOW, bold=True)
+    typer.echo("="*60)
+    typer.echo(f"\nChave Pública do SERVIDOR (use no [Peer] dos clientes):")
+    typer.secho(f"  {server_public}", fg=typer.colors.CYAN, bold=True)
+    typer.echo(f"\nChave Pública do CLIENTE '{client_name}' (já no servidor):")
+    typer.secho(f"  {client_public}", fg=typer.colors.CYAN)
+    typer.echo("\n" + "="*60)
+    typer.echo(f"Configuração do servidor: {server_conf_path}")
     typer.echo(f"Cliente inicial salvo em: {client_conf_path}")
-    typer.echo("Para gerar QR code no terminal: qrencode -t ansiutf8 < caminho-do-cliente.conf")
-    typer.echo("Para novos clientes, gere chaves com 'wg genkey' e adicione entradas em ambos os arquivos.")
-    typer.echo("Clientes Linux/macOS: sudo wg-quick up ./cliente.conf | Windows: importe o arquivo no app WireGuard.")
+    typer.echo("\n" + "="*60)
+    typer.secho("PRÓXIMOS PASSOS:", fg=typer.colors.GREEN, bold=True)
+    typer.echo("="*60)
+    typer.echo("1. Copie a configuração do cliente para o dispositivo remoto")
+    typer.echo(f"   scp root@servidor:{client_conf_path} .")
+    typer.echo("\n2. No cliente, verifique se o [Peer].PublicKey é a chave pública do SERVIDOR")
+    typer.echo(f"   PublicKey = {server_public}")
+    typer.echo("\n3. Configure o Endpoint com o IP público do servidor:")
+    typer.echo(f"   Endpoint = {public_endpoint}:{listen_port}")
+    typer.echo("\n4. QR code para celular: qrencode -t ansiutf8 < caminho-do-cliente.conf")
+    typer.echo("\n5. Windows/Mac: importe o arquivo .conf no app WireGuard")

raijin_server/modules/vpn_client.py

@@ -494,6 +494,302 @@ def show_client_config(ctx: ExecutionContext) -> None:
     typer.echo("")
 
 
+def verify_config(ctx: ExecutionContext) -> None:
+    """Verifica se a configuração do WireGuard está correta."""
+    require_root(ctx)
+    
+    typer.secho("\n🔍 Verificação de Configuração WireGuard", fg=typer.colors.CYAN, bold=True)
+    typer.echo("="*60)
+    
+    errors = []
+    warnings = []
+    
+    # 1. Verificar se arquivo existe
+    if not WG0_CONF.exists():
+        typer.secho("✗ Arquivo wg0.conf não encontrado!", fg=typer.colors.RED)
+        typer.echo("  Execute 'raijin vpn' primeiro para configurar o servidor.")
+        return
+    
+    content = WG0_CONF.read_text()
+    typer.secho("✓ Arquivo wg0.conf encontrado", fg=typer.colors.GREEN)
+    
+    # 2. Verificar [Interface]
+    typer.echo("\n📋 Verificando [Interface]...")
+    
+    if "[Interface]" not in content:
+        errors.append("Falta seção [Interface] no arquivo!")
+    else:
+        typer.secho("  ✓ Seção [Interface] presente", fg=typer.colors.GREEN)
+    
+    # 3. Verificar ListenPort
+    port_match = re.search(r'^ListenPort\s*=\s*(\d+)', content, re.MULTILINE)
+    if not port_match:
+        errors.append("ListenPort não definida!")
+    else:
+        port = port_match.group(1)
+        if port == "22":
+            errors.append(f"ListenPort={port} está conflitando com SSH! Use 51820.")
+        elif port != "51820":
+            warnings.append(f"ListenPort={port} (padrão é 51820)")
+        else:
+            typer.secho(f"  ✓ ListenPort = {port}", fg=typer.colors.GREEN)
+    
+    # 4. Verificar PrivateKey e calcular PublicKey
+    typer.echo("\n🔑 Verificando chaves...")
+    
+    priv_match = re.search(r'^PrivateKey\s*=\s*(\S+)', content, re.MULTILINE)
+    if not priv_match:
+        errors.append("PrivateKey do servidor não encontrada!")
+    else:
+        private_key = priv_match.group(1)
+        try:
+            result = subprocess.run(
+                ["wg", "pubkey"],
+                input=private_key,
+                capture_output=True,
+                text=True,
+                check=True,
+            )
+            server_public_key = result.stdout.strip()
+            typer.secho(f"  ✓ Chave Pública do Servidor:", fg=typer.colors.GREEN)
+            typer.secho(f"    {server_public_key}", fg=typer.colors.CYAN, bold=True)
+            typer.echo("    ↑ USE ESTA CHAVE no [Peer].PublicKey dos CLIENTES!")
+        except subprocess.CalledProcessError:
+            errors.append("Erro ao calcular chave pública do servidor!")
+    
+    # 5. Verificar peers
+    typer.echo("\n👥 Verificando peers...")
+    
+    peers = re.findall(r'\[Peer\].*?(?=\[|$)', content, re.DOTALL)
+    if not peers:
+        warnings.append("Nenhum peer (cliente) configurado!")
+    else:
+        typer.echo(f"  {len(peers)} peer(s) configurado(s)")
+        
+        for i, peer in enumerate(peers, 1):
+            pub_match = re.search(r'PublicKey\s*=\s*(\S+)', peer)
+            ip_match = re.search(r'AllowedIPs\s*=\s*(\S+)', peer)
+            
+            if pub_match:
+                peer_pubkey = pub_match.group(1)
+                # Verificar se a chave do peer é a mesma do servidor (erro comum!)
+                if 'server_public_key' in dir() and peer_pubkey == server_public_key:
+                    errors.append(f"Peer {i}: PublicKey é igual à do servidor! Erro de configuração.")
+                else:
+                    typer.secho(f"  ✓ Peer {i}: {peer_pubkey[:20]}...", fg=typer.colors.GREEN)
+            
+            if ip_match:
+                peer_ip = ip_match.group(1)
+                typer.echo(f"    AllowedIPs: {peer_ip}")
+    
+    # 6. Verificar PostUp/PostDown
+    typer.echo("\n🔧 Verificando iptables rules...")
+    
+    if "MASQUERADE" not in content:
+        errors.append("Regra MASQUERADE não encontrada no PostUp!")
+    else:
+        typer.secho("  ✓ Regra MASQUERADE presente", fg=typer.colors.GREEN)
+    
+    if "FORWARD" not in content:
+        errors.append("Regras FORWARD não encontradas no PostUp!")
+    else:
+        typer.secho("  ✓ Regras FORWARD presentes", fg=typer.colors.GREEN)
+    
+    # 7. Verificar se WireGuard está rodando
+    typer.echo("\n🚀 Verificando serviço...")
+    
+    result = subprocess.run(["systemctl", "is-active", "wg-quick@wg0"], capture_output=True, text=True)
+    if result.stdout.strip() == "active":
+        typer.secho("  ✓ WireGuard está rodando", fg=typer.colors.GREEN)
+        
+        # Verificar porta real sendo usada
+        wg_result = subprocess.run(["wg", "show", "wg0", "listen-port"], capture_output=True, text=True)
+        actual_port = wg_result.stdout.strip()
+        if actual_port and port_match:
+            if actual_port != port_match.group(1):
+                errors.append(f"CRÍTICO: Porta configurada ({port_match.group(1)}) difere da porta real ({actual_port})!")
+                errors.append("Reinicie o WireGuard: sudo systemctl restart wg-quick@wg0")
+            else:
+                typer.secho(f"  ✓ Escutando na porta {actual_port}", fg=typer.colors.GREEN)
+    else:
+        errors.append("WireGuard não está rodando!")
+    
+    # 8. Resumo
+    typer.echo("\n" + "="*60)
+    
+    if errors:
+        typer.secho("❌ ERROS ENCONTRADOS:", fg=typer.colors.RED, bold=True)
+        for error in errors:
+            typer.secho(f"  • {error}", fg=typer.colors.RED)
+    
+    if warnings:
+        typer.secho("\n⚠️  AVISOS:", fg=typer.colors.YELLOW, bold=True)
+        for warning in warnings:
+            typer.secho(f"  • {warning}", fg=typer.colors.YELLOW)
+    
+    if not errors and not warnings:
+        typer.secho("✅ Configuração do servidor OK!", fg=typer.colors.GREEN, bold=True)
+    
+    typer.echo("\n" + "="*60)
+    typer.secho("CHECKLIST PARA CLIENTES:", fg=typer.colors.CYAN, bold=True)
+    typer.echo("="*60)
+    typer.echo("1. [Peer].PublicKey deve ser a chave pública do SERVIDOR (acima)")
+    typer.echo("2. [Peer].Endpoint deve ser IP_PÚBLICO:PORTA (ex: 177.128.86.89:51820)")
+    typer.echo("3. [Interface].PrivateKey deve ser a chave privada do CLIENTE (não do servidor!)")
+    typer.echo("4. [Interface].Address deve ser único para cada cliente (ex: 10.8.0.2/32)")
+    typer.echo("")
+
+
+def diagnose_and_fix(ctx: ExecutionContext) -> None:
+    """Diagnostica e corrige problemas de roteamento da VPN."""
+    require_root(ctx)
+    
+    typer.secho("\n🔍 Diagnóstico de VPN", fg=typer.colors.CYAN, bold=True)
+    typer.echo("="*60)
+    
+    # 1. Verificar se WireGuard está rodando
+    typer.echo("\n1. Verificando status do WireGuard...")
+    result = run_cmd(["systemctl", "is-active", "wg-quick@wg0"], ctx, check=False)
+    
+    if result.returncode != 0:
+        typer.secho("   ✗ WireGuard não está rodando!", fg=typer.colors.RED)
+        typer.echo("   Execute: systemctl start wg-quick@wg0")
+        return
+    
+    typer.secho("   ✓ WireGuard ativo", fg=typer.colors.GREEN)
+    
+    # 2. Verificar IP forwarding
+    typer.echo("\n2. Verificando IP forwarding...")
+    try:
+        forward = Path("/proc/sys/net/ipv4/ip_forward").read_text().strip()
+        if forward == "1":
+            typer.secho("   ✓ IP forwarding habilitado", fg=typer.colors.GREEN)
+        else:
+            typer.secho("   ✗ IP forwarding desabilitado", fg=typer.colors.YELLOW)
+            typer.echo("   Habilitando...")
+            run_cmd(["sysctl", "-w", "net.ipv4.ip_forward=1"], ctx)
+            typer.secho("   ✓ IP forwarding habilitado", fg=typer.colors.GREEN)
+    except Exception as e:
+        typer.secho(f"   ✗ Erro ao verificar: {e}", fg=typer.colors.RED)
+    
+    # 3. Detectar interface de rede principal
+    typer.echo("\n3. Detectando interface de rede...")
+    result = run_cmd(["ip", "route", "show", "default"], ctx, check=False)
+    
+    if result.returncode != 0:
+        typer.secho("   ✗ Não foi possível detectar interface", fg=typer.colors.RED)
+        return
+    
+    match = re.search(r'dev\s+(\S+)', result.stdout)
+    if not match:
+        typer.secho("   ✗ Interface não encontrada", fg=typer.colors.RED)
+        return
+    
+    iface = match.group(1)
+    typer.secho(f"   ✓ Interface detectada: {iface}", fg=typer.colors.GREEN)
+    
+    # 4. Verificar regra MASQUERADE
+    typer.echo("\n4. Verificando regra MASQUERADE...")
+    result = run_cmd(
+        ["iptables", "-t", "nat", "-L", "POSTROUTING", "-v", "-n"],
+        ctx,
+        check=False
+    )
+    
+    has_masquerade = False
+    if "10.8.0.0/24" in result.stdout and "MASQUERADE" in result.stdout:
+        has_masquerade = True
+        typer.secho("   ✓ Regra MASQUERADE existente", fg=typer.colors.GREEN)
+    else:
+        typer.secho("   ✗ Regra MASQUERADE não encontrada", fg=typer.colors.YELLOW)
+        typer.echo(f"   Adicionando regra para interface {iface}...")
+        
+        run_cmd([
+            "iptables", "-t", "nat", "-A", "POSTROUTING",
+            "-s", "10.8.0.0/24", "-o", iface, "-j", "MASQUERADE"
+        ], ctx)
+        
+        typer.secho("   ✓ Regra MASQUERADE adicionada", fg=typer.colors.GREEN)
+    
+    # 5. Verificar UFW routed
+    typer.echo("\n5. Verificando UFW routed...")
+    result = run_cmd(["ufw", "status", "verbose"], ctx, check=False)
+    
+    if "deny (routed)" in result.stdout.lower():
+        typer.secho("   ✗ UFW está bloqueando routed", fg=typer.colors.YELLOW)
+        typer.echo("   Configurando UFW para permitir routed...")
+        
+        run_cmd(["ufw", "default", "allow", "routed"], ctx, check=False)
+        typer.secho("   ✓ UFW configurado", fg=typer.colors.GREEN)
+    else:
+        typer.secho("   ✓ UFW permite routed", fg=typer.colors.GREEN)
+    
+    # 6. Verificar regras de FORWARD para wg0
+    typer.echo("\n6. Verificando regras FORWARD...")
+    result = run_cmd(["iptables", "-L", "FORWARD", "-v", "-n"], ctx, check=False)
+    
+    has_forward_in = "wg0" in result.stdout and "ACCEPT" in result.stdout
+    
+    if not has_forward_in:
+        typer.secho("   ✗ Regras FORWARD ausentes", fg=typer.colors.YELLOW)
+        typer.echo("   Adicionando regras FORWARD...")
+        
+        run_cmd(["iptables", "-A", "FORWARD", "-i", "wg0", "-j", "ACCEPT"], ctx, check=False)
+        run_cmd(["iptables", "-A", "FORWARD", "-o", "wg0", "-j", "ACCEPT"], ctx, check=False)
+        
+        typer.secho("   ✓ Regras FORWARD adicionadas", fg=typer.colors.GREEN)
+    else:
+        typer.secho("   ✓ Regras FORWARD existentes", fg=typer.colors.GREEN)
+    
+    # 7. Verificar UFW permite wg0
+    typer.echo("\n7. Verificando UFW para wg0...")
+    result = run_cmd(["ufw", "status"], ctx, check=False)
+    
+    if "wg0" not in result.stdout:
+        typer.secho("   ✗ UFW não permite wg0", fg=typer.colors.YELLOW)
+        typer.echo("   Adicionando regra UFW...")
+        
+        run_cmd(["ufw", "allow", "in", "on", "wg0"], ctx, check=False)
+        typer.secho("   ✓ UFW configurado para wg0", fg=typer.colors.GREEN)
+    else:
+        typer.secho("   ✓ UFW permite wg0", fg=typer.colors.GREEN)
+    
+    # 8. Reiniciar WireGuard para aplicar mudanças
+    typer.echo("\n8. Reiniciando WireGuard...")
+    run_cmd(["systemctl", "restart", "wg-quick@wg0"], ctx)
+    typer.secho("   ✓ WireGuard reiniciado", fg=typer.colors.GREEN)
+    
+    # 9. Verificar peers conectados
+    typer.echo("\n9. Verificando peers conectados...")
+    result = run_cmd(["wg", "show"], ctx, check=False)
+    
+    peer_count = result.stdout.count("peer:")
+    typer.echo(f"   Peers configurados: {peer_count}")
+    
+    if "latest handshake" in result.stdout.lower():
+        typer.secho("   ✓ Handshake detectado (cliente conectado)", fg=typer.colors.GREEN)
+    else:
+        typer.secho("   ⚠ Nenhum handshake recente", fg=typer.colors.YELLOW)
+        typer.echo("   Peça ao cliente para reconectar no WireGuard")
+    
+    # 10. Teste básico de conectividade
+    typer.echo("\n10. Testando conectividade VPN...")
+    result = run_cmd(["ping", "-c", "2", "-W", "1", "10.8.0.1"], ctx, check=False)
+    
+    if result.returncode == 0:
+        typer.secho("   ✓ Ping para 10.8.0.1 bem-sucedido", fg=typer.colors.GREEN)
+    else:
+        typer.secho("   ⚠ Ping falhou (normal se nenhum cliente conectado)", fg=typer.colors.YELLOW)
+    
+    typer.echo("\n" + "="*60)
+    typer.secho("✓ Diagnóstico concluído!", fg=typer.colors.GREEN, bold=True)
+    typer.echo("\nPróximos passos:")
+    typer.echo("  1. No cliente Windows, desconecte e reconecte o túnel WireGuard")
+    typer.echo("  2. Teste: ping 10.8.0.1")
+    typer.echo("  3. Verifique 'sudo wg show' para ver handshake")
+    typer.echo("")
+
+
 def run(ctx: ExecutionContext) -> None:
     """Menu interativo para gerenciar clientes VPN."""
     require_root(ctx)
@@ -506,9 +802,11 @@ def run(ctx: ExecutionContext) -> None:
         typer.echo("2. Listar clientes")
         typer.echo("3. Remover cliente")
         typer.echo("4. Mostrar configuração de cliente")
-        typer.echo("5. Sair")
+        typer.echo("5. Verificar configuração do servidor")
+        typer.echo("6. Diagnosticar e corrigir roteamento")
+        typer.echo("7. Sair")
         
-        choice = typer.prompt("\nEscolha uma opção", default="5")
+        choice = typer.prompt("\nEscolha uma opção", default="7")
         
         try:
             if choice == "1":
@@ -520,6 +818,10 @@ def run(ctx: ExecutionContext) -> None:
             elif choice == "4":
                 show_client_config(ctx)
             elif choice == "5":
+                verify_config(ctx)
+            elif choice == "6":
+                diagnose_and_fix(ctx)
+            elif choice == "7":
                 typer.echo("Saindo...")
                 break
             else:

{raijin_server-0.3.2.dist-info → raijin_server-0.3.4.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: raijin-server
-Version: 0.3.2
+Version: 0.3.4
 Summary: CLI para automacao de setup e hardening de servidores Ubuntu Server.
 Home-page: https://example.com/raijin-server
 Author: Equipe Raijin

{raijin_server-0.3.2.dist-info → raijin_server-0.3.4.dist-info}/RECORD

@@ -1,4 +1,4 @@
-raijin_server/__init__.py,sha256=A06gLxft508OGSQ5sPqJhuqoAoEB0hkD0koIF-UP0SQ,94
+raijin_server/__init__.py,sha256=PxBToT7REJri8rHFGLoeIfEApLUM9TrOogmxCLdnomI,94
 raijin_server/cli.py,sha256=rqkAQCU5imi52YJCIeEuZqWo8bWYkVErOQh3JpKIDok,38149
 raijin_server/config.py,sha256=QNiEVvrbW56XgvNn5-h3bkJm46Xc8mjNqPbvixXD8N0,4829
 raijin_server/healthchecks.py,sha256=lzXdFw6S0hOYbUKbqksh4phb04lXgXdTspP1Dsz4dx8,15401
@@ -13,7 +13,7 @@ raijin_server/modules/cert_manager.py,sha256=XkFlXJjiP4_9It_PJaFcVYMS-QKTzzFAt83
 raijin_server/modules/essentials.py,sha256=2xUXCyCQtFGd2DnCKV81N1R6bEJqH8zaet8mLovtQ1I,689
 raijin_server/modules/firewall.py,sha256=h6AISqiZeTinVT7BjmQIS872qRAFZJLg7meqlth3cfw,757
 raijin_server/modules/full_install.py,sha256=xiKe2GLuZ97c4YdTmhP-kwDVuJJ9Xq3dlgcLlqSPeYM,15518
-raijin_server/modules/grafana.py,sha256=r4U6FJZ9OeTk4d3LDJT0NbN8wumB3REMtd3E3PRL_oE,17383
+raijin_server/modules/grafana.py,sha256=8YbKG-UL19lwTkH1-ZxpUetOZd-CLI4_kPsuZblNaWI,18080
 raijin_server/modules/hardening.py,sha256=4hz3ifkMhPlXa2n7gPxN0gitQgzALZ-073vuU3LM4RI,1616
 raijin_server/modules/harness.py,sha256=uWTxTVJlY_VB6xi4ftMtTSaIb96HA8WJQS-RbyxU45M,5391
 raijin_server/modules/internal_dns.py,sha256=Jynngq0TEEUo3jkAR4m8F1ihF10rkQuKHVP-gZYyDFY,15191
@@ -21,28 +21,28 @@ raijin_server/modules/istio.py,sha256=o0K5-Fw4LRs-kbAVgwzYxHzEt_aPFJG8suqOqvg274
 raijin_server/modules/kafka.py,sha256=n7ZpLPWv6sKBJhdBiPe7VgeDB24YiCIOWvOQkWwt03Y,5664
 raijin_server/modules/kong.py,sha256=_w1VIkND6zZuUwIl_CNDxbwWdzaEdXZEO_Iqc1ngPwQ,13654
 raijin_server/modules/kubernetes.py,sha256=9E6zV0zGQWZW92NVpxwYctpi-4JDmi6YzF3tKRI4HlU,13343
-raijin_server/modules/loki.py,sha256=aNiUpnOFppZMXoQwYhn7IoPMzwUz4aHi6pbiqj1PRjc,5022
+raijin_server/modules/loki.py,sha256=fRoXNghwffW6afE_a3sKMhjPJ9DIWhGMTTPM-ltNr2E,5766
 raijin_server/modules/metallb.py,sha256=uUuklc_RsQ-W2qDVRMQAxQm9HKGEqso444b1IwBpM6w,8554
-raijin_server/modules/minio.py,sha256=QbladHGefZBZ8l3f9D7t45nwfwVcuAgHi78E4Ygi300,17614
+raijin_server/modules/minio.py,sha256=ZoxugJvvuGLzViDfEzrVCRZUevoiFwcEy0PNyn0My4w,18918
 raijin_server/modules/network.py,sha256=QRlYdcryCCPAWG3QQ_W7ld9gJgETI7H8gwntOU7UqFE,4818
 raijin_server/modules/observability_dashboards.py,sha256=fVz0WEOQrUTF5rJ__Nu_onyBuwL_exFmysWMmg8AE9w,7319
 raijin_server/modules/observability_ingress.py,sha256=S4MtJKahiZ1qSx0P71P3IhKvq4RY-g01Z4IogW3c1hs,7045
-raijin_server/modules/prometheus.py,sha256=y5sy_mH1YeQWTOt5CNqqj5JD92-GMxbWQaaZKwx505U,19728
+raijin_server/modules/prometheus.py,sha256=lyhaqLIfMl0GtQ2b2Hre7_A47HrHBB5gspmnWtwXZ4Y,21880
 raijin_server/modules/sanitize.py,sha256=_RnWn1DUuNrzx3NnKEbMvf5iicgjiN_ubwT59e0rYWY,6040
 raijin_server/modules/secrets.py,sha256=d4j12feQL8m_4-hYN5FfboQHvBc75TFeGno3OzrXokE,9266
 raijin_server/modules/ssh_hardening.py,sha256=Zd0dlylUBr01SkrI1CS05-0DB9xIto5rWH1bUVs80ow,5422
 raijin_server/modules/traefik.py,sha256=omziywss4o-8t64Kj-upLqbXdFYm2JwqOoOukDUmqxY,5008
 raijin_server/modules/velero.py,sha256=yDtqd6yUu0L5wzLCjYXqvvxB_RyaAoZtntb6HoHVAOo,5642
-raijin_server/modules/vpn.py,sha256=hF-0vA17VKTxhQLDBSEeqI5aPQpiaaj4IpUf9l6lr64,8297
-raijin_server/modules/vpn_client.py,sha256=6P5mYLTgQr5fqjTftY6jW3p_iRXy5YVNxfkLfP0mujs,17228
+raijin_server/modules/vpn.py,sha256=qWyROiHx2-FzMqhfpmzslrdfRBTewd53ylUq90wR7SQ,9149
+raijin_server/modules/vpn_client.py,sha256=SjWzSQKLSJCpjz7Y1i1dFaNfPOVIQXFwgD9uM3GYaIY,30035
 raijin_server/scripts/__init__.py,sha256=deduGfHf8BMVWred4ux5LfBDT2NJ5XYeJAt2sDEU4qs,53
 raijin_server/scripts/checklist.sh,sha256=j6E0Kmk1EfjLvKK1VpCqzXJAXI_7Bm67LK4ndyCxWh0,1842
 raijin_server/scripts/install.sh,sha256=Y1ickbQ4siQ0NIPs6UgrqUr8WWy7U0LHmaTQbEgavoI,3949
 raijin_server/scripts/log_size_metric.sh,sha256=Iv4SsX8AuCYRou-klYn32mX41xB6j0xJGLBO6riw4rU,1208
 raijin_server/scripts/pre-deploy-check.sh,sha256=XqMo7IMIpwUHF17YEmU0-cVmTDMoCGMBFnmS39FidI4,4912
-raijin_server-0.3.2.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
-raijin_server-0.3.2.dist-info/METADATA,sha256=0YsPOlPDXXMTDqNNWcYfcfiwn-C8mw0spAcAGo-XuTU,8829
-raijin_server-0.3.2.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-raijin_server-0.3.2.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
-raijin_server-0.3.2.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
-raijin_server-0.3.2.dist-info/RECORD,,
+raijin_server-0.3.4.dist-info/licenses/LICENSE,sha256=kJsMCjOiRZE0AQNtxWqBa32z9kMAaF4EUxyHj3hKaJo,1105
+raijin_server-0.3.4.dist-info/METADATA,sha256=pwLU_oSjSgh599AadAEAoyH-UOVQBs9mhQZef-Bcnzk,8829
+raijin_server-0.3.4.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+raijin_server-0.3.4.dist-info/entry_points.txt,sha256=3ZvxDX4pvcjkIRsXAJ69wIfVmKa78LKo-C3QhqN2KVM,56
+raijin_server-0.3.4.dist-info/top_level.txt,sha256=Yz1xneCRtsZOzbPIcTAcrSxd-1p80pohMXYAZ74dpok,14
+raijin_server-0.3.4.dist-info/RECORD,,