Metadata-Version: 2.4
Name: lnp-devopscli
Version: 2.1.1
Summary: DevOps CLI — workspace sync (GDrive, git, GPG, systemd timers) + GitLab/Bitwarden tooling
Author-email: Lucas Neves Pires <npires.lucas@gmail.com>
License: MIT
Project-URL: Homepage, https://gitlab.com/lnp-consulting-ti/devops/devops-cli
Project-URL: Repository, https://gitlab.com/lnp-consulting-ti/devops/devops-cli
Project-URL: Issues, https://gitlab.com/lnp-consulting-ti/devops/devops-cli/-/issues
Keywords: devops,workspace-sync,rclone,gdrive,gitlab,bitwarden,systemd
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: System :: Systems Administration
Classifier: Topic :: Utilities
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: click>=8.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: requests>=2.28
Requires-Dist: rich>=13.0
Requires-Dist: fastapi>=0.115
Requires-Dist: uvicorn[standard]>=0.32
Requires-Dist: sse-starlette>=2.1
Requires-Dist: pydantic>=2.0

# lnp-devopscli

Declarative bootstrap of Linux machines + bidirectional sync (GDrive + git +
GPG + systemd timers) + secrets restore (Bitwarden Secrets Manager).

```
pipx install lnp-devopscli
devopscli profile init     # generates ~/.config/devopscli/profile.yaml
devopscli setup            # 11-stage pipeline
```

[![PyPI](https://img.shields.io/pypi/v/lnp-devopscli.svg)](https://pypi.org/project/lnp-devopscli/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)

## Commands by group

| Group | Commands | Purpose |
|---|---|---|
| `profile` | `init / show / validate / path / detect` | Pydantic schema for the machine's declarative state |
| `install` | `list / run / run-profile` | Installs 25 tools via embedded .sh scripts |
| `setup` | `--dry-run --skip --only --list-phases` | 11-stage orchestrator |
| `ws` | `push / pull / sync / doctor / install-timers / gpg-backup / gpg-restore / verify` | Workspace sync (GDrive + git + GPG + systemd) |
| `bw` | `install-cli / token-persist / migrate-secrets / sync-secrets / list-secrets / env-push / env-pull / env-list` | Bitwarden Secrets Manager |
| `gl` | `tokens / projects` | GitLab tokens and bw-projects |
| `ui` | `demo` | Rich dashboard demo |
| `report` | `list / show / last / html` | Execution logs |
| `test vm` | `create / reset / shell / exec / mount / bootstrap / rclone-setup / set-bw-token / verify-bw-restore` | Multipass for isolated testing |

`devopscli --help` or `devopscli <group> --help` for details.

## Use cases

### A) Bootstrap a new PC (Ubuntu/Debian)

```bash
# 1. Bootstrap snippet (3 lines on the new PC)
bash <(curl -fsSL https://gitlab.com/-/snippets/6003334/raw/main/bootstrap.sh)

# 2. Export BWS_ACCESS_TOKEN (obtained from https://vault.bitwarden.com)
export BWS_ACCESS_TOKEN='0.abc...'

# 3. Configure rclone (once, Google OAuth)
rclone config

# 4. Zero-touch orchestrator (~25 min)
devopscli setup
```

Provided that `BWS_ACCESS_TOKEN`, `rclone gdrive`, and `GPG_PASSPHRASE` in BWS
are configured, the setup runs zero-touch:

```
apt-deps → rclone-config → bw-token → bw-install-cli → bw-sync →
install-tools → ws-pull → gpg-restore → workspaces-clone → git-crypt →
timers
```

### B) Daily sync (workspaces + dotfiles)

Already automated via systemd user timers (installed by `ws install-timers`):

| Timer | Frequency | Function |
|---|---|---|
| `ws-push.timer` | 30 min | `ws push` (GDrive snapshot) |
| `ws-sync.timer` | 1 h | `ws ai-sync` + `repos-sync` (git pull/commit/push) |
| `bw-sync.timer` | daily | `bw sync-secrets` + `env-pull` |

Check status:

```bash
devopscli ws timers-doctor
journalctl --user -u ws-sync.service -f
```

### C) Switching machines

The source machine keeps the authoritative state in GDrive + BWS. The target
machine only needs the bootstrap above; everything else comes from the remotes.

```bash
# source machine (once before the switch)
devopscli ws push              # fresh state on GDrive
devopscli bw sync-secrets --direction push   # secrets up to date in BWS

# target machine
bash <(curl -fsSL https://gitlab.com/-/snippets/6003334/raw/main/bootstrap.sh)
devopscli setup
```

## Profile.yaml

`~/.config/devopscli/profile.yaml`: generated by `devopscli profile init`,
versioned in BWS by `bw-sync`. Schema:

```yaml
version: 1
name: lnpires-desktop-default
hostname_match: [lnpires-desktop]
platform: linux

installers:                       # triggered by `install run-profile`
  - name: docker
    version: latest
  - name: kubectl
    version: latest

repos:                            # triggered by `setup workspaces-clone`
  - name: workspace-personal
    url: git@gitlab.com:...
    path: ~/workspace-personal
    auto_commit: true             # auto-snapshot via ws-sync.timer

env_secrets:                      # which BWS ENV vars to export
  - RNN_TOKEN
  - GITLAB_PERSONAL_TOKEN
  - GPG_PASSPHRASE

file_secrets:                     # which BWS file secrets to restore
  - ssh_id_ed25519
  - rclone_conf

rclone:
  remote_name: gdrive

timers:
  - name: ws-push
    enabled: true
  - name: bw-sync
    enabled: true
```

## Security

| What | Who holds it |
|---|---|
| OAuth Google → rclone | Tokens in `~/.config/rclone/rclone.conf`, synced via BWS |
| SSH keys | BWS (`ssh` category), restored with chmod 600 |
| GPG private key | GDrive (encrypted with a passphrase), passphrase in BWS |
| `.env` of repos | git-crypt in the repo itself, key derived from GPG |
| Shell tokens (GitLab, Anthropic, …) | BWS (`env` category), sourced via `env-secrets.sh` |
| `BWS_ACCESS_TOKEN` | `~/.config/devopscli/secrets.env` (generated by `bw token-persist`); chicken-and-egg, the only manual secret |

The code is open source: anyone can `pipx install` it. Without your
credentials, no one can access your data.
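
One way to check the on-disk side of the table above (secret files readable only by their owner, as with the `chmod 600` SSH keys), as an added example that is not part of devopscli. The `~/.ssh/id_ed25519` path is an assumption about where the `ssh_id_ed25519` file secret is restored; the other two paths are taken from the table.

```python
import os
import stat
from pathlib import Path

# The first two paths are from the table above; the SSH key path is an
# assumption about where the `ssh_id_ed25519` file secret is restored.
SECRET_FILES = [
    "~/.config/devopscli/secrets.env",
    "~/.config/rclone/rclone.conf",
    "~/.ssh/id_ed25519",
]


def audit_secret_file(path):
    """Return a list of findings for one secret file; an empty list means OK."""
    p = Path(path).expanduser()
    try:
        st = os.lstat(p)  # lstat so a symlink is reported, not followed
    except (FileNotFoundError, NotADirectoryError):
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; check the target instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    if st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not the current user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"mode {oct(mode)} grants group/other access, expected 0o600")
    parent_mode = stat.S_IMODE(os.stat(p.parent).st_mode)
    if parent_mode & 0o022:  # another user could replace the file
        findings.append(f"parent directory is group/other writable ({oct(parent_mode)})")
    return findings


def audit(paths=SECRET_FILES):
    """Map every path to its list of findings."""
    return {path: audit_secret_file(path) for path in paths}


if __name__ == "__main__":
    report = audit()
    for path, findings in report.items():
        print(f"{path}: {'OK' if not findings else '; '.join(findings)}")
    # A file that does not exist yet is reported but does not fail the run.
    raise SystemExit(1 if any(f and f != ["missing"] for f in report.values()) else 0)
```
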

## Diagnostics

```bash
devopscli ws doctor
```

Covers 12 categories: required/optional deps, Python modules, schedule
(systemd + cron), last sync, GDrive accessibility, GPG keyring, git-crypt,
synced repos, critical local configs, **profile.yaml**, **BWS
connectivity**, **registry installers**, **last setup run**.

Exit code: 0 = healthy, 1 = ≥1 critical failure.

## Testing in a VM (Multipass)

For development: an isolated Ubuntu 24.04 VM with snapshots:

```bash
devopscli test vm create                  # once (leaves a 'fresh' snapshot)
devopscli test vm reset                   # before each test
devopscli test vm mount ~/bin/devops-cli  # editable
devopscli test vm rclone-setup            # OAuth via host
devopscli test vm set-bw-token            # injects BWS_ACCESS_TOKEN
```

## Release

CI auto-publishes to PyPI on push of a `v*.*.*` tag. See
[CONTRIBUTING.md](CONTRIBUTING.md#release).

## Roadmap

- ✅ Phases 0 (UI), 1 (BWS), 2 (profile), 3 (installers), 4 (setup), 5 (polish)
- ⬜ Phase 6: remote `machine reinstall` (cloud-init autoinstall + grub-imageboot)

Details in [ROADMAP-V2.md](ROADMAP-V2.md).

## License

MIT
