From 6c78b7ce390147467288b4ac194a501e5fa4e93c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1s=20Limpinho?= <53994778+TomasLimpinho@users.noreply.github.com>
Date: Wed, 12 Nov 2025 17:18:40 +0000
Subject: [PATCH] cloudflare
---
.../files/cloudflare-namespace.yaml | 4 ++
.../files/cloudflared-tunnel-deployment.yaml | 49 ++++++++++++++++++
.../files/tunnel-token-secret.yaml | 8 +++
roles/cloudflared/tasks/main.yml | 51 +++++++++++++++++++
roles/cloudflared/vars/main.yml | 4 ++
5 files changed, 116 insertions(+)
create mode 100644 roles/cloudflared/files/cloudflare-namespace.yaml
create mode 100644 roles/cloudflared/files/cloudflared-tunnel-deployment.yaml
create mode 100644 roles/cloudflared/files/tunnel-token-secret.yaml
create mode 100644 roles/cloudflared/tasks/main.yml
create mode 100644 roles/cloudflared/vars/main.yml
diff --git a/roles/cloudflared/files/cloudflare-namespace.yaml b/roles/cloudflared/files/cloudflare-namespace.yaml
new file mode 100644
index 0000000..b7626fc
--- /dev/null
+++ b/roles/cloudflared/files/cloudflare-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cloudflare
diff --git a/roles/cloudflared/files/cloudflared-tunnel-deployment.yaml b/roles/cloudflared/files/cloudflared-tunnel-deployment.yaml
new file mode 100644
index 0000000..6109b06
--- /dev/null
+++ b/roles/cloudflared/files/cloudflared-tunnel-deployment.yaml
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cloudflared-tunnel
+ namespace: cloudflare
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: cloudflared
+ template:
+ metadata:
+ labels:
+ app: cloudflared
+ spec:
+ securityContext:
+ sysctls:
+ # Allows ICMP traffic (ping, traceroute) to resources behind cloudflared.
+ - name: net.ipv4.ping_group_range
+ value: "65532 65532"
+ containers:
+ - image: cloudflare/cloudflared:latest
+ name: cloudflared
+ env:
+ # Defines an environment variable for the tunnel token.
+ - name: TUNNEL_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: tunnel-token-secret
+ key: token
+ command:
+ # Configures tunnel run parameters
+ - cloudflared
+ - tunnel
+ - --no-autoupdate
+ - --loglevel
+ - debug
+ - --metrics
+ - 0.0.0.0:2000
+ - run
+ livenessProbe:
+ httpGet:
+ # Cloudflared has a /ready endpoint which returns 200 if and only if
+ # it has an active connection to Cloudflare's network.
+ path: /ready
+ port: 2000
+ failureThreshold: 1
+ initialDelaySeconds: 10
+ periodSeconds: 10
\ No newline at end of file
diff --git a/roles/cloudflared/files/tunnel-token-secret.yaml b/roles/cloudflared/files/tunnel-token-secret.yaml
new file mode 100644
index 0000000..3f09ee2
--- /dev/null
+++ b/roles/cloudflared/files/tunnel-token-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: tunnel-token-secret
+ namespace: cloudflare
+type: Opaque
+data:
+ token:
\ No newline at end of file
diff --git a/roles/cloudflared/tasks/main.yml b/roles/cloudflared/tasks/main.yml
new file mode 100644
index 0000000..762106f
--- /dev/null
+++ b/roles/cloudflared/tasks/main.yml
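Review bot: `image: cloudflare/cloudflared:latest` makes the rollout non-reproducible — every pod restart or node reschedule may pull a different build — and sits oddly next to `--no-autoupdate`, which only controls in-process updates; pin a release tag, ideally with a digest, e.g. `image: cloudflare/cloudflared:<pinned-version>`. `--loglevel debug` is very verbose for a long-running connector and will fill the pod logs with per-request detail; `info` is enough to diagnose the `/ready` probe. The container declares no `resources` and no container-level `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`), which are cheap to add for an internet-facing egress component. The metrics listener on `0.0.0.0:2000` is not declared as a `containerPort`; adding `ports: [{containerPort: 2000, name: metrics}]` documents what the liveness probe targets.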
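Review bot: `token:` has no value, so `data.token` parses as null rather than a base64 string; applied as committed, the Secret would be rejected or created without a usable token. In this patch the tasks/main.yml "Obter várias notas do Bitwarden" task overwrites this file with the vault note before `kubectl apply`, so the committed copy is only a placeholder — say so explicitly, e.g. `token: ""  # placeholder: replaced at deploy time from Bitwarden item iac.ansible.cloudflare.tunnel.secret`, so nobody applies the role's `files/` directory directly and reviewers do not expect a real value here.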
@@ -0,0 +1,51 @@
+- name: Remover o diretório /tmp/cloudflare/kubernetes-files
+ ansible.builtin.file:
+ path: /tmp/cloudflare/kubernetes-files
+ state: absent
+
+- name: Criar diretório temporário no remoto
+ file:
+ path: /tmp/cloudflare/kubernetes-files
+ state: directory
+ mode: '0755'
+
+- name: Copy file with owner and permissions
+ ansible.builtin.copy:
+ src: ../files
+ dest: /tmp/cloudflare/kubernetes-files
+ owner: fenix
+ group: root
+ mode: '0644'
+
+
+- name: Obter várias notas do Bitwarden
+ shell: |
+ echo "unlock"
+ BW_SESSION=$(bw unlock {{ bw_password }} --raw)
+ echo "get item"
+ bw get item "{{ item.id }}" --session $BW_SESSION | jq -r '.notes' > {{ item.dest }}
+ loop:
+ - { id: "iac.ansible.cloudflare.tunnel.secret", dest: "/tmp/cloudflare/kubernetes-files/files/tunnel-token-secret.yaml" }
+ args:
+ executable: /bin/bash
+ environment:
+ BW_PASSWORD: "{{ BW_PASSWORD }}"
+
+
+- name: Listar conteúdo do diretório remoto
+ shell: ls -l /tmp/cloudflare/kubernetes-files/files
+ register: resultado_ls
+
+
+- name: Mostrar resultado do ls
+ debug:
+ var: resultado_ls.stdout_lines
+
+
+- name: Aplicar o stolon
+ become: yes
+ become_user: fenix
+ shell: |
+ kubectl apply -f /tmp/cloudflare/kubernetes-files/files/
+ environment:
+ KUBECONFIG: /home/fenix/.kube/config
\ No newline at end of file
diff --git a/roles/cloudflared/vars/main.yml b/roles/cloudflared/vars/main.yml
new file mode 100644
index 0000000..c8fe60b
--- /dev/null
+++ b/roles/cloudflared/vars/main.yml
@@ -0,0 +1,4 @@
+bw_password: "{{ lookup('env', 'BW_PASSWORD') }}"
+VAULTWARDEN_LINK: "{{ lookup('env', 'VAULTWARDEN_LINK') }}"
+BW_CLIENTID: "{{ lookup('env', 'BW_CLIENTID') }}"
+BW_CLIENTSECRET : "{{ lookup('env', 'BW_CLIENTSECRET') }}"
\ No newline at end of file
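Review bot: In the "Obter várias notas do Bitwarden" task the vault master password is interpolated into the command line (`bw unlock {{ bw_password }} --raw`), so it is visible in the remote host's process table and, since the task has no `no_log`, in Ansible's task output and logs; the `environment:` block meanwhile reads `{{ BW_PASSWORD }}`, an Ansible variable that vars/main.yml in this patch does not define (it defines `bw_password`), so the task presumably fails on an undefined variable as written. Set `BW_PASSWORD: "{{ bw_password }}"` in the environment, unlock with `BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)`, and add `no_log: true` to the task. The decoded manifest containing the tunnel token is then written under /tmp with the default umask and survives until the first task of the next run; a `umask 077` before the redirect and a cleanup task after the apply would limit its exposure. The last task's name, "Aplicar o stolon", looks like a leftover from another role, and `become: yes` is better written `become: true`.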
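Review bot: `BW_CLIENTSECRET : "{{ lookup('env', 'BW_CLIENTSECRET') }}"` has a space before the colon; YAML still yields the key `BW_CLIENTSECRET`, but it reads as a typo and yamllint flags it, so write `BW_CLIENTSECRET: "{{ lookup('env', 'BW_CLIENTSECRET') }}"`. The naming is also mixed: `bw_password` is snake_case while the other three keys are upper-case, and only `bw_password` is referenced by tasks/main.yml in this patch — if `VAULTWARDEN_LINK`, `BW_CLIENTID` and `BW_CLIENTSECRET` feed a login step elsewhere, a one-line comment saying so would help the next reader.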