From ce0d4f70198117b751f434f18db3c95c6cde0e8d Mon Sep 17 00:00:00 2001
From: fenix-gitea-admin
Date: Sun, 12 Oct 2025 11:13:02 +0000
Subject: [PATCH] v0.1 v0.1
---
 .gitea/workflows/deploy-k8s.yml | 120 +++++++++++++++++++++++++++++++-
 1 file changed, 118 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/deploy-k8s.yml b/.gitea/workflows/deploy-k8s.yml
index e1ada71..21a4709 100644
--- a/.gitea/workflows/deploy-k8s.yml
+++ b/.gitea/workflows/deploy-k8s.yml
@@ -1,4 +1,4 @@
-name: IAC
+name: IAC-Ansible
 on:
 push:
@@ -7,13 +7,129 @@ on: jobs: hello: - runs-on: ubuntu-latest + runs-on: [ fenix-opentofu ] + env: + CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }} + PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }} + PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }} + BW_EMAIL: ${{ secrets.BW_EMAIL }} + BW_PASSWORD: ${{ secrets.BW_PASSWORD }} + BW_CLIENTID: ${{ secrets.BW_CLIENTID }} + BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }} + VAULTWARDEN_LINK: ${{secrets.VAULTWARDEN_LINK }} steps: + + - name: Updating apt-get + run: | + apt-get update -y + + - name: Install setup + run: | + apt install -y curl jq + curl -fsSL https://deb.nodesource.com/setup_18.x + + + - name: Install cloudflare prerequisites + run: | + apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2 + - name: Install cloudflared + run: | + # pacote .deb oficial - funcionará numa runner Ubuntu x86_64 + curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb + dpkg -i cloudflared.deb + cloudflared --version + + - name: Install dante-server + run: | + apt-get install -y dante-server openssl + #libssl1.1 + + + - name: Configure dante-server + run: | + cat < "proxmox-ssh-link.txt" + + - name: Start cloudflared Access TCP -> SOCKS5 (background) + env: + CF_SVC_ID: ${{ secrets.CF_SVC_ID }} + CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }} + run: | + Hostname=$(cat proxmox-ssh-link.txt) + + # Inicia cloudflared access tcp/ssh com service token e listener socks local + # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes. + nohup cloudflared access tcp \ + --hostname "$Hostname" \ + --listener "tcp://127.0.0.1:1081" \ + --service-token-id "$CF_SVC_ID" \ + --service-token-secret "$CF_SVC_SECRET" \ + > cloudflared.log 2>&1 & + + # espera a porta do listener estar pronta (timeout 30s) + for i in $(seq 1 30); do + ss -tnl | grep -q ":1081" && break + sleep 1 + done + + if ! 
ss -tnl | grep -q ":1081"; then
+ echo "SOCKS listener not ready after 30s, printing cloudflared.log"
+ tail -n +1 cloudflared.log
+ cat cloudflared.log
+ exit 1
+ fi
+
+ echo "cloudflared socks listener ready at $SOCKS_LISTENER"
+ sleep 1
+ # opcional: ver primeiros logs
+ tail -n 50 cloudflared.log || true
+
+ - name: Start dante-server
+ run: |
+ pkill danted || true
+ danted -f /etc/danted.conf -D > dante.log 2>&1 &
+ sleep 3
+ cat dante.log
+
 - name: Cloning ansible repository
 uses: actions/checkout@v4
 with:
 path: ansible/iac
+ - name: vaultwarden inventory-ini as secrets
+ run: |
+ bw get item "iac.ansible.hosts.ini" --session "$BW_SESSION" | jq -r '.notes' > "inventory.ini"
+ with:
+ path: ansible/iac
 - name: Install Ansible
 run: sudo apt-get install -y ansible
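Review bot: The job-level `env:` block of `hello` hands `CONSUL_HTTP_TOKEN`, the `PM_API_*` and `BW_*` secrets to every step, including `actions/checkout@v4` and the `cloudflared` binary fetched from `releases/latest/download` and installed with `dpkg -i` with neither a version pin nor a checksum check, while only the `bw get item` step and the later Ansible steps appear to consume them. Scope them the way the commit already scopes `CF_SVC_ID`/`CF_SVC_SECRET`, with a step-level `env:` on the steps that need them, and pin cloudflared to a specific release whose published checksum is verified before `dpkg -i`. In the "Start cloudflared" step `$SOCKS_LISTENER` is never assigned, so the ready message prints an empty value; define it once, `SOCKS_LISTENER="tcp://127.0.0.1:1081"`, and pass `--listener "$SOCKS_LISTENER"` so the port check, the flag and the message agree. The "vaultwarden inventory-ini as secrets" step pairs `run:` with a `with: path:` block that is only meaningful on a `uses:` step and looks copied from the checkout step, and `$BW_SESSION` is not set anywhere visible in this hunk, though the stretch between `cat <` and `"proxmox-ssh-link.txt"` appears lost in this rendering and may contain it. The "Install setup" step fetches `https://deb.nodesource.com/setup_18.x` with `curl -fsSL` and discards the output, so it installs nothing; drop the line or replace it with a pinned package install.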