fenix-gitea-admin/iac-ansible-public
1
0
Fork 0
mirror of https://gitea.fenix-dev.com/fenix-gitea-admin/iac-ansible-private.git synced 2025-10-27 08:43:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

v0.1

Browse Source 
v0.1
This commit is contained in:
fenix-gitea-admin
2025-10-12 11:13:02 +00:00
parent 1d6d1bea7a
commit ce0d4f7019
1 changed files with 118 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
.gitea/workflows/deploy-k8s.yml
View File

@ -1,4 +1,4 @@
name: IAC
name: IAC-Ansible
on:
push:
@ -7,13 +7,129 @@ on:
jobs:
hello:
runs-on: ubuntu-latest
runs-on: [ fenix-opentofu ]
env:
CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }}
PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }}
PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
BW_EMAIL: ${{ secrets.BW_EMAIL }}
BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
BW_CLIENTID: ${{ secrets.BW_CLIENTID }}
BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }}
VAULTWARDEN_LINK: ${{secrets.VAULTWARDEN_LINK }}
steps:
- name: Updating apt-get
run: |
apt-get update -y
- name: Install setup
run: |
apt install -y curl jq
curl -fsSL https://deb.nodesource.com/setup_18.x
- name: Install cloudflare prerequisites
run: |
apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
- name: Install cloudflared
run: |
# pacote .deb oficial - funcionará numa runner Ubuntu x86_64
curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
dpkg -i cloudflared.deb
cloudflared --version
- name: Install dante-server
run: |
apt-get install -y dante-server openssl
#libssl1.1
- name: Configure dante-server
run: |
cat <<EOF | tee /etc/danted.conf
logoutput: stderr
internal: 127.0.0.1 port = 1080
external: lo
method: none
clientmethod: none
client pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
log: connect disconnect
}
# encaminhar tudo para o listener TCP do cloudflared
socks pass {
from: 0.0.0.0/0 to: 0.0.0.0/0
command: connect udpassociate bind
log: connect disconnect
}
EOF
- name: vaultwarden urls as secrets
run: |
echo "config"
echo "$VAULTWARDEN_LINK"
bw config server $VAULTWARDEN_LINK
echo "login"
bw login --apikey
echo "session"
BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
echo "getting item"
bw get item "iac.proxmox.ssh.link" --session "$BW_SESSION" | jq -r '.notes' > "proxmox-ssh-link.txt"
- name: Start cloudflared Access TCP -> SOCKS5 (background)
env:
CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
run: |
Hostname=$(cat proxmox-ssh-link.txt)
# Inicia cloudflared access tcp/ssh com service token e listener socks local
# O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
nohup cloudflared access tcp \
--hostname "$Hostname" \
--listener "tcp://127.0.0.1:1081" \
--service-token-id "$CF_SVC_ID" \
--service-token-secret "$CF_SVC_SECRET" \
> cloudflared.log 2>&1 &
# espera a porta do listener estar pronta (timeout 30s)
for i in $(seq 1 30); do
ss -tnl | grep -q ":1081" && break
sleep 1
done
if ! ss -tnl | grep -q ":1081"; then
echo "SOCKS listener not ready after 30s, printing cloudflared.log"
tail -n +1 cloudflared.log
cat cloudflared.log
exit 1
fi
echo "cloudflared socks listener ready at $SOCKS_LISTENER"
sleep 1
# opcional: ver primeiros logs
tail -n 50 cloudflared.log || true
- name: Start dante-server
run: |
pkill danted || true
danted -f /etc/danted.conf -D > dante.log 2>&1 &
sleep 3
cat dante.log
- name: Cloning ansible repository
uses: actions/checkout@v4
with:
path: ansible/iac
- name: vaultwarden inventory-ini as secrets
run: |
bw get item "iac.ansible.hosts.ini" --session "$BW_SESSION" | jq -r '.notes' > "inventory.ini"
with:
path: ansible/iac
- name: Install Ansible
run: sudo apt-get install -y ansible