name: IACAnsible

on: 
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  hello:
    runs-on: fenix-opentofu
    env:
      CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }}
      PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }}
      PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
      BW_EMAIL: ${{ secrets.BW_EMAIL }}
      BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
      BW_CLIENTID: ${{ secrets.BW_CLIENTID }}
      BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }}
      VAULTWARDEN_LINK: ${{secrets.VAULTWARDEN_LINK }}
    steps:
      
      - name: Updating apt-get
        run: |
          apt-get update -y

      - name: Install setup
        run: |
          apt install -y curl jq
          curl -fsSL https://deb.nodesource.com/setup_18.x


      - name: Install cloudflare prerequisites
        run: |
          apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
      - name: Install cloudflared
        run: |
          # pacote .deb oficial - funcionará numa runner Ubuntu x86_64
          curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
          dpkg -i cloudflared.deb
          cloudflared --version

      - name: Install dante-server
        run: |
          apt-get install -y dante-server openssl 
          #libssl1.1


      - name: Configure dante-server
        run: |
          cat <<EOF |  tee /etc/danted.conf
          logoutput: stderr
          internal: 127.0.0.1 port = 1080
          external: lo
          method: none
          clientmethod: none
          client pass {
              from: 0.0.0.0/0 to: 0.0.0.0/0
              log: connect disconnect
          }
          # encaminhar tudo para o listener TCP do cloudflared
          socks pass {
              from: 0.0.0.0/0 to: 0.0.0.0/0
              command: connect udpassociate bind
              log: connect disconnect
          }
          EOF

      - name: vaultwarden urls as secrets
        run: |
          echo "config"
          echo "$VAULTWARDEN_LINK"
          bw config server $VAULTWARDEN_LINK
          echo "login"
          bw login --apikey
          echo "session"
          BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
          echo "getting item"
          bw get item "iac.proxmox.ssh.link"  --session "$BW_SESSION"  | jq -r '.notes' > "proxmox-ssh-link.txt"

      - name: Start cloudflared Access TCP -> SOCKS5 (background)
        env:
          CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
          CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
        run: |
          Hostname=$(cat proxmox-ssh-link.txt)

          # Inicia cloudflared access tcp/ssh com service token e listener socks local
          # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
          nohup cloudflared access tcp \
            --hostname "$Hostname" \
            --listener "tcp://127.0.0.1:1081" \
            --service-token-id "$CF_SVC_ID" \
            --service-token-secret "$CF_SVC_SECRET" \
            > cloudflared.log 2>&1 &

          # espera a porta do listener estar pronta (timeout 30s)
          for i in $(seq 1 30); do
            ss -tnl | grep -q ":1081" && break
            sleep 1
          done

          if ! ss -tnl | grep -q ":1081"; then
            echo "SOCKS listener not ready after 30s, printing cloudflared.log"
            tail -n +1 cloudflared.log
            cat cloudflared.log
            exit 1
          fi

          echo "cloudflared socks listener ready at $SOCKS_LISTENER"
          sleep 1
          # opcional: ver primeiros logs
          tail -n 50 cloudflared.log || true
      
      - name: Start dante-server
        run: |
          pkill danted || true
          danted -f /etc/danted.conf -D > dante.log 2>&1 &
          sleep 3 
          cat dante.log
          

      - name: Cloning ansible repository
        uses: actions/checkout@v4
        with:
          path: ansible/iac

      - name: vaultwarden inventory-ini as secrets
        run: |
          bw get item "iac.ansible.hosts.ini"  --session "$BW_SESSION"  | jq -r '.notes' > "inventory.ini"
        with:
          path: ansible/iac

      - name: Install Ansible
        run: apt-get install -y ansible

      - name: Run Ansible Playbook
        working-directory: ansible/iac
        run: |
          ansible-playbook -i inventory.ini playbook.yml