diff --git a/.gitea/workflows/ci-test.yaml b/.gitea/workflows/ci-test.yaml
index 1f9f7eb..8c2c50f 100644
--- a/.gitea/workflows/ci-test.yaml
+++ b/.gitea/workflows/ci-test.yaml
@@ -33,6 +33,51 @@ jobs:
 token: ${{ secrets.GGITEA_TOKEN }}
 path: infra/secrets
+
+ - name: Install cloudflare prerequisites
+ run: |
+ sudo apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
+
+ - name: Install cloudflared
+ run: |
+ # pacote .deb oficial - funcionará numa runner Ubuntu x86_64
+ curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
+ sudo dpkg -i cloudflared.deb
+ cloudflared --version
+
+ - name: Start cloudflared Access TCP -> SOCKS5 (background)
+ env:
+ CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
+ CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
+ HOSTNAME: ${{ env.HOSTNAME }}
+ SOCKS_LISTENER: ${{ env.SOCKS_LISTENER }}
+ run: |
+ # Inicia cloudflared access tcp/ssh com service token e listener socks local
+ # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
+ nohup cloudflared access tcp \
+ --hostname "$HOSTNAME" \
+ --listener "socks://$SOCKS_LISTENER" \
+ --service-token-id "$CF_SVC_ID" \
+ --service-token-secret "$CF_SVC_SECRET" \
+ > cloudflared.log 2>&1 &
+
+ # espera a porta do listener estar pronta (timeout 30s)
+ for i in $(seq 1 30); do
+ ss -tnl | grep -q ":1080" && break
+ sleep 1
+ done
+
+ if ! ss -tnl | grep -q ":1080"; then
+ echo "SOCKS listener not ready after 30s, printing cloudflared.log"
+ tail -n +1 cloudflared.log
+ cat cloudflared.log
+ exit 1
+ fi
+
+ echo "cloudflared socks listener ready at $SOCKS_LISTENER"
+ sleep 1
+ # opcional: ver primeiros logs
+ tail -n 50 cloudflared.log || true
 - name: vaultwarden login
 working-directory: infra/iac
 run: |
diff --git a/proxmox.tf b/proxmox.tf
index 716a8a0..e3c1937 100644
--- a/proxmox.tf
+++ b/proxmox.tf
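Review bot: In `.gitea/workflows/ci-test.yaml`, the "Install cloudflared" step fetches whatever `releases/latest` currently points to and installs it with `sudo dpkg -i` without any integrity check, so every run trusts an unpinned binary that then handles the Cloudflare Access service token. Pin a release and verify its digest before installing, e.g. `curl -fsSL -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/download/<PINNED_VERSION>/cloudflared-linux-amd64.deb` followed by `echo "<EXPECTED_SHA256>  cloudflared.deb" | sha256sum -c -`; `-f` also keeps an HTTP error page from being handed to dpkg. In the following step, `--service-token-secret "$CF_SVC_SECRET"` places the secret on the process command line, where other processes on the runner can read it; cloudflared can take it from the `TUNNEL_SERVICE_TOKEN_ID`/`TUNNEL_SERVICE_TOKEN_SECRET` environment variables instead (confirm for the pinned version). The readiness check greps a hard-coded `:1080` rather than the port in `$SOCKS_LISTENER`, and the failure path prints the whole `cloudflared.log` into the job log twice (`tail -n +1` and `cat`).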
@@ -4,11 +4,7 @@ provider "proxmox" {
 ssh {
 agent = true
 username = var.proxmox_username_ssh
- node {
- address = var.proxmox_server_ssh
- name = var.proxmox_username_ssh # optional
- port = 22
- }
+ socks5_server = var.proxmox_server_ssh
 password = var.proxmox_password_ssh
 }
 }
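Review bot: `socks5_server = var.proxmox_server_ssh` reuses the variable that the removed `node` block used as the node's SSH address, so unless its value is changed elsewhere the provider would treat the Proxmox host itself as the SOCKS5 proxy. A dedicated variable, e.g. `socks5_server = var.proxmox_ssh_socks5_server` (a new variable, set to the runner's local listener), would keep the two addresses distinct and make the SSH routing auditable. Dropping the `node` override also removes the explicit address and `port = 22` mapping, so the provider presumably falls back to whatever address it resolves for the node, which then has to be reachable through the tunnel; a one-line comment above `socks5_server` stating that would help. The `provider "proxmox"` block starts above this hunk.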