Merge pull request 'fenix-admin' (#79) from fenix-admin into main

Reviewed-on: fenix-gitea-admin/iac-teste#79
2025-10-27 15:53:06 +00:00 · 2025-08-24 16:18:27 +00:00
parent de25f44681 b31d09964f
commit e1dba805bb
2 changed files with 46 additions and 5 deletions
--- a/.gitea/workflows/ci-test.yaml
+++ b/.gitea/workflows/ci-test.yaml
@ -33,6 +33,51 @@ jobs:
          token: ${{ secrets.GGITEA_TOKEN }}
          path: infra/secrets

+
+      - name: Install cloudflare prerequisites
+        run: |
+          sudo apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
+
+      - name: Install cloudflared
+        run: |
+          # pacote .deb oficial - funcionará numa runner Ubuntu x86_64
+          curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
+          sudo dpkg -i cloudflared.deb
+          cloudflared --version
+
+      - name: Start cloudflared Access TCP -> SOCKS5 (background)
+        env:
+          CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
+          CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
+          HOSTNAME: ${{ env.HOSTNAME }}
+          SOCKS_LISTENER: ${{ env.SOCKS_LISTENER }}
+        run: |
+          # Inicia cloudflared access tcp/ssh com service token e listener socks local
+          # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
+          nohup cloudflared access tcp \
+            --hostname "$HOSTNAME" \
+            --listener "socks://$SOCKS_LISTENER" \
+            --service-token-id "$CF_SVC_ID" \
+            --service-token-secret "$CF_SVC_SECRET" \
+            > cloudflared.log 2>&1 &
+
+          # espera a porta do listener estar pronta (timeout 30s)
+          for i in $(seq 1 30); do
+            ss -tnl | grep -q ":1080" && break
+            sleep 1
+          done
+
+          if ! ss -tnl | grep -q ":1080"; then
+            echo "SOCKS listener not ready after 30s, printing cloudflared.log"
+            tail -n +1 cloudflared.log
+            cat cloudflared.log
+            exit 1
+          fi
+
+          echo "cloudflared socks listener ready at $SOCKS_LISTENER"
+          sleep 1
+          # opcional: ver primeiros logs
+          tail -n 50 cloudflared.log || true
      - name: vaultwarden login
        working-directory: infra/iac
        run: |
--- a/proxmox.tf
+++ b/proxmox.tf
@ -4,11 +4,7 @@ provider "proxmox" {
  ssh {
    agent    = true
    username = var.proxmox_username_ssh
-    node {
-     address = var.proxmox_server_ssh
-     name   = var.proxmox_username_ssh  # optional  
-     port = 22
-    }
+    socks5_server = var.proxmox_server_ssh
    password = var.proxmox_password_ssh   
 }
 }