From f55b0d07b0e2d161ba74d1374774b39983b96e27 Mon Sep 17 00:00:00 2001
From: fenix-gitea-admin
Date: Mon, 1 Sep 2025 16:48:52 +0000
Subject: [PATCH 1/2] Update .gitea/workflows/ci-test.yaml
---
 .gitea/workflows/ci-test.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci-test.yaml b/.gitea/workflows/ci-test.yaml
index 7ea1bb1..bdc45b9 100644
--- a/.gitea/workflows/ci-test.yaml
+++ b/.gitea/workflows/ci-test.yaml
@@ -22,7 +22,7 @@ jobs:
 if: "!contains(gitea.event.head_commit.message, '[deploy-opentofu]')"
 run: |
 echo "Commit não contém [deploy-opentofu], a pipeline será ignorada."
- exit 0
+ exit 1
 - name: Executar deploy opentofu
 run: echo "Commit contém [deploy-opentofu], a pipeline será executada."
From 6f6cff06e143c17b75a4ade5b24b13d94b344d10 Mon Sep 17 00:00:00 2001
From: "tomas.limpinho"
Date: Sun, 7 Sep 2025 19:47:42 +0100
Subject: [PATCH 2/2] get via vaultwarden
---
 .gitea/workflows/ci-test.yaml | 34 ++++++++++++++++++++++++++++------
 secrets/vault-secrets-map.json | 19 +++++++++++++++++++
 2 files changed, 47 insertions(+), 6 deletions(-)
 create mode 100644 secrets/vault-secrets-map.json
diff --git a/.gitea/workflows/ci-test.yaml b/.gitea/workflows/ci-test.yaml
index bdc45b9..c6884b8 100644
--- a/.gitea/workflows/ci-test.yaml
+++ b/.gitea/workflows/ci-test.yaml
@@ -37,12 +37,12 @@ jobs:
 with:
 path: infra/iac
- - name: cloning iac secrets repository
- uses: actions/checkout@v4
- with:
- repository: fenix-gitea-admin/iac-opentofu-private-secrets
- token: ${{ secrets.GGITEA_TOKEN }}
- path: infra/secrets
+ #- name: cloning iac secrets repository
+ # uses: actions/checkout@v4
+ # with:
+ # repository: fenix-gitea-admin/iac-opentofu-private-secrets
+ # token: ${{ secrets.GGITEA_TOKEN }}
+ # path: infra/secrets
 - name: Install cloudflare prerequisites
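Review bot: With `exit 1` the skip step now fails the whole job for every commit that lacks `[deploy-opentofu]`, while the echo on the line above still announces that the pipeline will be ignored ("será ignorada"), so the gate's message and its behaviour no longer agree. If the goal is to stop the deploy without a red build, keep the step exiting 0 and gate the deploy step itself with `if: contains(gitea.event.head_commit.message, '[deploy-opentofu]')` (or put the condition on the job); if a failed run is genuinely intended, change the message to say so. The enclosing job starts outside the hunk, so I cannot see whether a job-level `if:` already exists.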
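Review bot: The six added lines are the old secrets checkout kept as commented-out YAML, still carrying the `${{ secrets.GGITEA_TOKEN }}` reference; git history already preserves the removed step, so delete the block rather than commenting it out. Note also that the removed checkout placed the secrets at `infra/secrets`, whereas the new vaultwarden step in the later hunk writes under `iac/secrets/` relative to `infra` (i.e. `infra/iac/secrets/`); any later step that still reads `infra/secrets` would now find nothing, which is worth confirming since those steps are outside this hunk.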
@@ -125,6 +125,28 @@ jobs:
 run: |
 BW_SESSION=$(bw login)
+
+ #!/bin/bash
+
+ - name: vaultwarden getsecrets
+ working-directory: infra
+ run: |
+ bw sync
+ # Ler o arquivo de referência
+ for secret in $(jq -c '.secrets[]' iac/secrets/vault-secrets-map.json); do
+ name=$(echo "$secret" | jq -r '.name')
+ type=$(echo "$secret" | jq -r '.type')
+ output=$(echo "$secret" | jq -r '.output')
+
+ item_id=$(bw get item "$name" | jq -r '.id')
+
+ if [ "$type" == "attachment" ]; then
+ bw get attachment "$output" --itemid "$item_id" --output "$output"
+ elif [ "$type" == "note" ]; then
+ bw get item "$name" | jq -r '.notes' > "$output"
+ fi
+ done
+
 - name: Set up Python
 uses: actions/setup-python@v4
 with:
diff --git a/secrets/vault-secrets-map.json b/secrets/vault-secrets-map.json
new file mode 100644
index 0000000..430175e
--- /dev/null
+++ b/secrets/vault-secrets-map.json
@@ -0,0 +1,19 @@
+{
+ "secrets": [
+ {
+ "name": "iac.opentofu.consul.secrets",
+ "type": "attachment",
+ "output": "iac/secrets/consul.secrets.tfvars"
+ },
+ {
+ "name": "iac.opentofu.proxmox.secrets",
+ "type": "attachment",
+ "output": "iac/secrets/proxmox.secrets.tfvars"
+ },
+ {
+ "name": "iac.opentofu.vaultwarden.secrets",
+ "type": "attachment",
+ "output": "iac/secrets/vaultwarden.secrets.tfvars"
+ }
+ ]
+}
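Review bot: The new `vaultwarden getsecrets` step runs `bw sync` and `bw get` with no session available to it: the `BW_SESSION=$(bw login)` on the context line belongs to the previous step's shell (that step starts outside the hunk), and a plain shell assignment does not carry over to the next step, so as far as the hunk shows the vault is still locked here unless the key is exported through the runner's env file or passed explicitly with `--session`. The loop also has no error handling: without `set -euo pipefail` a failed `bw get item` leaves `item_id` empty, the attachment download fails, and the job carries on to the opentofu steps with a missing tfvars file, so the rewrite below fails fast on a missing item. The stray `#!/bin/bash` added after `BW_SESSION=$(bw login)` is a no-op wherever it lands (a trailing comment of that script, or a YAML comment) and can be dropped. Since `for secret in $(…)` splits `jq -c` output on whitespace, a `while IFS= read -r` loop is the safer shape should a name ever contain a space.

```yaml
        run: |
          set -euo pipefail
          bw sync
          jq -c '.secrets[]' iac/secrets/vault-secrets-map.json | while IFS= read -r secret; do
            # … unchanged: name/type/output extraction …
            item_id=$(bw get item "$name" | jq -r '.id')
            if [ -z "$item_id" ] || [ "$item_id" = "null" ]; then
              echo "vault item not found: $name" >&2
              exit 1
            fi
            # … unchanged: attachment/note branches …
          done
```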