Merge pull request 'dev' (#257) from dev into main

Reviewed-on: fenix-gitea-admin/iac-opentofu-private#257

.gitea/workflows/ci-test.yaml

@@ -1,12 +1,12 @@
 name: IAC
 
-on: 
+on:
   push:
     branches: [ dev ]
   workflow_dispatch:
- 
+
 jobs:
-  hello: 
+  hello:
     #precisa da imagem costum do opentofu
     runs-on: [ fenix-opentofu ]
     env:
@@ -35,11 +35,6 @@ jobs:
         run: |
           apt-get update -y
 
-      - name: Install setup
-        run: |
-          apt install -y curl jq
-          curl -fsSL https://deb.nodesource.com/setup_18.x
-
       - name: Cloning iac repository
         uses: actions/checkout@v4
         with:
@@ -65,8 +60,7 @@ jobs:
 
       - name: Install dante-server
         run: |
-          apt-get install -y dante-server openssl 
+          apt-get install -y dante-server
-          #libssl1.1
 
 
       - name: Configure dante-server
@@ -91,17 +85,12 @@ jobs:
 
 
       - name: vaultwarden urls as secrets
+        working-directory: 
         run: |
-          echo "config"
-          echo "$VAULTWARDEN_LINK"
           bw config server $VAULTWARDEN_LINK
-          echo "login"
           bw login --apikey
-          echo "session"
           BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
-          echo "$BW_SESSION"
+          
-          echo "getting item"
-          bw get item "iac.proxmox.ssh.link"  --session "$BW_SESSION"
           bw get item "iac.proxmox.ssh.link"  --session "$BW_SESSION"  | jq -r '.notes' > "proxmox-ssh-link.txt"
 
       - name: Start cloudflared Access TCP -> SOCKS5 (background)
@@ -142,7 +131,7 @@ jobs:
         run: |
           pkill danted || true
           danted -f /etc/danted.conf -D > dante.log 2>&1 &
-          sleep 3 
+          sleep 3
           cat dante.log
           
 
@@ -150,7 +139,6 @@ jobs:
         working-directory: infra/iac
         run: |
           BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
-          echo "$BW_SESSION"
           
           # Ler o arquivo de referência
           for secret in $(jq -c '.secrets[]' secrets/vault-secrets-map.json); do
@@ -168,7 +156,6 @@ jobs:
             elif [ "$type" == "note" ]; then
               echo "note get"
               bw get item "$name"  --session "$BW_SESSION"  | jq -r '.notes' > "$output"
-              #cat $output
             fi
           done
 

documentation/Dockerfile

@@ -1,31 +1,23 @@
 FROM ghcr.io/opentofu/opentofu:1.9-minimal AS tofu
 
 FROM ubuntu:24.04
-
+ 
 # Copy the tofu binary
 COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 
-
+# Install dependencies
-# Atualizar pacotes e instalar dependências básicas
 RUN apt-get update && apt-get install -y \
-    curl \
     git \
+    curl \
+    nodejs \
+    npm \
     unzip \
-    jq \
-    gnupg \
-    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-# Instalar Node.js 18 via NodeSource
+RUN curl -L -o /tmp/bw.zip https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip \
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    && unzip /tmp/bw.zip -d /usr/local/bin \
-    apt-get install -y nodejs
+    && chmod +x /usr/local/bin/bw \
+    && rm /tmp/bw.zip
 
-# Verificar versões (opcional para debug)
-RUN node -v && npm -v
-
-
-
-
-RUN npm install -g @bitwarden/cli
 
 WORKDIR /workspace

documentation/start.txt

@@ -5,7 +5,7 @@ https://opentofu.org/docs/intro/ - quick start and explaning who to work in team
 https://opentofu.org/docs/intro/ - CICD for opentofu explained
  
 
- 
+
 tofu init
 tofu plan --var-file=opentofu-varfile.json
 yes

main.tf

@@ -6,7 +6,7 @@ terraform {
     }   
     bitwarden = {
       source  = "maxlaverse/bitwarden"
-      version = ">= 0.16.0"
+      version = ">= 0.15.0"
     } 
     proxmox = {
       source = "bpg/proxmox"

proxmox.tf

@@ -120,10 +120,7 @@ resource "proxmox_virtual_environment_vm" "proxmox-kubernetes-VM-template" {
 
   # Configuração da interface de rede
   network_device {
-    bridge = "vmbr0"  # rede de gestão para comunicação com Cluster A
+    bridge = "vmbr0"
-  }
-  network_device {
-    bridge = "vmbr2"
   }
 
 initialization {
@@ -135,12 +132,6 @@ initialization {
         address = "dhcp"
       }
     }
-
-    ip_config {
-      ipv4 {
-        address = "dhcp"
-      }
-    }
   user_data_file_id = proxmox_virtual_environment_file.cloud_init_yaml.id
  }
 }
@@ -178,12 +169,6 @@ resource "proxmox_virtual_environment_vm" "k8s_vms" {
           gateway = each.value.gateway
         }
       }
-      ip_config {
-        ipv4 {
-          address = each.value.ip2
-          gateway = each.value.gateway
-        }
-      }
 
       user_data_file_id = proxmox_virtual_environment_file.vm_user_data[each.key].id
     }
@@ -192,28 +177,3 @@ resource "proxmox_virtual_environment_vm" "k8s_vms" {
       enabled = true
     }
   }
-
-resource "null_resource" "add_api_ip" {
-  for_each = {
-    for vm in var.proxmox_k8s_vms : vm.name => vm
-  }
-
-  triggers = {
-    vm_id = each.value.vm_id
-  }
-
-  provisioner "remote-exec" {
-    inline = [
-      "sudo ip addr add ${each.value.ip3} dev eth0"
-    ]
-
-    connection {
-      type        = "ssh"
-      host        = split("/", each.value.ip)[0] // remove a máscara para conectar
-      user        = each.value.extra_users[0].name
-      password    = each.value.extra_users[0].password
-      timeout     = "4m"
-      agent       = false
-    }
-  }
-}

proxmox.variables.tf

@@ -40,8 +40,6 @@ variable "proxmox_k8s_vms" {
     vm_id     = number
     node_name  = string
     ip        = string
-    ip2        = string
-    ip3        = string
     cores     = optional(number)
     memory    = optional(number)
     data_store = optional(string)

secrets/vault-secrets-map.json

@@ -1,7 +1,7 @@
 {
   "secrets": [
     { 
-      "name": "iac.opentofu.consul.secrets", 
+      "name": "iac.opentofu.consul.secrets",
       "type": "note",
       "output": "../secrets/secrets/consul.secrets.tfvars"
     },

vaultwarden.tf

@@ -16,13 +16,6 @@ resource "vaultwarden_account_register" "vaultwarden-acount-fenix" {
   password = var.vaultwarden_master_password
 }
 
-resource "bitwarden_item_login" "administrative-user" {
-  name     = "teste"
-  username = "teste"
-  password = "teste"
-  collection_ids  = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
-}
-
 resource "vaultwarden_organization" "vaultwarden-organization-fenix-iac" {
   name = "fenix-iac"
 }
@@ -33,28 +26,9 @@ resource "vaultwarden_organization_collection" "vaultwarden-collection-iac" {
 }
 
 
-resource "bitwarden_item_secure_note" "hosts-ini" {
+resource "bitwarden_item_login" "administrative-user" {
-  name            = "iac.ansible.hosts.ini"
+  name     = "teste"
-  notes           = <<EOT
+  username = "teste"
-  ${local.hosts_ini}
+  password = "teste"
-EOT
-  organization_id = vaultwarden_organization.vaultwarden-organization-fenix-iac.id
   collection_ids  = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
-  reprompt = true 
+}
-}
-
-locals{
-  hosts_ini = <<EOT
-
-[master]
-master1 ansible_host=${split("/", var.proxmox_k8s_vms[0].ip)[0]} ansible_user=${var.proxmox_k8s_vms[0].extra_users[0].name} ansible_ssh_pass=${var.proxmox_k8s_vms[0].extra_users[0].password} ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-
-[workers]
-%{ for i, vm in var.proxmox_k8s_vms ~}
-%{ if i != 0 }
-worker-${replace(split("/", vm.ip)[0], ".", "-")} ansible_host=${split("/", vm.ip)[0]} ansible_user=${vm.extra_users[0].name} ansible_ssh_pass=${vm.extra_users[0].password} ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-%{ endif }  
-%{ endfor }
-
-EOT
-  }