secrets

[deploy-opentofu]

.gitea/workflows/ci-test.yaml

@@ -1,12 +1,12 @@
 name: IAC
 
-on:
+on: 
   push:
-    branches: [ main ]
+    branches: [ dev ]
   workflow_dispatch:
-
+ 
 jobs:
-  hello:
+  hello: 
     #precisa da imagem costum do opentofu
     runs-on: [ fenix-opentofu ]
     env:
@@ -17,6 +17,7 @@ jobs:
       BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
       BW_CLIENTID: ${{ secrets.BW_CLIENTID }}
       BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }}
+      VAULTWARDEN_LINK: ${{secrets.VAULTWARDEN_LINK }}
       
     steps:
 
@@ -34,6 +35,11 @@ jobs:
         run: |
           apt-get update -y
 
+      - name: Install setup
+        run: |
+          apt install -y curl jq
+          curl -fsSL https://deb.nodesource.com/setup_18.x
+
       - name: Cloning iac repository
         uses: actions/checkout@v4
         with:
@@ -59,7 +65,8 @@ jobs:
 
       - name: Install dante-server
         run: |
-          apt-get install -y dante-server
+          apt-get install -y dante-server openssl 
+          #libssl1.1
 
 
       - name: Configure dante-server
@@ -82,16 +89,32 @@ jobs:
           }
           EOF
 
+
+      - name: vaultwarden urls as secrets
+        run: |
+          echo "config"
+          echo "$VAULTWARDEN_LINK"
+          bw config server $VAULTWARDEN_LINK
+          echo "login"
+          bw login --apikey
+          echo "session"
+          BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
+          echo "$BW_SESSION"
+          echo "getting item"
+          bw get item "iac.proxmox.ssh.link"  --session "$BW_SESSION"
+          bw get item "iac.proxmox.ssh.link"  --session "$BW_SESSION"  | jq -r '.notes' > "proxmox-ssh-link.txt"
+
       - name: Start cloudflared Access TCP -> SOCKS5 (background)
         env:
           CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
           CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
-          HOSTNAME: "proxmox-ssh.fenix-dev.com"
         run: |
+          Hostname=$(cat proxmox-ssh-link.txt)
+
           # Inicia cloudflared access tcp/ssh com service token e listener socks local
           # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
           nohup cloudflared access tcp \
-            --hostname "$HOSTNAME" \
+            --hostname "$Hostname" \
             --listener "tcp://127.0.0.1:1081" \
             --service-token-id "$CF_SVC_ID" \
             --service-token-secret "$CF_SVC_SECRET" \
@@ -119,24 +142,15 @@ jobs:
         run: |
           pkill danted || true
           danted -f /etc/danted.conf -D > dante.log 2>&1 &
-          sleep 3
+          sleep 3 
           cat dante.log
           
-      #- name: vaultwarden login
-      #  working-directory: infra/iac
-      #  run: |
-      #    bw config server https://vaultwarden.fenix-dev.com
-      #    #BW_SESSION=$(bw login)
-      #    bw login --apikey
-      #    BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
-          
 
       - name: vaultwarden getsecrets
         working-directory: infra/iac
         run: |
-          bw config server https://vaultwarden.fenix-dev.com
-          bw login --apikey
           BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
+          echo "$BW_SESSION"
           
           # Ler o arquivo de referência
           for secret in $(jq -c '.secrets[]' secrets/vault-secrets-map.json); do
@@ -154,6 +168,7 @@ jobs:
             elif [ "$type" == "note" ]; then
               echo "note get"
               bw get item "$name"  --session "$BW_SESSION"  | jq -r '.notes' > "$output"
+              #cat $output
             fi
           done
 

LICENSE

@@ -0,0 +1,18 @@
+MIT License
+
+Copyright (c) 2025 fenix-gitea-admin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 
+associated documentation files (the "Software"), to deal in the Software without restriction, including 
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the 
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial 
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT 
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO 
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE 
+USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1 @@
+the most stable branch is main, dev is where tests are made, and the remaining branches are personal and can undergo changes at any time 

documentation/Dockerfile

@@ -1,23 +1,31 @@
 FROM ghcr.io/opentofu/opentofu:1.9-minimal AS tofu
 
 FROM ubuntu:24.04
- 
+
 # Copy the tofu binary
 COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
 
-# Install dependencies
+
+# Atualizar pacotes e instalar dependências básicas
 RUN apt-get update && apt-get install -y \
-    git \
     curl \
-    nodejs \
-    npm \
+    git \
     unzip \
+    jq \
+    gnupg \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-RUN curl -L -o /tmp/bw.zip https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip \
-    && unzip /tmp/bw.zip -d /usr/local/bin \
-    && chmod +x /usr/local/bin/bw \
-    && rm /tmp/bw.zip
+# Instalar Node.js 18 via NodeSource
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt-get install -y nodejs
 
+# Verificar versões (opcional para debug)
+RUN node -v && npm -v
+
+
+
+
+RUN npm install -g @bitwarden/cli
 
 WORKDIR /workspace

documentation/start.txt

@@ -5,7 +5,7 @@ https://opentofu.org/docs/intro/ - quick start and explaning who to work in team
 https://opentofu.org/docs/intro/ - CICD for opentofu explained
  
 
-
+ 
 tofu init
 tofu plan --var-file=opentofu-varfile.json
 yes

main.tf

@@ -6,7 +6,7 @@ terraform {
     }   
     bitwarden = {
       source  = "maxlaverse/bitwarden"
-      version = ">= 0.15.0"
+      version = ">= 0.16.0"
     } 
     proxmox = {
       source = "bpg/proxmox"

merge_yaml.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-from ruamel.yaml import YAML
+from ruamel.yaml import YAML 
 import sys
 import json
 from collections.abc import Mapping

proxmox.tf

@@ -120,7 +120,7 @@ resource "proxmox_virtual_environment_vm" "proxmox-kubernetes-VM-template" {
 
   # Configuração da interface de rede
   network_device {
-    bridge = "vmbr0"
+    bridge = "vmbr0"  # rede de gestão para comunicação com Cluster A
   }
 
 initialization {
@@ -132,6 +132,7 @@ initialization {
         address = "dhcp"
       }
     }
+
   user_data_file_id = proxmox_virtual_environment_file.cloud_init_yaml.id
  }
 }

proxmox.variables.tf

@@ -40,6 +40,8 @@ variable "proxmox_k8s_vms" {
     vm_id     = number
     node_name  = string
     ip        = string
+    ip2        = string
+    ip3        = string
     cores     = optional(number)
     memory    = optional(number)
     data_store = optional(string)

secrets-output/iac.ansible.hosts.ini

@@ -0,0 +1,13 @@
+  
+[master]
+master1 ansible_host=192.168.1.99 ansible_user=user ansible_ssh_pass=pass ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[workers]
+  
+
+worker-192-168-1-101 ansible_host=192.168.1.101 ansible_user=user ansible_ssh_pass=pass ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+  
+  
+
+
+

secrets/iac.proxmox.ssh.link

@@ -0,0 +1 @@
+proxmox-ssh.example.com

secrets/iac.vaultwarden-link

@@ -0,0 +1 @@
+https://vaultwarden.example.com

secrets/proxmox.secrets.tfvars

@@ -1,5 +1,60 @@
-proxmox_server   = "proxmox.example.com"
-PM_API_TOKEN_ID  = "tokenid"
-PM_API_TOKEN_SECRET = "tokensecret"
+#proxmox_server   = "proxmox.example.com"
+#PM_API_TOKEN_ID  = "tokenid"
+#PM_API_TOKEN_SECRET = "tokensecret"
 # tokenid is read automatically from PM_API_TOKEN_ID
-# token is read automatically from PM_API_TOKEN_SECRET
+# token is read automatically from PM_API_TOKEN_SECRET
+
+
+
+proxmox_server   = "https://proxmox.example.com:443/api2/json"
+proxmox_apikey   = "user@pam!token=fdjkdslfjdsflkj"
+proxmox_server_ssh = "127.0.0.1:1080"
+proxmox_username_ssh = "user"
+proxmox_password_ssh = "password"
+# tokenid is read automatically from PM_API_TOKEN_ID
+# token is read automatically from PM_API_TOKEN_SECRET
+
+proxmox_k8s_vms = [
+  {
+    name      = "k8s-master-01"
+    vm_id     = 3001
+    node_name = "node"
+    ip        = "192.168.1.99/24"
+    ip3       = "192.168.1.199/24"
+    cores     = 2
+    memory    = 2000
+    disk_size = 32
+    data_store = "local-lvm"
+    gateway = "192.168.1.1"
+    extra_users = [
+      {
+        name  = "user"
+        password  = "pass"
+        groups = ["sudo"]
+      }
+    ]
+    extra_packages = []
+    extra_runcmd   = ["sudo ip addr add 192.168.1.199/24 dev eth0"]
+  },
+  {
+    name      = "k8s-worker-01"
+    vm_id     = 3002
+    node_name = "node"
+    ip        = "192.168.1.101/24"
+    ip3       = "192.168.1.201/24"
+    cores     = 1
+    memory    = 2000
+    disk_size = 32
+    data_store = "local-lvm"
+    gateway = "192.168.1.1"
+    extra_users = [
+      {
+        name  = "user"
+        password  = "pass"
+        groups = ["sudo"]
+      }
+    ]
+    extra_packages = []
+    extra_runcmd   = ["sudo ip addr add 192.168.1.201/24 dev eth0"]
+  },
+]

secrets/vault-secrets-map.json

@@ -1,7 +1,7 @@
 {
   "secrets": [
     { 
-      "name": "iac.opentofu.consul.secrets",
+      "name": "iac.opentofu.consul.secrets", 
       "type": "note",
       "output": "../secrets/secrets/consul.secrets.tfvars"
     },

secrets/vaultwarden.secrets.tfvars

@@ -3,4 +3,6 @@ vaultwarden_email    = "admin@example.com"
 vaultwarden_master_password = "SuperSecretMasterPassword"
 vaultwarden_admin_token = "tokenadmin"
 vaultwarden_client_id = "clientid"
-vaultwarden_client_secret = "clientsecret" 
+vaultwarden_client_secret = "clientsecret" 
+# email is read automatically from BW_EMAIL
+# password is read automatically from BW_PASSWORD

vaultwarden.tf

@@ -16,6 +16,13 @@ resource "vaultwarden_account_register" "vaultwarden-acount-fenix" {
   password = var.vaultwarden_master_password
 }
 
+resource "bitwarden_item_login" "administrative-user" {
+  name     = "teste"
+  username = "teste"
+  password = "teste"
+  collection_ids  = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
+}
+
 resource "vaultwarden_organization" "vaultwarden-organization-fenix-iac" {
   name = "fenix-iac"
 }
@@ -26,9 +33,28 @@ resource "vaultwarden_organization_collection" "vaultwarden-collection-iac" {
 }
 
 
-resource "bitwarden_item_login" "administrative-user" {
-  name     = "teste"
-  username = "teste"
-  password = "teste"
+resource "bitwarden_item_secure_note" "hosts-ini" {
+  name            = "iac.ansible.hosts.ini"
+  notes           = <<EOT
+  ${local.hosts_ini}
+EOT
+  organization_id = vaultwarden_organization.vaultwarden-organization-fenix-iac.id
   collection_ids  = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
-}
+  reprompt = true 
+}
+
+locals{
+  hosts_ini = <<EOT
+
+[master]
+master1 ansible_host=${split("/", var.proxmox_k8s_vms[0].ip)[0]} ansible_user=${var.proxmox_k8s_vms[0].extra_users[0].name} ansible_ssh_pass=${var.proxmox_k8s_vms[0].extra_users[0].password} ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+
+[workers]
+%{ for i, vm in var.proxmox_k8s_vms ~}
+%{ if i != 0 }
+worker-${replace(split("/", vm.ip)[0], ".", "-")} ansible_host=${split("/", vm.ip)[0]} ansible_user=${vm.extra_users[0].name} ansible_ssh_pass=${vm.extra_users[0].password} ansible_ssh_common_args='-o StrictHostKeyChecking=no'
+%{ endif }  
+%{ endfor }
+
+EOT
+  }