Compare commits
2 Commits
a7f3b6d7e1
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 870a07b97e | |||
| 2a61b166b4 |
@ -1,12 +1,12 @@
|
|||||||
name: IAC
|
name: IAC
|
||||||
|
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches: [ dev ]
|
branches: [ dev ]
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
hello:
|
hello:
|
||||||
#precisa da imagem costum do opentofu
|
#precisa da imagem costum do opentofu
|
||||||
runs-on: [ fenix-opentofu ]
|
runs-on: [ fenix-opentofu ]
|
||||||
env:
|
env:
|
||||||
@ -35,11 +35,6 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
apt-get update -y
|
apt-get update -y
|
||||||
|
|
||||||
- name: Install setup
|
|
||||||
run: |
|
|
||||||
apt install -y curl jq
|
|
||||||
curl -fsSL https://deb.nodesource.com/setup_18.x
|
|
||||||
|
|
||||||
- name: Cloning iac repository
|
- name: Cloning iac repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
@ -65,8 +60,7 @@ jobs:
|
|||||||
|
|
||||||
- name: Install dante-server
|
- name: Install dante-server
|
||||||
run: |
|
run: |
|
||||||
apt-get install -y dante-server openssl
|
apt-get install -y dante-server
|
||||||
#libssl1.1
|
|
||||||
|
|
||||||
|
|
||||||
- name: Configure dante-server
|
- name: Configure dante-server
|
||||||
@ -91,17 +85,12 @@ jobs:
|
|||||||
|
|
||||||
|
|
||||||
- name: vaultwarden urls as secrets
|
- name: vaultwarden urls as secrets
|
||||||
|
working-directory:
|
||||||
run: |
|
run: |
|
||||||
echo "config"
|
|
||||||
echo "$VAULTWARDEN_LINK"
|
|
||||||
bw config server $VAULTWARDEN_LINK
|
bw config server $VAULTWARDEN_LINK
|
||||||
echo "login"
|
|
||||||
bw login --apikey
|
bw login --apikey
|
||||||
echo "session"
|
|
||||||
BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
|
BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
|
||||||
echo "$BW_SESSION"
|
|
||||||
echo "getting item"
|
|
||||||
bw get item "iac.proxmox.ssh.link" --session "$BW_SESSION"
|
|
||||||
bw get item "iac.proxmox.ssh.link" --session "$BW_SESSION" | jq -r '.notes' > "proxmox-ssh-link.txt"
|
bw get item "iac.proxmox.ssh.link" --session "$BW_SESSION" | jq -r '.notes' > "proxmox-ssh-link.txt"
|
||||||
|
|
||||||
- name: Start cloudflared Access TCP -> SOCKS5 (background)
|
- name: Start cloudflared Access TCP -> SOCKS5 (background)
|
||||||
@ -142,7 +131,7 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
pkill danted || true
|
pkill danted || true
|
||||||
danted -f /etc/danted.conf -D > dante.log 2>&1 &
|
danted -f /etc/danted.conf -D > dante.log 2>&1 &
|
||||||
sleep 3
|
sleep 3
|
||||||
cat dante.log
|
cat dante.log
|
||||||
|
|
||||||
|
|
||||||
@ -150,7 +139,6 @@ jobs:
|
|||||||
working-directory: infra/iac
|
working-directory: infra/iac
|
||||||
run: |
|
run: |
|
||||||
BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
|
BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
|
||||||
echo "$BW_SESSION"
|
|
||||||
|
|
||||||
# Ler o arquivo de referência
|
# Ler o arquivo de referência
|
||||||
for secret in $(jq -c '.secrets[]' secrets/vault-secrets-map.json); do
|
for secret in $(jq -c '.secrets[]' secrets/vault-secrets-map.json); do
|
||||||
@ -168,7 +156,6 @@ jobs:
|
|||||||
elif [ "$type" == "note" ]; then
|
elif [ "$type" == "note" ]; then
|
||||||
echo "note get"
|
echo "note get"
|
||||||
bw get item "$name" --session "$BW_SESSION" | jq -r '.notes' > "$output"
|
bw get item "$name" --session "$BW_SESSION" | jq -r '.notes' > "$output"
|
||||||
#cat $output
|
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
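Review bot: The `working-directory:` key added to the "vaultwarden urls as secrets" step has no value, which YAML reads as null rather than a directory; either give it the intended path, as the later step does with `working-directory: infra/iac`, or drop the line. Separately, the removed "Install setup" step was the only visible place `jq` was installed, yet the new side still runs `jq -r '.notes'` in this step and in the secrets loop, and the Dockerfile hunk in this same commit also drops `jq` from its apt-get list; unless jq is installed on a line outside these hunks, the custom runner image no longer provides it. The step's run block continues outside the hunk.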
|||||||
@ -1,31 +1,23 @@
|
|||||||
FROM ghcr.io/opentofu/opentofu:1.9-minimal AS tofu
|
FROM ghcr.io/opentofu/opentofu:1.9-minimal AS tofu
|
||||||
|
|
||||||
FROM ubuntu:24.04
|
FROM ubuntu:24.04
|
||||||
|
|
||||||
# Copy the tofu binary
|
# Copy the tofu binary
|
||||||
COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
|
COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
|
||||||
|
|
||||||
|
# Install dependencies
|
||||||
# Atualizar pacotes e instalar dependências básicas
|
|
||||||
RUN apt-get update && apt-get install -y \
|
RUN apt-get update && apt-get install -y \
|
||||||
curl \
|
|
||||||
git \
|
git \
|
||||||
|
curl \
|
||||||
|
nodejs \
|
||||||
|
npm \
|
||||||
unzip \
|
unzip \
|
||||||
jq \
|
|
||||||
gnupg \
|
|
||||||
ca-certificates \
|
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Instalar Node.js 18 via NodeSource
|
RUN curl -L -o /tmp/bw.zip https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip \
|
||||||
RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
|
&& unzip /tmp/bw.zip -d /usr/local/bin \
|
||||||
apt-get install -y nodejs
|
&& chmod +x /usr/local/bin/bw \
|
||||||
|
&& rm /tmp/bw.zip
|
||||||
|
|
||||||
# Verificar versões (opcional para debug)
|
|
||||||
RUN node -v && npm -v
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
RUN npm install -g @bitwarden/cli
|
|
||||||
|
|
||||||
WORKDIR /workspace
|
WORKDIR /workspace
|
||||||
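Review bot: The new `RUN curl -L -o /tmp/bw.zip https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip` fetches an executable that ends up on the runner's PATH without any integrity check, so a tampered or substituted release asset would be installed silently; pin the expected SHA-256 of the archive and fail the build if it does not match. The `curl` call also lacks `-f`, so an HTTP error page would be saved as bw.zip and only surface as an unzip failure later. Note that `ca-certificates` is dropped from the apt-get list in this hunk while the download is over HTTPS, and `jq` is dropped while the workflow in this commit still calls it; both may be pulled in transitively, but worth confirming on the built image.

```dockerfile
# … unchanged: FROM lines, COPY of tofu, apt-get install …
# Pin the release archive; replace the placeholder with the published SHA-256 for v1.22.1
RUN curl -fsSL -o /tmp/bw.zip https://github.com/bitwarden/cli/releases/download/v1.22.1/bw-linux-1.22.1.zip \
    && echo "<EXPECTED_SHA256_OF_bw-linux-1.22.1.zip>  /tmp/bw.zip" | sha256sum -c - \
    && unzip /tmp/bw.zip -d /usr/local/bin \
    && chmod +x /usr/local/bin/bw \
    && rm /tmp/bw.zip
# … unchanged: WORKDIR /workspace …
```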
@ -5,7 +5,7 @@ https://opentofu.org/docs/intro/ - quick start and explaning who to work in team
|
|||||||
https://opentofu.org/docs/intro/ - CICD for opentofu explained
|
https://opentofu.org/docs/intro/ - CICD for opentofu explained
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
tofu init
|
tofu init
|
||||||
tofu plan --var-file=opentofu-varfile.json
|
tofu plan --var-file=opentofu-varfile.json
|
||||||
yes
|
yes
|
||||||
|
|||||||
2
main.tf
2
main.tf
@ -6,7 +6,7 @@ terraform {
|
|||||||
}
|
}
|
||||||
bitwarden = {
|
bitwarden = {
|
||||||
source = "maxlaverse/bitwarden"
|
source = "maxlaverse/bitwarden"
|
||||||
version = ">= 0.16.0"
|
version = ">= 0.15.0"
|
||||||
}
|
}
|
||||||
proxmox = {
|
proxmox = {
|
||||||
source = "bpg/proxmox"
|
source = "bpg/proxmox"
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
from ruamel.yaml import YAML
|
from ruamel.yaml import YAML
|
||||||
import sys
|
import sys
|
||||||
import json
|
import json
|
||||||
from collections.abc import Mapping
|
from collections.abc import Mapping
|
||||||
|
|||||||
@ -120,7 +120,7 @@ resource "proxmox_virtual_environment_vm" "proxmox-kubernetes-VM-template" {
|
|||||||
|
|
||||||
# Configuração da interface de rede
|
# Configuração da interface de rede
|
||||||
network_device {
|
network_device {
|
||||||
bridge = "vmbr0" # rede de gestão para comunicação com Cluster A
|
bridge = "vmbr0"
|
||||||
}
|
}
|
||||||
|
|
||||||
initialization {
|
initialization {
|
||||||
@ -132,7 +132,6 @@ initialization {
|
|||||||
address = "dhcp"
|
address = "dhcp"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
user_data_file_id = proxmox_virtual_environment_file.cloud_init_yaml.id
|
user_data_file_id = proxmox_virtual_environment_file.cloud_init_yaml.id
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -40,8 +40,6 @@ variable "proxmox_k8s_vms" {
|
|||||||
vm_id = number
|
vm_id = number
|
||||||
node_name = string
|
node_name = string
|
||||||
ip = string
|
ip = string
|
||||||
ip2 = string
|
|
||||||
ip3 = string
|
|
||||||
cores = optional(number)
|
cores = optional(number)
|
||||||
memory = optional(number)
|
memory = optional(number)
|
||||||
data_store = optional(string)
|
data_store = optional(string)
|
||||||
|
|||||||
@ -1,7 +1,7 @@
|
|||||||
{
|
{
|
||||||
"secrets": [
|
"secrets": [
|
||||||
{
|
{
|
||||||
"name": "iac.opentofu.consul.secrets",
|
"name": "iac.opentofu.consul.secrets",
|
||||||
"type": "note",
|
"type": "note",
|
||||||
"output": "../secrets/secrets/consul.secrets.tfvars"
|
"output": "../secrets/secrets/consul.secrets.tfvars"
|
||||||
},
|
},
|
||||||
|
|||||||
@ -16,13 +16,6 @@ resource "vaultwarden_account_register" "vaultwarden-acount-fenix" {
|
|||||||
password = var.vaultwarden_master_password
|
password = var.vaultwarden_master_password
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "bitwarden_item_login" "administrative-user" {
|
|
||||||
name = "teste"
|
|
||||||
username = "teste"
|
|
||||||
password = "teste"
|
|
||||||
collection_ids = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vaultwarden_organization" "vaultwarden-organization-fenix-iac" {
|
resource "vaultwarden_organization" "vaultwarden-organization-fenix-iac" {
|
||||||
name = "fenix-iac"
|
name = "fenix-iac"
|
||||||
}
|
}
|
||||||
@ -33,28 +26,9 @@ resource "vaultwarden_organization_collection" "vaultwarden-collection-iac" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
resource "bitwarden_item_secure_note" "hosts-ini" {
|
resource "bitwarden_item_login" "administrative-user" {
|
||||||
name = "iac.ansible.hosts.ini"
|
name = "teste"
|
||||||
notes = <<EOT
|
username = "teste"
|
||||||
${local.hosts_ini}
|
password = "teste"
|
||||||
EOT
|
|
||||||
organization_id = vaultwarden_organization.vaultwarden-organization-fenix-iac.id
|
|
||||||
collection_ids = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
|
collection_ids = [vaultwarden_organization_collection.vaultwarden-collection-iac.id]
|
||||||
reprompt = true
|
}
|
||||||
}
|
|
||||||
|
|
||||||
locals{
|
|
||||||
hosts_ini = <<EOT
|
|
||||||
|
|
||||||
[master]
|
|
||||||
master1 ansible_host=${split("/", var.proxmox_k8s_vms[0].ip)[0]} ansible_user=${var.proxmox_k8s_vms[0].extra_users[0].name} ansible_ssh_pass=${var.proxmox_k8s_vms[0].extra_users[0].password} ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
|
||||||
|
|
||||||
[workers]
|
|
||||||
%{ for i, vm in var.proxmox_k8s_vms ~}
|
|
||||||
%{ if i != 0 }
|
|
||||||
worker-${replace(split("/", vm.ip)[0], ".", "-")} ansible_host=${split("/", vm.ip)[0]} ansible_user=${vm.extra_users[0].name} ansible_ssh_pass=${vm.extra_users[0].password} ansible_ssh_common_args='-o StrictHostKeyChecking=no'
|
|
||||||
%{ endif }
|
|
||||||
%{ endfor }
|
|
||||||
|
|
||||||
EOT
|
|
||||||
}
|
|
||||||
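Review bot: The re-added `bitwarden_item_login "administrative-user"` block keeps `username = "teste"` and `password = "teste"` as literals, so a credential is committed to source, stored in Terraform state and will stay in git history even after it is rotated; replace the literal with a `sensitive = true` variable or a `random_password` resource, e.g. `password = var.administrative_user_password`. The block also sets `collection_ids` without an `organization_id`, unlike the removed `hosts-ini` secure note which set both; if the provider requires the organization when collections are given, apply will fail here. The `resource` block is fully visible in the hunk, but the variables file it would reference is not.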