name: IAC

on: 
  push:
    branches: [ dev ]
  workflow_dispatch:
 
jobs:
  hello: 
    #precisa da imagem costum do opentofu
    runs-on: [ fenix-opentofu ]
    env:
      CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }}
      PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }}
      PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
      BW_EMAIL: ${{ secrets.BW_EMAIL }}
      BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
      BW_CLIENTID: ${{ secrets.BW_CLIENTID }}
      BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }}
      VAULTWARDEN_LINK: ${{secrets.VAULTWARDEN_LINK }}
      
    steps:

      - name: Verificar se commit pede por [deploy-opentofu]
        if: "!contains(gitea.event.head_commit.message, '[deploy-opentofu]')"
        run: |
          echo "Commit não contém [deploy-opentofu], a pipeline será ignorada."
          exit 1

      - name: Executar deploy opentofu
        run: echo "Commit contém [deploy-opentofu], a pipeline será executada."


      - name: Updating apt-get
        run: |
          apt-get update -y

      - name: Install setup
        run: |
          apt install -y curl jq
          curl -fsSL https://deb.nodesource.com/setup_18.x

      - name: Cloning iac repository
        uses: actions/checkout@v4
        with:
          path: infra/iac

      #- name: cloning iac secrets repository
      #  uses: actions/checkout@v4
      #  with:
      #    repository: fenix-gitea-admin/iac-opentofu-private-secrets
      #    token: ${{ secrets.GGITEA_TOKEN }}
      #    path: infra/secrets


      - name: Install cloudflare prerequisites
        run: |
          apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
      - name: Install cloudflared
        run: |
          # pacote .deb oficial - funcionará numa runner Ubuntu x86_64
          curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
          dpkg -i cloudflared.deb
          cloudflared --version

      - name: Install dante-server
        run: |
          apt-get install -y dante-server openssl libssl1.1


      - name: Configure dante-server
        run: |
          cat <<EOF |  tee /etc/danted.conf
          logoutput: stderr
          internal: 127.0.0.1 port = 1080
          external: lo
          method: none
          clientmethod: none
          client pass {
              from: 0.0.0.0/0 to: 0.0.0.0/0
              log: connect disconnect
          }
          # encaminhar tudo para o listener TCP do cloudflared
          socks pass {
              from: 0.0.0.0/0 to: 0.0.0.0/0
              command: connect udpassociate bind
              log: connect disconnect
          }
          EOF


      - name: vaultwarden urls as secrets
        run: |
          echo "config"
          bw config server $VAULTWARDEN_LINK
          echo "login"
          bw login --apikey
          echo "session"
          BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
          echo "$BW_SESSION"
          echo "getting item"
          bw get item "iac.proxmox.ssh.link"  --session "$BW_SESSION"  | jq -r '.notes' > "proxmox-ssh-link.txt"

      - name: Start cloudflared Access TCP -> SOCKS5 (background)
        env:
          CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
          CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
        run: |
          Hostname=$(cat proxmox-ssh-link.txt)

          # Inicia cloudflared access tcp/ssh com service token e listener socks local
          # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
          nohup cloudflared access tcp \
            --hostname "$Hostname" \
            --listener "tcp://127.0.0.1:1081" \
            --service-token-id "$CF_SVC_ID" \
            --service-token-secret "$CF_SVC_SECRET" \
            > cloudflared.log 2>&1 &

          # espera a porta do listener estar pronta (timeout 30s)
          for i in $(seq 1 30); do
            ss -tnl | grep -q ":1081" && break
            sleep 1
          done

          if ! ss -tnl | grep -q ":1081"; then
            echo "SOCKS listener not ready after 30s, printing cloudflared.log"
            tail -n +1 cloudflared.log
            cat cloudflared.log
            exit 1
          fi

          echo "cloudflared socks listener ready at $SOCKS_LISTENER"
          sleep 1
          # opcional: ver primeiros logs
          tail -n 50 cloudflared.log || true
      
      - name: Start dante-server
        run: |
          pkill danted || true
          danted -f /etc/danted.conf -D > dante.log 2>&1 &
          sleep 3 
          cat dante.log
          

      - name: vaultwarden getsecrets
        working-directory: infra/iac
        run: |
          BW_SESSION=$(bw unlock "$BW_PASSWORD" --raw)
          echo "$BW_SESSION"
          
          # Ler o arquivo de referência
          for secret in $(jq -c '.secrets[]' secrets/vault-secrets-map.json); do
            name=$(echo "$secret" | jq -r '.name')
            type=$(echo "$secret" | jq -r '.type')
            output=$(echo "$secret" | jq -r '.output')
            echo "$name $type $output"
            item_id=$(bw get item "$name"  | jq -r '.id')
            echo "$item_id"
            mkdir -p "$(dirname "$output")"
            echo "dir made"
            if [ "$type" == "attachment" ]; then
              echo "attachment get"
              bw get attachment "$output" --itemid "$item_id" --output "$output"  --session "$BW_SESSION" 
            elif [ "$type" == "note" ]; then
              echo "note get"
              bw get item "$name"  --session "$BW_SESSION"  | jq -r '.notes' > "$output"
              cat $output
            fi
          done

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          pip install ruamel.yaml

      - name: Init OpenTofu
        working-directory: infra/iac
        run: |
          tofu init     

      - name: Plan
        working-directory: infra/iac
        run: |
          # Find all .tfvars in the secrets folder
          VAR_FILES=""
          ls -la ../secrets/secrets
          for f in ../secrets/secrets/*.tfvars; do
            echo "found - $f"
            VAR_FILES="$VAR_FILES -var-file=$f"
          done
          tofu plan $VAR_FILES -out=./tfplan  | tee ./tfplan.txt

      - name: Upload tfplan to Gitea Packages
        working-directory: infra/iac
        run: |
          curl --user ${{ secrets.GGITEA_USER }}:${{ secrets.GGITEA_TOKEN }} \
            --upload-file ./tfplan.txt \
            https://gitea.fenix-dev.com/api/packages/${{ secrets.GGITEA_USER }}/generic/tofu-plan/${{ github.sha }}/tfplan.txt

      - name: Apply
        working-directory: infra/iac
        run: |
          tofu apply -auto-approve ./tfplan