
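# Gitea Actions workflow: plans and applies the OpenTofu infrastructure.
# Runs on pushes to `dev` whose commit message carries "[deploy-opentofu]"
# (or on manual dispatch). Proxmox is reached through a Cloudflare Access TCP
# tunnel; secrets are fetched from Vaultwarden with the Bitwarden CLI (`bw`).
name: IAC
on:
  push:
    branches: [dev]
  workflow_dispatch:
jobs:
  hello:
    # Needs the custom OpenTofu runner image.
    runs-on: [fenix-opentofu]
    env:
      CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }}
      PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }}
      PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
      BW_EMAIL: ${{ secrets.BW_EMAIL }}
      BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
      # `bw login --apikey` reads the client id/secret from these two variables.
      BW_CLIENTID: ${{ secrets.BW_CLIENTID }}
      BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }}
      VAULTWARDEN_LINK: ${{ secrets.VAULTWARDEN_LINK }}
    steps:
      - name: Verificar se commit pede por [deploy-opentofu]
        # Gate: fail fast unless the pushed commit asks for a deploy. Manual runs
        # presumably carry no head_commit to inspect, so they are not gated.
        if: "gitea.event_name != 'workflow_dispatch' && !contains(gitea.event.head_commit.message, '[deploy-opentofu]')"
        run: |
          echo "Commit não contém [deploy-opentofu], a pipeline será ignorada."
          exit 1
      - name: Executar deploy opentofu
        run: echo "Commit contém [deploy-opentofu], a pipeline será executada."
      - name: Updating apt-get
        run: |
          apt-get update -y
      - name: Cloning iac repository
        # NOTE(review): pinning actions to a commit SHA instead of a floating tag
        # keeps the runner's supply chain reproducible.
        uses: actions/checkout@v4
        with:
          path: infra/iac
      #- name: cloning iac secrets repository
      #  uses: actions/checkout@v4
      #  with:
      #    repository: fenix-gitea-admin/iac-opentofu-private-secrets
      #    token: ${{ secrets.GGITEA_TOKEN }}
      #    path: infra/secrets
      - name: Install cloudflare prerequisites
        run: |
          apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
      - name: Install cloudflared
        run: |
          # Official .deb package - works on an Ubuntu x86_64 runner.
          # --fail turns an HTTP error into a step failure instead of handing an
          # error page to dpkg. The package is not integrity-checked here; pinning
          # a release and verifying its published checksum would close that gap.
          curl --fail -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
          dpkg -i cloudflared.deb
          cloudflared --version
      - name: Install dante-server
        run: |
          apt-get install -y dante-server
      - name: Configure dante-server
        run: |
          # Local-only SOCKS5 on 127.0.0.1:1080, bound to lo, no authentication.
          cat <<EOF | tee /etc/danted.conf
          logoutput: stderr
          internal: 127.0.0.1 port = 1080
          external: lo
          method: none
          clientmethod: none
          client pass {
          from: 0.0.0.0/0 to: 0.0.0.0/0
          log: connect disconnect
          }
          # encaminhar tudo para o listener TCP do cloudflared
          socks pass {
          from: 0.0.0.0/0 to: 0.0.0.0/0
          command: connect udpassociate bind
          log: connect disconnect
          }
          EOF
      - name: vaultwarden urls as secrets
        # Runs in the workspace root; the cloudflared step below reads the
        # output file from the same directory.
        run: |
          bw config server "$VAULTWARDEN_LINK"
          bw login --apikey
          # --passwordenv keeps the master password out of the process list.
          BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
          echo "getting item"
          bw get item "iac.proxmox.ssh.link" --session "$BW_SESSION" | jq -r '.notes' > "proxmox-ssh-link.txt"
      - name: Start cloudflared Access TCP -> SOCKS5 (background)
        env:
          CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
          CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
          SOCKS_PORT: "1081"
        run: |
          Hostname=$(cat proxmox-ssh-link.txt)
          # Single source for the listener address; the readiness check and the
          # status message below both derive from it.
          SOCKS_LISTENER="tcp://127.0.0.1:$SOCKS_PORT"
          # Start cloudflared access tcp with the service token and a local listener.
          # cloudflared flags vary between versions; these work on recent releases.
          nohup cloudflared access tcp \
            --hostname "$Hostname" \
            --listener "$SOCKS_LISTENER" \
            --service-token-id "$CF_SVC_ID" \
            --service-token-secret "$CF_SVC_SECRET" \
            > cloudflared.log 2>&1 &
          # Wait for the listener port to be ready (30s timeout).
          for _ in $(seq 1 30); do
            ss -tnl | grep -q ":$SOCKS_PORT" && break
            sleep 1
          done
          if ! ss -tnl | grep -q ":$SOCKS_PORT"; then
            echo "SOCKS listener not ready after 30s, printing cloudflared.log"
            cat cloudflared.log
            exit 1
          fi
          echo "cloudflared socks listener ready at $SOCKS_LISTENER"
          sleep 1
          # Optional: show the first log lines.
          tail -n 50 cloudflared.log || true
      - name: Start dante-server
        run: |
          pkill danted || true
          danted -f /etc/danted.conf -D > dante.log 2>&1 &
          sleep 3
          cat dante.log
      - name: vaultwarden getsecrets
        working-directory: infra/iac
        run: |
          BW_SESSION=$(bw unlock --passwordenv BW_PASSWORD --raw)
          # Read the reference file: each entry names a vault item, its type and
          # the path the secret is written to. One entry per array element so
          # JSON containing whitespace is not split by the shell.
          mapfile -t entries < <(jq -c '.secrets[]' secrets/vault-secrets-map.json)
          for secret in "${entries[@]}"; do
            name=$(echo "$secret" | jq -r '.name')
            type=$(echo "$secret" | jq -r '.type')
            output=$(echo "$secret" | jq -r '.output')
            echo "$name $type $output"
            # BW_SESSION is a shell variable, not exported: every bw call must
            # receive it explicitly via --session.
            item_id=$(bw get item "$name" --session "$BW_SESSION" | jq -r '.id')
            echo "$item_id"
            mkdir -p "$(dirname "$output")"
            echo "dir made"
            if [ "$type" = "attachment" ]; then
              echo "attachment get"
              bw get attachment "$output" --itemid "$item_id" --output "$output" --session "$BW_SESSION"
            elif [ "$type" = "note" ]; then
              echo "note get"
              bw get item "$name" --session "$BW_SESSION" | jq -r '.notes' > "$output"
            fi
          done
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install dependencies
        run: |
          pip install ruamel.yaml
      - name: Init OpenTofu
        working-directory: infra/iac
        run: |
          tofu init
      - name: Plan
        working-directory: infra/iac
        run: |
          # Without pipefail a failed plan would be masked by `tee` and the job
          # would carry on to the upload and apply steps.
          set -o pipefail
          # Find all .tfvars in the secrets folder; an array keeps paths with
          # spaces intact, and the existence test skips an unmatched glob.
          var_files=()
          ls -la ../secrets/secrets
          for f in ../secrets/secrets/*.tfvars; do
            [ -e "$f" ] || continue
            echo "found - $f"
            var_files+=("-var-file=$f")
          done
          tofu plan "${var_files[@]}" -out=./tfplan | tee ./tfplan.txt
      - name: Upload tfplan to Gitea Packages
        working-directory: infra/iac
        env:
          PKG_USER: ${{ secrets.GGITEA_USER }}
          PKG_TOKEN: ${{ secrets.GGITEA_TOKEN }}
          PLAN_SHA: ${{ github.sha }}
        run: |
          # Credentials arrive through env rather than ${{ }} interpolation, so
          # shell-special characters in the token cannot break the command line;
          # --fail makes a rejected upload fail the step instead of continuing.
          curl --fail --user "$PKG_USER:$PKG_TOKEN" \
            --upload-file ./tfplan.txt \
            "https://gitea.fenix-dev.com/api/packages/$PKG_USER/generic/tofu-plan/$PLAN_SHA/tfplan.txt"
      - name: Apply
        working-directory: infra/iac
        run: |
          tofu apply -auto-approve ./tfplan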