iac-opentofu-public/.gitea/workflows/ci-test.yaml

name: IAC

on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  hello:
    #precisa da imagem costum do opentofu
    runs-on: [ fenix-opentofu ]
    env:
      CONSUL_HTTP_TOKEN: ${{ secrets.CONSUL_HTTP_TOKEN }}
      PM_API_TOKEN_ID: ${{ secrets.PM_API_TOKEN_ID }}
      PM_API_TOKEN_SECRET: ${{ secrets.PM_API_TOKEN_SECRET }}
      BW_EMAIL: ${{ secrets.BW_EMAIL }}
      BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
      
    steps:

      - name: Verificar se commit pede por [deploy-opentofu]
        if: "!contains(gitea.event.head_commit.message, '[deploy-opentofu]')"
        run: |
          echo "Commit não contém [deploy-opentofu], a pipeline será ignorada."
          exit 1

      - name: Executar deploy opentofu
        run: echo "Commit contém [deploy-opentofu], a pipeline será executada."


      - name: Updating apt-get
        run: |
          apt-get update -y

      - name: Cloning iac repository
        uses: actions/checkout@v4
        with:
          path: infra/iac

      - name: cloning iac secrets repository
        uses: actions/checkout@v4
        with:
          repository: fenix-gitea-admin/iac-opentofu-private-secrets
          token: ${{ secrets.GGITEA_TOKEN }}
          path: infra/secrets


      - name: Install cloudflare prerequisites
        run: |
          apt-get install -y curl ca-certificates jq openssh-client net-tools iproute2
      - name: Install cloudflared
        run: |
          # pacote .deb oficial - funcionará numa runner Ubuntu x86_64
          curl -L -o cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
          dpkg -i cloudflared.deb
          cloudflared --version

      - name: Install dante-server
        run: |
          apt-get install -y dante-server


      - name: Configure dante-server
        run: |
          cat <<EOF |  tee /etc/danted.conf
          logoutput: stderr
          internal: 127.0.0.1 port = 1080
          external: lo
          method: none
          clientmethod: none
          client pass {
              from: 0.0.0.0/0 to: 0.0.0.0/0
              log: connect disconnect
          }
          # encaminhar tudo para o listener TCP do cloudflared
          socks pass {
              from: 0.0.0.0/0 to: 0.0.0.0/0
              command: connect udpassociate bind
              log: connect disconnect
          }
          EOF

      - name: Start cloudflared Access TCP -> SOCKS5 (background)
        env:
          CF_SVC_ID: ${{ secrets.CF_SVC_ID }}
          CF_SVC_SECRET: ${{ secrets.CF_SVC_SECRET }}
          HOSTNAME: "proxmox-ssh.fenix-dev.com"
        run: |
          # Inicia cloudflared access tcp/ssh com service token e listener socks local
          # O binário 'cloudflared' tem variações de flags entre versões; estes flags funcionam nas versões recentes.
          nohup cloudflared access tcp \
            --hostname "$HOSTNAME" \
            --listener "tcp://127.0.0.1:1081" \
            --service-token-id "$CF_SVC_ID" \
            --service-token-secret "$CF_SVC_SECRET" \
            > cloudflared.log 2>&1 &

          # espera a porta do listener estar pronta (timeout 30s)
          for i in $(seq 1 30); do
            ss -tnl | grep -q ":1081" && break
            sleep 1
          done

          if ! ss -tnl | grep -q ":1081"; then
            echo "SOCKS listener not ready after 30s, printing cloudflared.log"
            tail -n +1 cloudflared.log
            cat cloudflared.log
            exit 1
          fi

          echo "cloudflared socks listener ready at $SOCKS_LISTENER"
          sleep 1
          # opcional: ver primeiros logs
          tail -n 50 cloudflared.log || true
      
      - name: Start dante-server
        run: |
          pkill danted || true
          danted -f /etc/danted.conf -D > dante.log 2>&1 &
          sleep 3
          cat dante.log
          
      - name: vaultwarden login
        working-directory: infra/iac
        run: |
          BW_SESSION=$(bw login)

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          pip install ruamel.yaml

      - name: Init OpenTofu
        working-directory: infra/iac
        run: |
          tofu init     

      - name: Plan
        working-directory: infra/iac
        run: |
          # Find all .auto.tfvars in the secrets folder
          VAR_FILES=""
          for f in ../secrets/secrets/*.auto.tfvars; do
            VAR_FILES="$VAR_FILES -var-file=$f"
          done
          tofu plan $VAR_FILES -out=./tfplan  | tee ./tfplan.txt

      - name: Upload tfplan to Gitea Packages
        working-directory: infra/iac
        run: |
          curl --user ${{ secrets.GGITEA_USER }}:${{ secrets.GGITEA_TOKEN }} \
            --upload-file ./tfplan.txt \
            https://gitea.fenix-dev.com/api/packages/${{ secrets.GGITEA_USER }}/generic/tofu-plan/${{ github.sha }}/tfplan.txt

      - name: Apply
        working-directory: infra/iac
        run: |
          tofu apply -auto-approve ./tfplan