From 17e99db64127475a1390433d9fd25dbecfbe8857 Mon Sep 17 00:00:00 2001 From: Gabriel Radureau Date: Sat, 3 Jan 2026 12:44:27 +0100 Subject: [PATCH] runner image and setup for gitea workflow with self signed cert --- .../arcodange/factory/playbooks/03_cicd.yml | 447 ++++++++++-------- .../arcodange/factory/playbooks/ssl/ssl.yml | 37 +- .../hashicorp_vault/files/hashicorp_vault.tf | 13 +- .../files/playwright_setupGiteaApp.js | 2 +- .../hashicorp_vault/tasks/gitea_oidc_auth.yml | 5 + .../templates/oidc_jwt_token.sh.j2 | 7 +- ssl.md | 10 +- 7 files changed, 298 insertions(+), 223 deletions(-) diff --git a/ansible/arcodange/factory/playbooks/03_cicd.yml b/ansible/arcodange/factory/playbooks/03_cicd.yml index def60fb..e93adf6 100644 --- a/ansible/arcodange/factory/playbooks/03_cicd.yml +++ b/ansible/arcodange/factory/playbooks/03_cicd.yml @@ -27,15 +27,18 @@ container_name: gitea_action restart: always environment: + CONFIG_FILE: /config.yaml GITEA_INSTANCE_URL: >- http://{{ hostvars[groups.gitea[0]].ansible_host }}:3000 GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_token_cmd.stdout }}" GITEA_RUNNER_NAME: arcodange_global_runner_{{ inventory_hostname }} - # GITEA_RUNNER_LABELS: host={{ansible_host}},env=any + GITEA_RUNNER_LABELS: ubuntu-latest:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca,ubuntu-latest-ca:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca volumes: - /var/run/docker.sock:/var/run/docker.sock - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro + - /etc/ssl/certs:/etc/ssl/certs:ro + - /usr/local/share/ca-certificates/:/usr/local/share/ca-certificates/:ro configs: - config.yaml configs: @@ -76,9 +79,8 @@ # If it's empty when registering, it will ask for inputting labels. # If it's empty when execute `daemon`, will use labels in `.runner` file. labels: - - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest" - - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04" - - "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04" + - "ubuntu-latest:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca" + - "ubuntu-latest-ca:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca" cache: # Enable cache server to use actions/cache. @@ -141,215 +143,240 @@ community.docker.docker_compose_v2: project_src: "/home/pi/arcodange/docker_composes/arcodange_factory_gitea_action" pull: missing - state: present + state: "{{ docker_compose_down_then_up }}" register: deploy_result + loop: ["absent", "present"] + loop_control: + loop_var: docker_compose_down_then_up - - name: Set PACKAGES_TOKEN secret to upload packages from CI - run_once: True - block: - - name: Generate cicd PACKAGES_TOKEN - include_role: - name: arcodange.factory.gitea_token - vars: - gitea_token_name: PACKAGES_TOKEN - gitea_token_fact_name: cicd_PACKAGES_TOKEN - gitea_token_scopes: write:package - gitea_token_replace: true +# - name: Set PACKAGES_TOKEN secret to upload packages from CI +# run_once: True +# block: +# - name: Generate cicd PACKAGES_TOKEN +# include_role: +# name: arcodange.factory.gitea_token +# vars: +# gitea_token_name: PACKAGES_TOKEN +# gitea_token_fact_name: cicd_PACKAGES_TOKEN +# gitea_token_scopes: write:package +# gitea_token_replace: true - - name: Register cicd PACKAGES_TOKEN secrets - include_role: - name: arcodange.factory.gitea_secret - vars: - gitea_secret_name: PACKAGES_TOKEN - gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}" - loop: ["organization", "user"] - loop_control: - loop_var: gitea_owner_type # Peut être "user" ou "organization" +# - name: Register cicd PACKAGES_TOKEN secrets +# include_role: +# name: arcodange.factory.gitea_secret +# vars: +# gitea_secret_name: PACKAGES_TOKEN +# gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}" +# loop: ["organization", "user"] +# loop_control: +# loop_var: gitea_owner_type # Peut être "user" ou "organization" + +# - name: Set HOMELAB_CA_CERT secret to validate self signed ssl +# run_once: True +# block: +# - name: Download homelab CA certificate +# ansible.builtin.uri: +# url: "https://ssl-ca.arcodange.lab:8443/roots.pem" +# return_content: yes +# validate_certs: no +# register: homelab_ca_cert +# - name: Debug cert +# debug: +# msg: "{{ homelab_ca_cert.content }}..." +# - name: Register cicd HOMELAB_CA_CERT secrets +# include_role: +# name: arcodange.factory.gitea_secret +# vars: +# gitea_secret_name: HOMELAB_CA_CERT +# gitea_secret_value: "{{ homelab_ca_cert.content | b64encode }}" +# loop: ["organization", "user"] +# loop_control: +# loop_var: gitea_owner_type # Peut être "user" ou "organization" - post_tasks: - - include_role: - name: arcodange.factory.gitea_token - vars: - gitea_token_delete: true +# post_tasks: +# - include_role: +# name: arcodange.factory.gitea_token +# vars: +# gitea_token_delete: true -- name: Deploy Argo CD - hosts: localhost - roles: - - role: arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required - tags: - - gitea_sync - tasks: - - name: Set factory repo - include_role: - name: arcodange.factory.gitea_repo - vars: - gitea_repo_name: factory - - name: Sync other repos - tags: gitea_sync - include_role: - name: arcodange.factory.gitea_sync - apply: - tags: gitea_sync - - name: Generate Argo CD token - include_role: - name: arcodange.factory.gitea_token - vars: - gitea_token_name: ARGOCD_TOKEN - gitea_token_fact_name: argocd_token - gitea_token_scopes: read:repository,read:package - gitea_token_replace: true - - name: Figure out k3s master node - shell: - kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##' - register: get_k3s_master_node - changed_when: false - - name: Get kubernetes server internal url - command: >- - echo https://kubernetes.default.svc - # {%raw%} - # kubectl get svc/kubernetes -o template="{{.spec.clusterIP}}:{{(index .spec.ports 0).port}}" - # {%endraw%} - register: get_k3s_internal_server_url - changed_when: false - - set_fact: - k3s_master_node: "{{ get_k3s_master_node.stdout }}" - k3s_internal_server_url: "{{ get_k3s_internal_server_url.stdout }}" - - name: Read Step CA root certificate from k3s master - become: true - delegate_to: "{{ k3s_master_node }}" - slurp: - src: /home/step/.step/certs/root_ca.crt - register: step_ca_root_cert - - name: Decode Step CA root certificate - set_fact: - step_ca_root_cert_pem: "{{ step_ca_root_cert.content | b64decode }}" - - name: Install Argo CD - become: true - delegate_to: "{{ k3s_master_node }}" - vars: - gitea_credentials: - username: arcodange - password: "{{ argocd_token }}" - argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml - global: - domain: argocd.arcodange.lab - configs: - cm: - kustomize.buildOptions: "--enable-helm" - helm.enablePostRenderer: "true" - exec.enabled: "true" - params: - server.insecure: true # let k3s traefik do TLS termination - ansible.builtin.copy: - dest: /var/lib/rancher/k3s/server/manifests/argocd.yaml - content: |- - apiVersion: v1 - kind: Namespace - metadata: - name: argocd - --- - apiVersion: v1 - kind: ConfigMap - metadata: - name: argocd-tls-certs-cm - namespace: argocd - data: - gitea.arcodange.lab: | - {{ step_ca_root_cert_pem | indent(4) }} - --- - apiVersion: helm.cattle.io/v1 - kind: HelmChart - metadata: - name: argocd - namespace: kube-system - spec: - repo: https://argoproj.github.io/argo-helm - chart: argo-cd - targetNamespace: argocd - valuesContent: |- - {{ argocd_helm_values | to_nice_yaml | indent( width=4 ) }} - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: argocd-server-ingress - namespace: argocd - annotations: - # For Traefik v2.x - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: "true" - traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt - traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab - traefik.ingress.kubernetes.io/router.tls.domains.0.sans: argocd.arcodange.lab - traefik.ingress.kubernetes.io/router.middlewares: localIp@file - spec: - rules: - - host: argocd.arcodange.lab - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: argocd-server - port: - number: 80 #TLS is terminated at Traefik - --- - apiVersion: v1 - kind: Secret - metadata: - name: gitea-arcodangeorg-factory-repo - namespace: argocd - labels: - argocd.argoproj.io/secret-type: repository - stringData: - type: git - url: https://gitea.arcodange.lab/arcodange-org/factory - --- - apiVersion: v1 - kind: Secret - metadata: - name: gitea-arcodangeorg-repo-creds - namespace: argocd - labels: - argocd.argoproj.io/secret-type: repo-creds - stringData: - type: git - url: https://gitea.arcodange.lab/arcodange-org - password: {{ gitea_credentials.password }} - username: {{ gitea_credentials.username }} - --- - apiVersion: argoproj.io/v1alpha1 - kind: Application - metadata: - name: factory - namespace: argocd - spec: - project: default - source: - repoURL: https://gitea.arcodange.lab/arcodange-org/factory - targetRevision: HEAD - path: argocd - destination: - server: {{ k3s_internal_server_url }} - namespace: argocd - syncPolicy: - automated: - prune: true - selfHeal: true - - name: touch manifests/argocd.yaml to trigger update - delegate_to: "{{ k3s_master_node }}" - ansible.builtin.file: - path: /var/lib/rancher/k3s/server/manifests/argocd.yaml - state: touch - become: true - post_tasks: - - include_role: - name: arcodange.factory.gitea_token - apply: - tags: gitea_sync - tags: - - gitea_sync - vars: - gitea_token_delete: true \ No newline at end of file +# - name: Deploy Argo CD +# hosts: localhost +# roles: +# - role: arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required +# tags: +# - gitea_sync +# tasks: +# - name: Set factory repo +# include_role: +# name: arcodange.factory.gitea_repo +# vars: +# gitea_repo_name: factory +# - name: Sync other repos +# tags: gitea_sync +# include_role: +# name: arcodange.factory.gitea_sync +# apply: +# tags: gitea_sync +# - name: Generate Argo CD token +# include_role: +# name: arcodange.factory.gitea_token +# vars: +# gitea_token_name: ARGOCD_TOKEN +# gitea_token_fact_name: argocd_token +# gitea_token_scopes: read:repository,read:package +# gitea_token_replace: true +# - name: Figure out k3s master node +# shell: +# kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##' +# register: get_k3s_master_node +# changed_when: false +# - name: Get kubernetes server internal url +# command: >- +# echo https://kubernetes.default.svc +# # {%raw%} +# # kubectl get svc/kubernetes -o template="{{.spec.clusterIP}}:{{(index .spec.ports 0).port}}" +# # {%endraw%} +# register: get_k3s_internal_server_url +# changed_when: false +# - set_fact: +# k3s_master_node: "{{ get_k3s_master_node.stdout }}" +# k3s_internal_server_url: "{{ get_k3s_internal_server_url.stdout }}" +# - name: Read Step CA root certificate from k3s master +# become: true +# delegate_to: "{{ k3s_master_node }}" +# slurp: +# src: /home/step/.step/certs/root_ca.crt +# register: step_ca_root_cert +# - name: Decode Step CA root certificate +# set_fact: +# step_ca_root_cert_pem: "{{ step_ca_root_cert.content | b64decode }}" +# - name: Install Argo CD +# become: true +# delegate_to: "{{ k3s_master_node }}" +# vars: +# gitea_credentials: +# username: arcodange +# password: "{{ argocd_token }}" +# argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml +# global: +# domain: argocd.arcodange.lab +# configs: +# cm: +# kustomize.buildOptions: "--enable-helm" +# helm.enablePostRenderer: "true" +# exec.enabled: "true" +# params: +# server.insecure: true # let k3s traefik do TLS termination +# ansible.builtin.copy: +# dest: /var/lib/rancher/k3s/server/manifests/argocd.yaml +# content: |- +# apiVersion: v1 +# kind: Namespace +# metadata: +# name: argocd +# --- +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: argocd-tls-certs-cm +# namespace: argocd +# data: +# gitea.arcodange.lab: | +# {{ step_ca_root_cert_pem | indent(4) }} +# --- +# apiVersion: helm.cattle.io/v1 +# kind: HelmChart +# metadata: +# name: argocd +# namespace: kube-system +# spec: +# repo: https://argoproj.github.io/argo-helm +# chart: argo-cd +# targetNamespace: argocd +# valuesContent: |- +# {{ argocd_helm_values | to_nice_yaml | indent( width=4 ) }} +# --- +# apiVersion: networking.k8s.io/v1 +# kind: Ingress +# metadata: +# name: argocd-server-ingress +# namespace: argocd +# annotations: +# # For Traefik v2.x +# traefik.ingress.kubernetes.io/router.entrypoints: websecure +# traefik.ingress.kubernetes.io/router.tls: "true" +# traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt +# traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab +# traefik.ingress.kubernetes.io/router.tls.domains.0.sans: argocd.arcodange.lab +# traefik.ingress.kubernetes.io/router.middlewares: localIp@file +# spec: +# rules: +# - host: argocd.arcodange.lab +# http: +# paths: +# - path: / +# pathType: Prefix +# backend: +# service: +# name: argocd-server +# port: +# number: 80 #TLS is terminated at Traefik +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# name: gitea-arcodangeorg-factory-repo +# namespace: argocd +# labels: +# argocd.argoproj.io/secret-type: repository +# stringData: +# type: git +# url: https://gitea.arcodange.lab/arcodange-org/factory +# --- +# apiVersion: v1 +# kind: Secret +# metadata: +# name: gitea-arcodangeorg-repo-creds +# namespace: argocd +# labels: +# argocd.argoproj.io/secret-type: repo-creds +# stringData: +# type: git +# url: https://gitea.arcodange.lab/arcodange-org +# password: {{ gitea_credentials.password }} +# username: {{ gitea_credentials.username }} +# --- +# apiVersion: argoproj.io/v1alpha1 +# kind: Application +# metadata: +# name: factory +# namespace: argocd +# spec: +# project: default +# source: +# repoURL: https://gitea.arcodange.lab/arcodange-org/factory +# targetRevision: HEAD +# path: argocd +# destination: +# server: {{ k3s_internal_server_url }} +# namespace: argocd +# syncPolicy: +# automated: +# prune: true +# selfHeal: true +# - name: touch manifests/argocd.yaml to trigger update +# delegate_to: "{{ k3s_master_node }}" +# ansible.builtin.file: +# path: /var/lib/rancher/k3s/server/manifests/argocd.yaml +# state: touch +# become: true +# post_tasks: +# - include_role: +# name: arcodange.factory.gitea_token +# apply: +# tags: gitea_sync +# tags: +# - gitea_sync +# vars: +# gitea_token_delete: true \ No newline at end of file diff --git a/ansible/arcodange/factory/playbooks/ssl/ssl.yml b/ansible/arcodange/factory/playbooks/ssl/ssl.yml index d8ed2a0..45f0a74 100644 --- a/ansible/arcodange/factory/playbooks/ssl/ssl.yml +++ b/ansible/arcodange/factory/playbooks/ssl/ssl.yml @@ -1,5 +1,5 @@ -# - name: step-ca -# ansible.builtin.import_playbook: step-ca.yml +- name: step-ca + ansible.builtin.import_playbook: step-ca.yml - name: Fetch Step-CA root certificate hosts: localhost @@ -26,6 +26,39 @@ become_user: "{{ step_ca_user }}" run_once: true + - name: Préparer le répertoire de build + file: + path: /tmp/gitea-runner-image + state: directory + mode: '0755' + + - name: Copier le root CA dans le contexte Docker + copy: + src: "{{ tmp_dir }}/root_ca.crt" + dest: /tmp/gitea-runner-image/root_ca.crt + mode: '0644' + + - name: Créer le Dockerfile pour l'image runner avec CA custom + copy: + dest: /tmp/gitea-runner-image/Dockerfile + mode: '0644' + content: | + FROM gitea/runner-images:ubuntu-latest + + COPY root_ca.crt /usr/local/share/ca-certificates/root_ca.crt + RUN update-ca-certificates + + - name: Builder l'image runner avec le CA + community.docker.docker_image: + name: gitea.arcodange.lab/arcodange-org/runner-images + tag: ubuntu-latest-ca + source: build + build: + path: /tmp/gitea-runner-image + push: true + +# - /etc/ssl/certs:/etc/ssl/certs:ro + # - name: Distribute Step-CA root certificate # hosts: all # gather_facts: true diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf index 449d6fa..377492d 100644 --- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf +++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf @@ -39,10 +39,10 @@ variable "gitea_admin_token" { sensitive = true } -# kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.lab")))[0]' | jq '.certificate' -r | base64 -d | openssl x509 -# variable "ca_pem" { -# type = string -# } +# same as vault CA +variable "ca_pem" { + type = string +} terraform { required_providers { vault = { @@ -63,7 +63,7 @@ resource "vault_jwt_auth_backend" "gitea" { path = "gitea" type = "oidc" oidc_discovery_url = var.gitea_app.url - # oidc_discovery_ca_pem = var.ca_pem + oidc_discovery_ca_pem = file(var.ca_pem) oidc_client_id = var.gitea_app.id oidc_client_secret = var.gitea_app.secret bound_issuer = var.gitea_app.url @@ -92,6 +92,7 @@ resource "vault_jwt_auth_backend_role" "gitea" { "http://localhost:8250/oidc/callback", # for command line login "${var.vault_address}/ui/vault/auth/gitea/oidc/callback", "https://webapp.arcodange.fr/oauth-callback", + "https://webapp.arcodange.lab/oauth-callback", ] } @@ -101,7 +102,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" { path = "gitea_jwt" type = "jwt" oidc_discovery_url = var.gitea_app.url - # oidc_discovery_ca_pem = var.ca_pem + oidc_discovery_ca_pem = file(var.ca_pem) bound_issuer = var.gitea_app.url tune { diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js index 87e6977..7c4509a 100644 --- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js +++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js @@ -22,7 +22,7 @@ const browser = await chromium.launch({ log: (name, severity, message, args) => console.warn(`${severity}| ${name} :: ${message} __ ${args}`) }, }); -const context = await browser.newContext({locale: "gb-GB"}); +const context = await browser.newContext({locale: "gb-GB", ignoreHTTPSErrors: true}); // Using self signed cert - could improve with NODE_EXTRA_CA_CERTS env variable const page = await context.newPage(); async function doLogin() { diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml index 6cee0ad..9070124 100644 --- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml +++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml @@ -11,6 +11,7 @@ GITEA_USER: '{{ gitea_admin_user }}' GITEA_PASSWORD: '{{ gitea_admin_password }}' VAULT_ADDRESS: '{{ vault_address }}' + NODE_EXTRA_CA_CERTS: '' - include_role: name: arcodange.factory.playwright @@ -31,6 +32,8 @@ -v {{ volume_name }}:/tofu -w /tofu -v {{ role_path }}/files/hashicorp_vault.tf:/tofu/hashicorp_vault.tf -v ~/.config/gcloud:/root/.config/gcloud + -v /etc/ssl/certs/arcodange-root.pem:/etc/ssl/custom/arcodange-root.pem:ro + -e VAULT_CACERT=/etc/ssl/custom/arcodange-root.pem --entrypoint='' ghcr.io/opentofu/opentofu:latest {{ command }} @@ -44,6 +47,7 @@ # -var='vault_token={{ vault_root_token }}' # -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}' # -var='gitea_admin_token={{ gitea_admin_token }}' + # -var="ca_pem=/etc/ssl/custom/arcodange-root.pem" - >- tofu apply -auto-approve -no-color -var='gitea_app={{ gitea_app | to_json }}' @@ -51,6 +55,7 @@ -var='vault_token={{ vault_root_token }}' -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}' -var='gitea_admin_token={{ gitea_admin_token }}' + -var="ca_pem=/etc/ssl/custom/arcodange-root.pem" loop_control: loop_var: command extended: true diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2 b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2 index d3a22eb..bd5b664 100644 --- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2 +++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2 @@ -4,7 +4,7 @@ set -eu # Variables à ajuster selon ta configuration CLIENT_ID="{{ OIDC_CLIENT_ID }}" CLIENT_SECRET="{{ OIDC_CLIENT_SECRET }}" -REDIRECT_URI="{{ OIDC_CLIENT_CALLBACK | default('https://webapp.arcodange.fr/oauth-callback') }}" # Redirige ici après l'authentification +REDIRECT_URI="{{ OIDC_CLIENT_CALLBACK | default('https://webapp.arcodange.lab/oauth-callback') }}" # Redirige ici après l'authentification AUTH_URL="{{ GITEA_BASE_URL | default('https://gitea.arcodange.lab') }}/login/oauth/authorize" TOKEN_URL="{{ GITEA_BASE_URL | default('https://gitea.arcodange.lab') }}/login/oauth/access_token" ISSUER="https://gitea.arcodange.lab/" @@ -26,7 +26,7 @@ poll_state() { #echo "Tentative $attempt/$MAX_ATTEMPTS: Requête à l'endpoint /retrieve pour state=$STATE..." # Effectuer la requête GET - RESPONSE=$(curl -s -w "%{http_code}" -o /tmp/response_body "https://webapp.arcodange.fr/retrieve?state=$STATE") + RESPONSE=$(curl -s -w "%{http_code}" -o /tmp/response_body "https://webapp.arcodange.lab/retrieve?state=$STATE") HTTP_CODE=$(tail -n1 <<< "$RESPONSE") if [ "$HTTP_CODE" == "200" ]; then @@ -50,6 +50,9 @@ poll_state() { return 1 } +# 0. Installer le certificat arcodange.lab (droits sudo) +# curl https://ssl-ca.arcodange.lab:8443/roots.pem -ks > /usr/local/share/ca-certificates/arcodange-root.crt && update-ca-certificates 2>/dev/null >/dev/null && export VAULT_CACERT=/usr/local/share/ca-certificates/arcodange-root.crt || echo "couldn't install self signed .crt" >&2 + # 1. Rediriger l'utilisateur vers l'URL d'authentification echo "Ouvrez le lien suivant dans votre navigateur pour vous authentifier dans Gitea:" echo "$AUTH_URL?client_id=$CLIENT_ID&redirect_uri=$REDIRECT_URI&response_type=code&scope=$(sed 's/ /%20/g' <<<$SCOPE)&state=$STATE" diff --git a/ssl.md b/ssl.md index 4784efd..3f107e6 100644 --- a/ssl.md +++ b/ssl.md @@ -42,6 +42,7 @@ ssh pi3 "sudo openssl verify /usr/local/share/ca-certificates/arcodange-root.crt ```bash scp pi1:/home/step/.step/certs/root_ca.crt /tmp/root_ca.crt sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/root_ca.crt +sudo scp pi@pi1:/etc/ssl/certs/arcodange-root.pem /etc/ssl/certs/arcodange-root.pem ``` Vérification : @@ -53,6 +54,11 @@ security verify-cert -c /tmp/root_ca.crt ## 3. Redémarrer les services TLS si nécessaire -Sur les RPi (optionnel, si vous utilisez Docker, containerd ou k3s) : +Sur les RPi (optionnel, si vous utilisez Docker, containerd ou k3s par exemple). -```bash \ No newline at end of file +--- + +## 4 + +Autre commande pratique: +> `curl https://ssl-ca.arcodange.lab:8443/roots.pem -ks > /usr/local/share/ca-certificates/arcodange-root.crt && update-ca-certificates 2>/dev/null >/dev/null` \ No newline at end of file