arcodange-org/factory
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

runner image and setup for gitea workflow with self signed cert

Browse Source
This commit is contained in:
Gabriel Radureau
2026-01-03 12:44:27 +01:00
parent 07e5ff460b
commit 17e99db641
7 changed files with 298 additions and 223 deletions
Download Patch File Download Diff File Expand all files Collapse all files

447
ansible/arcodange/factory/playbooks/03_cicd.yml
View File

@@ -27,15 +27,18 @@
container_name: gitea_action container_name: gitea_action
restart: always restart: always
environment: environment:
CONFIG_FILE: /config.yaml
GITEA_INSTANCE_URL: >- GITEA_INSTANCE_URL: >-
http://{{ hostvars[groups.gitea[0]].ansible_host }}:3000 http://{{ hostvars[groups.gitea[0]].ansible_host }}:3000
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_token_cmd.stdout }}" GITEA_RUNNER_REGISTRATION_TOKEN: "{{ gitea_runner_token_cmd.stdout }}"
GITEA_RUNNER_NAME: arcodange_global_runner_{{ inventory_hostname }} GITEA_RUNNER_NAME: arcodange_global_runner_{{ inventory_hostname }}
# GITEA_RUNNER_LABELS: host={{ansible_host}},env=any GITEA_RUNNER_LABELS: ubuntu-latest:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca,ubuntu-latest-ca:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
- /etc/timezone:/etc/timezone:ro - /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
- /etc/ssl/certs:/etc/ssl/certs:ro
- /usr/local/share/ca-certificates/:/usr/local/share/ca-certificates/:ro
configs: configs:
- config.yaml - config.yaml
configs: configs:
@@ -76,9 +79,8 @@
# If it's empty when registering, it will ask for inputting labels. # If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `daemon`, will use labels in `.runner` file. # If it's empty when execute `daemon`, will use labels in `.runner` file.
labels: labels:
- "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest" - "ubuntu-latest:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca"
- "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04" - "ubuntu-latest-ca:docker://gitea.arcodange.lab/arcodange-org/runner-images:ubuntu-latest-ca"
- "ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04"
cache: cache:
# Enable cache server to use actions/cache. # Enable cache server to use actions/cache.
@@ -141,215 +143,240 @@
community.docker.docker_compose_v2: community.docker.docker_compose_v2:
project_src: "/home/pi/arcodange/docker_composes/arcodange_factory_gitea_action" project_src: "/home/pi/arcodange/docker_composes/arcodange_factory_gitea_action"
pull: missing pull: missing
state: present state: "{{ docker_compose_down_then_up }}"
register: deploy_result register: deploy_result
loop: ["absent", "present"]
loop_control:
loop_var: docker_compose_down_then_up
- name: Set PACKAGES_TOKEN secret to upload packages from CI # - name: Set PACKAGES_TOKEN secret to upload packages from CI
run_once: True # run_once: True
block: # block:
- name: Generate cicd PACKAGES_TOKEN # - name: Generate cicd PACKAGES_TOKEN
include_role: # include_role:
name: arcodange.factory.gitea_token # name: arcodange.factory.gitea_token
vars: # vars:
gitea_token_name: PACKAGES_TOKEN # gitea_token_name: PACKAGES_TOKEN
gitea_token_fact_name: cicd_PACKAGES_TOKEN # gitea_token_fact_name: cicd_PACKAGES_TOKEN
gitea_token_scopes: write:package # gitea_token_scopes: write:package
gitea_token_replace: true # gitea_token_replace: true
- name: Register cicd PACKAGES_TOKEN secrets # - name: Register cicd PACKAGES_TOKEN secrets
include_role: # include_role:
name: arcodange.factory.gitea_secret # name: arcodange.factory.gitea_secret
vars: # vars:
gitea_secret_name: PACKAGES_TOKEN # gitea_secret_name: PACKAGES_TOKEN
gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}" # gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}"
loop: ["organization", "user"] # loop: ["organization", "user"]
loop_control: # loop_control:
loop_var: gitea_owner_type # Peut être "user" ou "organization" # loop_var: gitea_owner_type # Peut être "user" ou "organization"
# - name: Set HOMELAB_CA_CERT secret to validate self signed ssl
# run_once: True
# block:
# - name: Download homelab CA certificate
# ansible.builtin.uri:
# url: "https://ssl-ca.arcodange.lab:8443/roots.pem"
# return_content: yes
# validate_certs: no
# register: homelab_ca_cert
# - name: Debug cert
# debug:
# msg: "{{ homelab_ca_cert.content }}..."
# - name: Register cicd HOMELAB_CA_CERT secrets
# include_role:
# name: arcodange.factory.gitea_secret
# vars:
# gitea_secret_name: HOMELAB_CA_CERT
# gitea_secret_value: "{{ homelab_ca_cert.content | b64encode }}"
# loop: ["organization", "user"]
# loop_control:
# loop_var: gitea_owner_type # Peut être "user" ou "organization"
post_tasks: # post_tasks:
- include_role: # - include_role:
name: arcodange.factory.gitea_token # name: arcodange.factory.gitea_token
vars: # vars:
gitea_token_delete: true # gitea_token_delete: true
- name: Deploy Argo CD # - name: Deploy Argo CD
hosts: localhost # hosts: localhost
roles: # roles:
- role: arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required # - role: arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required
tags: # tags:
- gitea_sync # - gitea_sync
tasks: # tasks:
- name: Set factory repo # - name: Set factory repo
include_role: # include_role:
name: arcodange.factory.gitea_repo # name: arcodange.factory.gitea_repo
vars: # vars:
gitea_repo_name: factory # gitea_repo_name: factory
- name: Sync other repos # - name: Sync other repos
tags: gitea_sync # tags: gitea_sync
include_role: # include_role:
name: arcodange.factory.gitea_sync # name: arcodange.factory.gitea_sync
apply: # apply:
tags: gitea_sync # tags: gitea_sync
- name: Generate Argo CD token # - name: Generate Argo CD token
include_role: # include_role:
name: arcodange.factory.gitea_token # name: arcodange.factory.gitea_token
vars: # vars:
gitea_token_name: ARGOCD_TOKEN # gitea_token_name: ARGOCD_TOKEN
gitea_token_fact_name: argocd_token # gitea_token_fact_name: argocd_token
gitea_token_scopes: read:repository,read:package # gitea_token_scopes: read:repository,read:package
gitea_token_replace: true # gitea_token_replace: true
- name: Figure out k3s master node # - name: Figure out k3s master node
shell: # shell:
kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##' # kubectl get nodes -l node-role.kubernetes.io/control-plane=true -o name | sed s'#node/##'
register: get_k3s_master_node # register: get_k3s_master_node
changed_when: false # changed_when: false
- name: Get kubernetes server internal url # - name: Get kubernetes server internal url
command: >- # command: >-
echo https://kubernetes.default.svc # echo https://kubernetes.default.svc
# {%raw%} # # {%raw%}
# kubectl get svc/kubernetes -o template="{{.spec.clusterIP}}:{{(index .spec.ports 0).port}}" # # kubectl get svc/kubernetes -o template="{{.spec.clusterIP}}:{{(index .spec.ports 0).port}}"
# {%endraw%} # # {%endraw%}
register: get_k3s_internal_server_url # register: get_k3s_internal_server_url
changed_when: false # changed_when: false
- set_fact: # - set_fact:
k3s_master_node: "{{ get_k3s_master_node.stdout }}" # k3s_master_node: "{{ get_k3s_master_node.stdout }}"
k3s_internal_server_url: "{{ get_k3s_internal_server_url.stdout }}" # k3s_internal_server_url: "{{ get_k3s_internal_server_url.stdout }}"
- name: Read Step CA root certificate from k3s master # - name: Read Step CA root certificate from k3s master
become: true # become: true
delegate_to: "{{ k3s_master_node }}" # delegate_to: "{{ k3s_master_node }}"
slurp: # slurp:
src: /home/step/.step/certs/root_ca.crt # src: /home/step/.step/certs/root_ca.crt
register: step_ca_root_cert # register: step_ca_root_cert
- name: Decode Step CA root certificate # - name: Decode Step CA root certificate
set_fact: # set_fact:
step_ca_root_cert_pem: "{{ step_ca_root_cert.content | b64decode }}" # step_ca_root_cert_pem: "{{ step_ca_root_cert.content | b64decode }}"
- name: Install Argo CD # - name: Install Argo CD
become: true # become: true
delegate_to: "{{ k3s_master_node }}" # delegate_to: "{{ k3s_master_node }}"
vars: # vars:
gitea_credentials: # gitea_credentials:
username: arcodange # username: arcodange
password: "{{ argocd_token }}" # password: "{{ argocd_token }}"
argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml # argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
global: # global:
domain: argocd.arcodange.lab # domain: argocd.arcodange.lab
configs: # configs:
cm: # cm:
kustomize.buildOptions: "--enable-helm" # kustomize.buildOptions: "--enable-helm"
helm.enablePostRenderer: "true" # helm.enablePostRenderer: "true"
exec.enabled: "true" # exec.enabled: "true"
params: # params:
server.insecure: true # let k3s traefik do TLS termination # server.insecure: true # let k3s traefik do TLS termination
ansible.builtin.copy: # ansible.builtin.copy:
dest: /var/lib/rancher/k3s/server/manifests/argocd.yaml # dest: /var/lib/rancher/k3s/server/manifests/argocd.yaml
content: |- # content: |-
apiVersion: v1 # apiVersion: v1
kind: Namespace # kind: Namespace
metadata: # metadata:
name: argocd # name: argocd
--- # ---
apiVersion: v1 # apiVersion: v1
kind: ConfigMap # kind: ConfigMap
metadata: # metadata:
name: argocd-tls-certs-cm # name: argocd-tls-certs-cm
namespace: argocd # namespace: argocd
data: # data:
gitea.arcodange.lab: | # gitea.arcodange.lab: |
{{ step_ca_root_cert_pem | indent(4) }} # {{ step_ca_root_cert_pem | indent(4) }}
--- # ---
apiVersion: helm.cattle.io/v1 # apiVersion: helm.cattle.io/v1
kind: HelmChart # kind: HelmChart
metadata: # metadata:
name: argocd # name: argocd
namespace: kube-system # namespace: kube-system
spec: # spec:
repo: https://argoproj.github.io/argo-helm # repo: https://argoproj.github.io/argo-helm
chart: argo-cd # chart: argo-cd
targetNamespace: argocd # targetNamespace: argocd
valuesContent: |- # valuesContent: |-
{{ argocd_helm_values | to_nice_yaml | indent( width=4 ) }} # {{ argocd_helm_values | to_nice_yaml | indent( width=4 ) }}
--- # ---
apiVersion: networking.k8s.io/v1 # apiVersion: networking.k8s.io/v1
kind: Ingress # kind: Ingress
metadata: # metadata:
name: argocd-server-ingress # name: argocd-server-ingress
namespace: argocd # namespace: argocd
annotations: # annotations:
# For Traefik v2.x # # For Traefik v2.x
traefik.ingress.kubernetes.io/router.entrypoints: websecure # traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true" # traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt # traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab # traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: argocd.arcodange.lab # traefik.ingress.kubernetes.io/router.tls.domains.0.sans: argocd.arcodange.lab
traefik.ingress.kubernetes.io/router.middlewares: localIp@file # traefik.ingress.kubernetes.io/router.middlewares: localIp@file
spec: # spec:
rules: # rules:
- host: argocd.arcodange.lab # - host: argocd.arcodange.lab
http: # http:
paths: # paths:
- path: / # - path: /
pathType: Prefix # pathType: Prefix
backend: # backend:
service: # service:
name: argocd-server # name: argocd-server
port: # port:
number: 80 #TLS is terminated at Traefik # number: 80 #TLS is terminated at Traefik
--- # ---
apiVersion: v1 # apiVersion: v1
kind: Secret # kind: Secret
metadata: # metadata:
name: gitea-arcodangeorg-factory-repo # name: gitea-arcodangeorg-factory-repo
namespace: argocd # namespace: argocd
labels: # labels:
argocd.argoproj.io/secret-type: repository # argocd.argoproj.io/secret-type: repository
stringData: # stringData:
type: git # type: git
url: https://gitea.arcodange.lab/arcodange-org/factory # url: https://gitea.arcodange.lab/arcodange-org/factory
--- # ---
apiVersion: v1 # apiVersion: v1
kind: Secret # kind: Secret
metadata: # metadata:
name: gitea-arcodangeorg-repo-creds # name: gitea-arcodangeorg-repo-creds
namespace: argocd # namespace: argocd
labels: # labels:
argocd.argoproj.io/secret-type: repo-creds # argocd.argoproj.io/secret-type: repo-creds
stringData: # stringData:
type: git # type: git
url: https://gitea.arcodange.lab/arcodange-org # url: https://gitea.arcodange.lab/arcodange-org
password: {{ gitea_credentials.password }} # password: {{ gitea_credentials.password }}
username: {{ gitea_credentials.username }} # username: {{ gitea_credentials.username }}
--- # ---
apiVersion: argoproj.io/v1alpha1 # apiVersion: argoproj.io/v1alpha1
kind: Application # kind: Application
metadata: # metadata:
name: factory # name: factory
namespace: argocd # namespace: argocd
spec: # spec:
project: default # project: default
source: # source:
repoURL: https://gitea.arcodange.lab/arcodange-org/factory # repoURL: https://gitea.arcodange.lab/arcodange-org/factory
targetRevision: HEAD # targetRevision: HEAD
path: argocd # path: argocd
destination: # destination:
server: {{ k3s_internal_server_url }} # server: {{ k3s_internal_server_url }}
namespace: argocd # namespace: argocd
syncPolicy: # syncPolicy:
automated: # automated:
prune: true # prune: true
selfHeal: true # selfHeal: true
- name: touch manifests/argocd.yaml to trigger update # - name: touch manifests/argocd.yaml to trigger update
delegate_to: "{{ k3s_master_node }}" # delegate_to: "{{ k3s_master_node }}"
ansible.builtin.file: # ansible.builtin.file:
path: /var/lib/rancher/k3s/server/manifests/argocd.yaml # path: /var/lib/rancher/k3s/server/manifests/argocd.yaml
state: touch # state: touch
become: true # become: true
post_tasks: # post_tasks:
- include_role: # - include_role:
name: arcodange.factory.gitea_token # name: arcodange.factory.gitea_token
apply: # apply:
tags: gitea_sync # tags: gitea_sync
tags: # tags:
- gitea_sync # - gitea_sync
vars: # vars:
gitea_token_delete: true # gitea_token_delete: true

37
ansible/arcodange/factory/playbooks/ssl/ssl.yml
View File

@@ -1,5 +1,5 @@
# - name: step-ca - name: step-ca
# ansible.builtin.import_playbook: step-ca.yml ansible.builtin.import_playbook: step-ca.yml
- name: Fetch Step-CA root certificate - name: Fetch Step-CA root certificate
hosts: localhost hosts: localhost
@@ -26,6 +26,39 @@
become_user: "{{ step_ca_user }}" become_user: "{{ step_ca_user }}"
run_once: true run_once: true
- name: Préparer le répertoire de build
file:
path: /tmp/gitea-runner-image
state: directory
mode: '0755'
- name: Copier le root CA dans le contexte Docker
copy:
src: "{{ tmp_dir }}/root_ca.crt"
dest: /tmp/gitea-runner-image/root_ca.crt
mode: '0644'
- name: Créer le Dockerfile pour l'image runner avec CA custom
copy:
dest: /tmp/gitea-runner-image/Dockerfile
mode: '0644'
content: |
FROM gitea/runner-images:ubuntu-latest
COPY root_ca.crt /usr/local/share/ca-certificates/root_ca.crt
RUN update-ca-certificates
- name: Builder l'image runner avec le CA
community.docker.docker_image:
name: gitea.arcodange.lab/arcodange-org/runner-images
tag: ubuntu-latest-ca
source: build
build:
path: /tmp/gitea-runner-image
push: true
# - /etc/ssl/certs:/etc/ssl/certs:ro
# - name: Distribute Step-CA root certificate # - name: Distribute Step-CA root certificate
# hosts: all # hosts: all
# gather_facts: true # gather_facts: true

13
ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
View File

@@ -39,10 +39,10 @@ variable "gitea_admin_token" {
sensitive = true sensitive = true
} }
# kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.lab")))[0]' | jq '.certificate' -r | base64 -d | openssl x509 # same as vault CA
# variable "ca_pem" { variable "ca_pem" {
# type = string type = string
# } }
terraform { terraform {
required_providers { required_providers {
vault = { vault = {
@@ -63,7 +63,7 @@ resource "vault_jwt_auth_backend" "gitea" {
path = "gitea" path = "gitea"
type = "oidc" type = "oidc"
oidc_discovery_url = var.gitea_app.url oidc_discovery_url = var.gitea_app.url
# oidc_discovery_ca_pem = var.ca_pem oidc_discovery_ca_pem = file(var.ca_pem)
oidc_client_id = var.gitea_app.id oidc_client_id = var.gitea_app.id
oidc_client_secret = var.gitea_app.secret oidc_client_secret = var.gitea_app.secret
bound_issuer = var.gitea_app.url bound_issuer = var.gitea_app.url
@@ -92,6 +92,7 @@ resource "vault_jwt_auth_backend_role" "gitea" {
"http://localhost:8250/oidc/callback", # for command line login "http://localhost:8250/oidc/callback", # for command line login
"${var.vault_address}/ui/vault/auth/gitea/oidc/callback", "${var.vault_address}/ui/vault/auth/gitea/oidc/callback",
"https://webapp.arcodange.fr/oauth-callback", "https://webapp.arcodange.fr/oauth-callback",
"https://webapp.arcodange.lab/oauth-callback",
] ]
} }
@@ -101,7 +102,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
path = "gitea_jwt" path = "gitea_jwt"
type = "jwt" type = "jwt"
oidc_discovery_url = var.gitea_app.url oidc_discovery_url = var.gitea_app.url
# oidc_discovery_ca_pem = var.ca_pem oidc_discovery_ca_pem = file(var.ca_pem)
bound_issuer = var.gitea_app.url bound_issuer = var.gitea_app.url
tune { tune {

2
ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/playwright_setupGiteaApp.js
View File

@@ -22,7 +22,7 @@ const browser = await chromium.launch({
log: (name, severity, message, args) => console.warn(`${severity}| ${name} :: ${message} __ ${args}`) log: (name, severity, message, args) => console.warn(`${severity}| ${name} :: ${message} __ ${args}`)
}, },
}); });
const context = await browser.newContext({locale: "gb-GB"}); const context = await browser.newContext({locale: "gb-GB", ignoreHTTPSErrors: true}); // Using self signed cert - could improve with NODE_EXTRA_CA_CERTS env variable
const page = await context.newPage(); const page = await context.newPage();
async function doLogin() { async function doLogin() {

5
ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
View File

@@ -11,6 +11,7 @@
GITEA_USER: '{{ gitea_admin_user }}' GITEA_USER: '{{ gitea_admin_user }}'
GITEA_PASSWORD: '{{ gitea_admin_password }}' GITEA_PASSWORD: '{{ gitea_admin_password }}'
VAULT_ADDRESS: '{{ vault_address }}' VAULT_ADDRESS: '{{ vault_address }}'
NODE_EXTRA_CA_CERTS: ''
- include_role: - include_role:
name: arcodange.factory.playwright name: arcodange.factory.playwright
@@ -31,6 +32,8 @@
-v {{ volume_name }}:/tofu -w /tofu -v {{ volume_name }}:/tofu -w /tofu
-v {{ role_path }}/files/hashicorp_vault.tf:/tofu/hashicorp_vault.tf -v {{ role_path }}/files/hashicorp_vault.tf:/tofu/hashicorp_vault.tf
-v ~/.config/gcloud:/root/.config/gcloud -v ~/.config/gcloud:/root/.config/gcloud
-v /etc/ssl/certs/arcodange-root.pem:/etc/ssl/custom/arcodange-root.pem:ro
-e VAULT_CACERT=/etc/ssl/custom/arcodange-root.pem
--entrypoint='' --entrypoint=''
ghcr.io/opentofu/opentofu:latest ghcr.io/opentofu/opentofu:latest
{{ command }} {{ command }}
@@ -44,6 +47,7 @@
# -var='vault_token={{ vault_root_token }}' # -var='vault_token={{ vault_root_token }}'
# -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}' # -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
# -var='gitea_admin_token={{ gitea_admin_token }}' # -var='gitea_admin_token={{ gitea_admin_token }}'
# -var="ca_pem=/etc/ssl/custom/arcodange-root.pem"
- >- - >-
tofu apply -auto-approve -no-color tofu apply -auto-approve -no-color
-var='gitea_app={{ gitea_app | to_json }}' -var='gitea_app={{ gitea_app | to_json }}'
@@ -51,6 +55,7 @@
-var='vault_token={{ vault_root_token }}' -var='vault_token={{ vault_root_token }}'
-var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}' -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
-var='gitea_admin_token={{ gitea_admin_token }}' -var='gitea_admin_token={{ gitea_admin_token }}'
-var="ca_pem=/etc/ssl/custom/arcodange-root.pem"
loop_control: loop_control:
loop_var: command loop_var: command
extended: true extended: true

7
ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/templates/oidc_jwt_token.sh.j2
View File

@@ -4,7 +4,7 @@ set -eu
# Variables à ajuster selon ta configuration # Variables à ajuster selon ta configuration
CLIENT_ID="{{ OIDC_CLIENT_ID }}" CLIENT_ID="{{ OIDC_CLIENT_ID }}"
CLIENT_SECRET="{{ OIDC_CLIENT_SECRET }}" CLIENT_SECRET="{{ OIDC_CLIENT_SECRET }}"
REDIRECT_URI="{{ OIDC_CLIENT_CALLBACK | default('https://webapp.arcodange.fr/oauth-callback') }}" # Redirige ici après l'authentification REDIRECT_URI="{{ OIDC_CLIENT_CALLBACK | default('https://webapp.arcodange.lab/oauth-callback') }}" # Redirige ici après l'authentification
AUTH_URL="{{ GITEA_BASE_URL | default('https://gitea.arcodange.lab') }}/login/oauth/authorize" AUTH_URL="{{ GITEA_BASE_URL | default('https://gitea.arcodange.lab') }}/login/oauth/authorize"
TOKEN_URL="{{ GITEA_BASE_URL | default('https://gitea.arcodange.lab') }}/login/oauth/access_token" TOKEN_URL="{{ GITEA_BASE_URL | default('https://gitea.arcodange.lab') }}/login/oauth/access_token"
ISSUER="https://gitea.arcodange.lab/" ISSUER="https://gitea.arcodange.lab/"
@@ -26,7 +26,7 @@ poll_state() {
#echo "Tentative $attempt/$MAX_ATTEMPTS: Requête à l'endpoint /retrieve pour state=$STATE..." #echo "Tentative $attempt/$MAX_ATTEMPTS: Requête à l'endpoint /retrieve pour state=$STATE..."
# Effectuer la requête GET # Effectuer la requête GET
RESPONSE=$(curl -s -w "%{http_code}" -o /tmp/response_body "https://webapp.arcodange.fr/retrieve?state=$STATE") RESPONSE=$(curl -s -w "%{http_code}" -o /tmp/response_body "https://webapp.arcodange.lab/retrieve?state=$STATE")
HTTP_CODE=$(tail -n1 <<< "$RESPONSE") HTTP_CODE=$(tail -n1 <<< "$RESPONSE")
if [ "$HTTP_CODE" == "200" ]; then if [ "$HTTP_CODE" == "200" ]; then
@@ -50,6 +50,9 @@ poll_state() {
return 1 return 1
} }
# 0. Installer le certificat arcodange.lab (droits sudo)
# curl https://ssl-ca.arcodange.lab:8443/roots.pem -ks > /usr/local/share/ca-certificates/arcodange-root.crt && update-ca-certificates 2>/dev/null >/dev/null && export VAULT_CACERT=/usr/local/share/ca-certificates/arcodange-root.crt || echo "couldn't install self signed .crt" >&2
# 1. Rediriger l'utilisateur vers l'URL d'authentification # 1. Rediriger l'utilisateur vers l'URL d'authentification
echo "Ouvrez le lien suivant dans votre navigateur pour vous authentifier dans Gitea:" echo "Ouvrez le lien suivant dans votre navigateur pour vous authentifier dans Gitea:"
echo "$AUTH_URL?client_id=$CLIENT_ID&redirect_uri=$REDIRECT_URI&response_type=code&scope=$(sed 's/ /%20/g' <<<$SCOPE)&state=$STATE" echo "$AUTH_URL?client_id=$CLIENT_ID&redirect_uri=$REDIRECT_URI&response_type=code&scope=$(sed 's/ /%20/g' <<<$SCOPE)&state=$STATE"

10
ssl.md
View File

@@ -42,6 +42,7 @@ ssh pi3 "sudo openssl verify /usr/local/share/ca-certificates/arcodange-root.crt
```bash ```bash
scp pi1:/home/step/.step/certs/root_ca.crt /tmp/root_ca.crt scp pi1:/home/step/.step/certs/root_ca.crt /tmp/root_ca.crt
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/root_ca.crt sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/root_ca.crt
sudo scp pi@pi1:/etc/ssl/certs/arcodange-root.pem /etc/ssl/certs/arcodange-root.pem
``` ```
Vérification : Vérification :
@@ -53,6 +54,11 @@ security verify-cert -c /tmp/root_ca.crt
## 3. Redémarrer les services TLS si nécessaire ## 3. Redémarrer les services TLS si nécessaire
Sur les RPi (optionnel, si vous utilisez Docker, containerd ou k3s) : Sur les RPi (optionnel, si vous utilisez Docker, containerd ou k3s par exemple).
```bash ---
## 4
Autre commande pratique:
> `curl https://ssl-ca.arcodange.lab:8443/roots.pem -ks > /usr/local/share/ca-certificates/arcodange-root.crt && update-ca-certificates 2>/dev/null >/dev/null`