From 95f365dbb5daa4e6b5bcca19499459b7c6019bae Mon Sep 17 00:00:00 2001 From: Gabriel Radureau Date: Tue, 20 Aug 2024 11:25:19 +0200 Subject: [PATCH] provide PACKAGES_TOKEN secret --- .../arcodange/factory/playbooks/03_cicd.yml | 39 +++++++++++++++++-- .../factory/playbooks/setup/gitea.yml | 2 +- .../roles/gitea_secret/defaults/main.yml | 11 ++++++ .../factory/roles/gitea_secret/tasks/main.yml | 37 ++++++++++++++++++ .../roles/gitea_token/defaults/main.yml | 6 ++- .../factory/roles/gitea_token/tasks/main.yml | 34 ++++++++++++---- 6 files changed, 116 insertions(+), 13 deletions(-) create mode 100644 ansible/arcodange/factory/roles/gitea_secret/defaults/main.yml create mode 100644 ansible/arcodange/factory/roles/gitea_secret/tasks/main.yml diff --git a/ansible/arcodange/factory/playbooks/03_cicd.yml b/ansible/arcodange/factory/playbooks/03_cicd.yml index f4ba3c0..7d9e31c 100644 --- a/ansible/arcodange/factory/playbooks/03_cicd.yml +++ b/ansible/arcodange/factory/playbooks/03_cicd.yml @@ -3,6 +3,9 @@ - name: Deploy Gitea Action hosts: raspberries:&local:!gitea # do not deploy on machine with gitea instance + roles: + - arcodange.factory.gitea_token # generate gitea_api_token used to replace generated token with set name if required + tasks: - name: Fetch Gitea Token for Action Runner registration @@ -39,9 +42,9 @@ # You don't have to copy this file to your instance, # just run `./act_runner generate-config > config.yaml` to generate a config file. - log: - # The level of logging, can be trace, debug, info, warn, error, fatal - level: info + #log: + # # The level of logging, can be trace, debug, info, warn, error, fatal + # level: info runner: # Where to store the registration result. 
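Review bot: The comment on the new `roles:` entry is hard to read ("generate gitea_api_token used to replace generated token with set name if required") and leaves out the two facts a maintainer needs: the token created here carries the gitea_token role's default scopes (`write:admin,write:organization,...` in gitea_token/defaults of this patch) and its deletion is the `post_tasks` include added later in this file. Suggest `# create a play-scoped gitea_api_token (scopes: gitea_token role defaults, admin-level); deleted again in post_tasks`. The play's body continues beyond the hunk.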
@@ -132,13 +135,35 @@ # The parent directory of a job's working directory. # If it's empty, $HOME/.cache/act/ will be used. workdir_parent: - - name: Deploy Gitea with Docker Compose + - name: Deploy Gitea Action with Docker Compose community.docker.docker_compose_v2: project_src: "/home/pi/arcodange/docker_composes/arcodange_factory_gitea_action" pull: missing state: present register: deploy_result + - name: Set PACKAGES_TOKEN secret to upload packages from CI + run_once: True + block: + - name: Generate cicd PACKAGES_TOKEN + include_role: + name: arcodange.factory.gitea_token + vars: + gitea_token_name: PACKAGES_TOKEN + gitea_token_fact_name: cicd_PACKAGES_TOKEN + gitea_token_scopes: write:package + gitea_token_replace: true + + - name: Register cicd PACKAGES_TOKEN secrets + include_role: + name: arcodange.factory.gitea_secret + vars: + gitea_secret_name: PACKAGES_TOKEN + gitea_secret_value: "{{ cicd_PACKAGES_TOKEN }}" + loop: ["organization", "user"] + loop_control: + loop_var: gitea_owner_type # Peut être "user" ou "organization" + - name: Deploy Argo CD run_once: true block: @@ -150,3 +175,9 @@ - name: Sync other repos include_role: name: arcodange.factory.gitea_sync + + post_tasks: + - include_role: + name: arcodange.factory.gitea_token + vars: + gitea_token_delete: true \ No newline at end of file diff --git a/ansible/arcodange/factory/playbooks/setup/gitea.yml b/ansible/arcodange/factory/playbooks/setup/gitea.yml index ce42bcb..240ad4c 100644 --- a/ansible/arcodange/factory/playbooks/setup/gitea.yml +++ b/ansible/arcodange/factory/playbooks/setup/gitea.yml @@ -169,7 +169,7 @@ username: "{{ gitea_org_name }}" full_name: "{{ gitea_org_full_name }}" description: "{{ gitea_org_description }}" - visibility: private + visibility: public website: "{{ gitea_org_website }}" location: "{{ gitea_org_location }}" status_code: 201 
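Review bot: `run_once: True` on the new "Set PACKAGES_TOKEN secret to upload packages from CI" block should be `run_once: true`, as the sibling "Deploy Argo CD" block in the same hunk writes it. Because the gitea_token role is included with `gitea_token_replace: true`, every run of this play deletes and recreates the PACKAGES_TOKEN token before the secret is rewritten, so presumably a CI job that started with the previous value fails during that window; a comment such as `# token is rotated on every run (gitea_token_replace: true)` would make that intentional rather than surprising. The inline comment `# Peut être "user" ou "organization"` is French in an otherwise English playbook; `# "user" or "organization"` keeps it consistent.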
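Review bot: The token deletion added in `post_tasks` does not run for a host on which an earlier task failed, so an aborted run leaves the play's ansible token (default scopes in gitea_token/defaults include `write:admin`) alive in Gitea until someone removes it by hand. Wrapping the play's tasks in a `block:` with this include in its `always:` section, or running the same include from a separate cleanup play that always executes, would close that gap; at minimum a comment such as `# cleanup of the play-scoped token; not reached if a task above fails` should state the limitation. The file also ends without a trailing newline after `gitea_token_delete: true`.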
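Review bot: Changing `visibility: private` to `visibility: public` makes the `{{ gitea_org_name }}` organization and what it exposes visible without authentication, and neither the commit message ("provide PACKAGES_TOKEN secret") nor the playbook says why. Add a comment above the key stating the reason, e.g. `# public: <reason for exposing the organization>`, or move the change to its own commit so it can be reviewed on its own. The surrounding task starts before the hunk.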
diff --git a/ansible/arcodange/factory/roles/gitea_secret/defaults/main.yml b/ansible/arcodange/factory/roles/gitea_secret/defaults/main.yml new file mode 100644 index 0000000..c1c6e08 --- /dev/null +++ b/ansible/arcodange/factory/roles/gitea_secret/defaults/main.yml @@ -0,0 +1,11 @@ +gitea_username: arcodange +gitea_organization: arcodange-org + +# URL de base du serveur Gitea +gitea_base_url: http://{{ groups.gitea[0] }}:3000 + +gitea_secret_name: "my_secret" # The name of the secret to put +gitea_secret_value: "super_secret_value" # The value of the secret +gitea_owner_type: "user" # Can be "user" or "organization" +gitea_owner_name: >- # Username or organization name + {{ (gitea_owner_type == 'user') | ternary(gitea_username, gitea_organization) }} \ No newline at end of file diff --git a/ansible/arcodange/factory/roles/gitea_secret/tasks/main.yml b/ansible/arcodange/factory/roles/gitea_secret/tasks/main.yml new file mode 100644 index 0000000..e6fdf76 --- /dev/null +++ b/ansible/arcodange/factory/roles/gitea_secret/tasks/main.yml 
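Review bot: `gitea_secret_value: "super_secret_value"` gives the secret a working default, so a caller that forgets to pass the variable stores that placeholder in Gitea without any error; remove the line and let the undefined variable abort the run, or read it as `{{ gitea_secret_value | mandatory }}` in the task. `gitea_base_url` repeats the default already declared in gitea_token/defaults in this patch, unquoted here and quoted there; keep a single definition so the two roles cannot drift, and note that with the plain `http://` scheme the API token and the secret value are sent unencrypted to the Gitea host. The French comment `# URL de base du serveur Gitea` would read `# Base URL of the Gitea server` in line with the other comments in the file, and the file lacks the `---` document start.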
@@ -0,0 +1,37 @@ +- name: Generate Gitea Token + include_role: + name: arcodange.factory.gitea_token + +- name: Préparer l'URL de l'API pour mettre à jour ou ajouter un secret + set_fact: + gitea_api_url: | + {{ + gitea_base_url ~ "/api/v1/" + ~ ((gitea_owner_type == 'user') | ternary('user', 'orgs/' ~ gitea_owner_name)) + ~ "/actions/secrets/" ~ gitea_secret_name + }} + +- name: Ajouter ou mettre à jour le secret + uri: + url: "{{ gitea_api_url }}" + method: PUT + headers: + Authorization: "token {{ gitea_api_token }}" + Content-Type: "application/json" + body_format: json + body: | + { + "name": "{{ gitea_secret_name }}", + "data": "{{ gitea_secret_value }}" + } + status_code: + - 201 + - 204 + register: gitea_secret_update + +- name: Afficher la réponse après l'ajout ou la mise à jour du secret + debug: + msg: >- + Secret {{ gitea_secret_name }} + {{ (gitea_secret_update.status == 204) | ternary('mis à jour','créé') }} + pour {{ gitea_owner_type }} {{ gitea_owner_name }}. diff --git a/ansible/arcodange/factory/roles/gitea_token/defaults/main.yml b/ansible/arcodange/factory/roles/gitea_token/defaults/main.yml index fb05bf5..7630d99 100644 --- a/ansible/arcodange/factory/roles/gitea_token/defaults/main.yml +++ b/ansible/arcodange/factory/roles/gitea_token/defaults/main.yml @@ -1,4 +1,8 @@ gitea_user_name: arcodange gitea_container_name: gitea gitea_token_scopes: write:admin,write:organization,write:package,write:repository,write:user -# gitea_base_url: 'http://{{ groups.gitea[0] }}:3000' \ No newline at end of file +gitea_token_fact_name: gitea_api_token +gitea_base_url: 'http://{{ groups.gitea[0] }}:3000' +gitea_token_replace: false +gitea_token_name: ansible-{{ ansible_date_time.iso8601 }} # require gathering facts +gitea_token_delete: false # only delete token \ No newline at end of file diff --git a/ansible/arcodange/factory/roles/gitea_token/tasks/main.yml b/ansible/arcodange/factory/roles/gitea_token/tasks/main.yml index 26fe56d..dcf47e6 100644 
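Review bot: The PUT task templates the secret straight into a JSON string (`"data": "{{ gitea_secret_value }}"`), so a value containing a double quote or backslash yields an invalid body, and the task carries no `no_log`, so a verbose run or a failure prints both the API token and the secret. Passing `body` as a mapping (the module serialises it because of `body_format: json`) and adding `no_log: true` fixes both; the rewritten task is below. The `gitea_api_url` fact uses a `|` literal block, which keeps the trailing newline, so the URL presumably ends with `\n`; `gitea_api_url: >-` gives the single-line value intended, as the defaults file already does for `gitea_owner_name`. The French task names and the `mis à jour`/`créé` message would read better in English for consistency with the playbooks.
```yaml
- name: Add or update the secret
  uri:
    url: "{{ gitea_api_url }}"
    method: PUT
    headers:
      Authorization: "token {{ gitea_api_token }}"
      Content-Type: "application/json"
    body_format: json
    body:
      name: "{{ gitea_secret_name }}"
      data: "{{ gitea_secret_value }}"
    status_code:
      - 201
      - 204
  no_log: true
  register: gitea_secret_update
# … unchanged: set_fact for gitea_api_url and the debug task …
```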
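Review bot: The comments on the two new switches do not say what they control: `gitea_token_replace` decides whether a token whose name is already taken is deleted and recreated, and `gitea_token_delete` (commented `# only delete token`) makes the role delete the named token and create nothing. Suggest `gitea_token_replace: false  # delete and recreate a token whose name is already taken` and `gitea_token_delete: false  # only delete the token named gitea_token_name; no new token is created`. The unchanged `gitea_token_scopes` default grants every write scope including `write:admin`, so a comment reminding callers to narrow it, as the PACKAGES_TOKEN call does with `write:package`, is worth adding; the file also still lacks a trailing newline.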
--- a/ansible/arcodange/factory/roles/gitea_token/tasks/main.yml +++ b/ansible/arcodange/factory/roles/gitea_token/tasks/main.yml @@ -1,10 +1,12 @@ # to see generated tokens # go to https://gitea.arcodange.duckdns.org/user/settings/applications -- when: gitea_api_token is undefined +- when: lookup('ansible.builtin.varnames', '^' ~ gitea_token_fact_name ~ '$') | length == 0 or gitea_token_delete block: - - name: Create new token for ansible + - &createTokenTask + name: Create new token for ansible + when: not gitea_token_delete delegate_to: "{{ groups.gitea[0] }}" delegate_facts: true ansible.builtin.command: >- @@ -13,11 +15,29 @@ --username {{ gitea_user_name }} --token-name {{ gitea_token_name }} --raw - --scopes {{gitea_token_scopes}} + --scopes {{ gitea_token_scopes }} register: gitea_api_token_cmd - vars: - # ansible_date_time requires having gathered facts - gitea_token_name: ansible-{{ ansible_date_time.iso8601 }} + ignore_errors: '{{ gitea_token_replace }}' + + - name: replace token + when: + - gitea_token_delete or gitea_api_token_cmd.rc != 0 + - gitea_token_delete or "'access token name has been used already' in gitea_api_token_cmd.stderr" + - gitea_token_delete or gitea_token_replace + - gitea_api_token is defined + block: + - name: "delete token{{ gitea_token_replace | ternary(' to replace','') }}" + uri: + url: "{{ gitea_base_url }}/api/v1/users/{{ gitea_user_name }}/tokens/{{ gitea_token_name }}" + method: DELETE + headers: + Authorization: "Basic {{ (gitea_user_name ~ ':' ~ gitea_api_token) | b64encode }}" + Accept: application/json' + status_code: 204 + - <<: *createTokenTask + ignore_errors: false + register: gitea_api_token_cmd_bis - ansible.builtin.set_fact: - gitea_api_token: '{{ gitea_api_token_cmd.stdout }}' \ No newline at end of file + '{{ gitea_token_fact_name }}': '{{ (gitea_api_token_cmd.rc == 0) | ternary(gitea_api_token_cmd.stdout, gitea_api_token_cmd_bis.stdout) }}' + when: not gitea_token_delete \ No newline at end of file
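Review bot: In the new "replace token" `when` list, the second item is `gitea_token_delete or "'access token name has been used already' in gitea_api_token_cmd.stderr"`; the outer double quotes are part of the YAML scalar, so Jinja evaluates `x or "<non-empty string>"`, which is always true, and the stderr check never filters anything — write it as `- gitea_token_delete or 'access token name has been used already' in gitea_api_token_cmd.stderr`. The DELETE request sends `Accept: application/json'` with a stray trailing quote; it should be `Accept: application/json`. Both the create-token command (its registered stdout is the raw token) and the DELETE task (its `Authorization` header embeds the token) should carry `no_log: true`, otherwise `-v` output and task failures display the credential. The replace block also hard-codes `gitea_api_token` in its condition and Basic auth rather than the variable named by `gitea_token_fact_name`, which works in 03_cicd.yml only because the play's `roles:` entry created that token first; a comment stating that dependency would help.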