♻️ refactor(ansible): move gitea secret user-propagation list to inventory (#4)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
2026-05-06 14:48:05 +02:00
parent 69b7e9ddcb
commit 9e821e1626
2 changed files with 12 additions and 2 deletions
--- a/ansible/arcodange/factory/inventory/group_vars/all/gitea.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/all/gitea.yml
@@ -0,0 +1,11 @@
+---
+# Gitea ownership configuration consumed by playbooks running on `localhost`
+# (e.g. tools/hashicorp_vault.yml). Role-level defaults (gitea_username,
+# gitea_organization) live in roles/gitea_secret/defaults/main.yml ; this file
+# is for fact lists that the inventory should declare.
+
+# Users (Gitea owner_type=user) to which org-level Gitea Action secrets must
+# also be propagated. Repos owned by these users cannot read org-level secrets,
+# so the secret propagation playbook iterates over this list.
+gitea_secret_propagation_users:
+  - arcodange
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -123,7 +123,6 @@
      }) | b64encode }}
    gitea_owner_type: 'user'
    gitea_owner_name: '{{ item }}'
-  loop:
-    - arcodange
+  loop: '{{ gitea_secret_propagation_users }}'
  loop_control:
    label: '{{ item }}'