fixes

2025-08-09 17:01:18 +02:00
parent 561331b825
commit b4bde14809
7 changed files with 30 additions and 17 deletions
--- a/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea_vault.yml
+++ b/ansible/arcodange/factory/inventory/group_vars/hard_disk/gitea_vault.yml
@@ -1,13 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-66376231363631663639623736353861383337333863623761303438643831653061373338306366
-3762316261326433316166393132663034373636313935660a353962653931643131306134663264
-64636264393338366363333932366163393036326362353630656132326534663239306639336531
-3239373433386332640a653262633333653037646236366362333838356534623935613534376465
-66633335636235323035656332356566343738363661363066653239653037643539323533643534
-38376465663637646637326436306631663135333361666635303936643562356365616164636565
-39313231623630386332363262376364383935353534663465333362356631383334396366643463
-65616130613936343035643736623137313665373462353531326365396638633165326139343233
-31313933313161343265373865643638616134303834396563623366633136616333613433323035
-32643336343438646361616364336466366165363464323466363034373531323839363863396236
-34343731386364613739666461633564646135306231366135396562383565383562396639316164
-33626266643765653765
+36376264363339363633323934646662623836323237373638326331643333383664393363653133
+6136336438613839376466613530303630613035383935660a383934386234633163343735633435
+65623262633238356338343038333765333064323337653638636138626530643661313832643634
+3365363638616231350a303461336564636633333664643566346432653032336233326338376134
+36386235366564306533643635653232373634346333373236313462393533396334623365326638
+33363934663763326534363562643338333361616633323336313862353838666235393063306535
+33303465356166323630306265303930363066386533653966633162633161623266356664636537
+32653964326466336136376365386439313962316666333935663037326434306430343734646664
+62376137306434313235363334373737636564316465323965613030643135336161316331663332
+34646437336262306533303462623936336561633032643437396335356435333861353934643234
+63376362366563316437383062653930373536666330313261396338656532333034373232386331
+37363463633863333433613463336564636336366633353663336162303563646331373635663437
+30393962613939323161306131313630333438653539363439643131373736313132
--- a/ansible/arcodange/factory/playbooks/01_system.yml
+++ b/ansible/arcodange/factory/playbooks/01_system.yml
@@ -72,8 +72,8 @@

 - name: k3s
  tags: never
-  # ansible.builtin.import_playbook: k3s.orchestration.site
-  ansible.builtin.import_playbook: k3s.orchestration.upgrade
+  ansible.builtin.import_playbook: k3s.orchestration.site
+  # ansible.builtin.import_playbook: k3s.orchestration.upgrade
  # ansible.builtin.import_playbook: k3s.orchestration.reset
  vars:
    k3s_version: v1.32.2+k3s1
--- a/ansible/arcodange/factory/playbooks/setup/postgres.yml
+++ b/ansible/arcodange/factory/playbooks/setup/postgres.yml
@@ -62,4 +62,4 @@
      loop_control:
        loop_var: database__pg_instruction
      loop:
-        "{{ applications_databases.values() | map(attribute='db_name') | product(pg_instructions) }}"
+        "{{ ( ['postgres'] + ( applications_databases.values() | map(attribute='db_name') ) ) | product(pg_instructions) }}"
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -37,6 +37,13 @@
    register: last_tofu_command
    loop:
      - tofu init -no-color
+      # - >-
+      #   tofu destroy -auto-approve -no-color
+      #   -var='gitea_app={{ gitea_app | to_json }}'
+      #   -var='vault_address={{ vault_address }}'
+      #   -var='vault_token={{ vault_root_token }}'
+      #   -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
+      #   -var='gitea_admin_token={{ gitea_admin_token }}'
      - >-
        tofu apply -auto-approve -no-color
        -var='gitea_app={{ gitea_app | to_json }}'
--- a/iac/README.md
+++ b/iac/README.md
@@ -0,0 +1,5 @@
+# 
+
+Provisionne un utilisateur gitea "tofu_module_reader",
+autorisé à lire certains projets il est utilisé par la CI pour récupérer des blueprints terraform
+via sa clé ssh répertoriée dans vault.
--- a/iac/main.tf
+++ b/iac/main.tf
@@ -9,7 +9,7 @@ resource "gitea_user" "tofu" {
  email                = "tofu-module-reader@arcodange.fake"
  must_change_password = false
  full_name = "restricted CI user"
-  prohibit_login = true
+  prohibit_login = false
  restricted = true
  visibility = "private"
 }
--- a/postgres/iac/main.tf
+++ b/postgres/iac/main.tf
@@ -1,6 +1,6 @@
 resource "random_password" "credentials_editor" {
  length           = 24
-  override_special = "-:!+<>$"
+  override_special = "-:!+<>"
 }

 resource "postgresql_role" "credentials_editor" {