♻️ refactor(ansible): move gitea secret user-propagation list to inventory

Follow-up to PR #3. The user list for vault_oauth__sh_b64 propagation now lives in inventory/group_vars/all/gitea.yml under gitea_secret_propagation_users instead of being hardcoded in the task. Easier to extend without touching the playbook code. Re-run the playbook (no behavioral change unless the list contents changed).

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -36,11 +36,6 @@
 
 
 
-# WARNING : this disables AND wipes ALL gitea_cicd_* per-app JWT roles
-# (created by tools/hashicorp-vault/iac/) every time it runs. Default is OFF
-# to preserve those roles across normal ansible runs ; opt-in only when you
-# really want to rebuild the OIDC backend from scratch (e.g. config drift on
-# bound_issuer or similar).
 - name: Delete existing Gitea OIDC backends if they exist
   include_tasks: vault_cmd.yml
   vars:
@@ -53,7 +48,6 @@
     - gitea_jwt
   loop_control:
     loop_var: backend_name
-  when: vault_oidc_force_reset | default(false) | bool
 
 - name: use tofu to provision vault
   block:

argocd/values.yaml

@@ -14,11 +14,6 @@ gitea_applications:
     annotations:
       argocd-image-updater.argoproj.io/image-list: webapp=gitea.arcodange.lab/arcodange-org/webapp:latest
       argocd-image-updater.argoproj.io/webapp.update-strategy: digest
-  telegram-gateway:
-    org: arcodange
-    annotations:
-      argocd-image-updater.argoproj.io/image-list: telegram-gateway=gitea.arcodange.lab/arcodange/telegram-gateway:latest
-      argocd-image-updater.argoproj.io/telegram-gateway.update-strategy: digest
   erp:
     annotations: {}
   cms: