resource "random_password" "tofu" {
  length = 32
}
resource "gitea_user" "tofu" {
  username             = "tofu_module_reader"
  login_name           = "tofu_module_reader"
  password             = random_password.tofu.result
  email                = "tofu-module-reader@arcodange.fake"
  must_change_password = false
  full_name            = "restricted CI user"
  prohibit_login       = false
  restricted           = true
  visibility           = "private"
}
resource "tls_private_key" "tofu" {
  algorithm = "ED25519"
}
resource "gitea_public_key" "tofu" {
  title    = "tofu"
  key      = tls_private_key.tofu.public_key_openssh
  username = gitea_user.tofu.username
}

resource "vault_kv_secret" "gitea_admin_token" {
  path = "kvv1/gitea/tofu_module_reader"
  data_json = jsonencode({
    ssh_private_key = tls_private_key.tofu.private_key_openssh
    ssh_public_key  = tls_private_key.tofu.public_key_openssh
  })
}