factory/ansible/arcodange/factory/playbooks/ssl/ssl.yml


---
# Import the step-ca.yml playbook ahead of the other plays in this file.
# import_playbook is static: the file is resolved when the playbook is parsed.
- name: step-ca
  ansible.builtin.import_playbook: step-ca.yml
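# Play: copy the Step-CA root certificate from the primary CA host to the
# control node, bake it into a Gitea runner image as a trusted CA, and push
# that image to the internal registry.
#
# Every job that runs on the resulting image trusts this certificate, so the
# file fetched here is a trust anchor and its integrity matters more than its
# confidentiality.
- name: Fetch Step-CA root certificate
  hosts: localhost
  gather_facts: false
  vars:
    step_ca_primary: pi1
    step_ca_user: step
    step_ca_root: "/home/step/.step/certs/root_ca.crt"
    # NOTE(review): both working directories have fixed names under /tmp.
    # On a control node shared with other local accounts, confirm they are
    # owned by the user running this play, or point these variables at a
    # private directory.
    tmp_dir: "/tmp/step-ca-cert-manager"
    runner_build_dir: "/tmp/gitea-runner-image"
    # Mutable tag: the layers underneath the CA can change between builds.
    # Pin by digest (image@sha256:<digest>) for reproducible, auditable images.
    runner_base_image: "gitea/runner-images:ubuntu-latest"
    # Optional pin. Set to the expected SHA-256 of the root_ca.crt file
    # (hash of the PEM file as stored, obtained out of band). Empty = no check,
    # which matches the previous behaviour.
    step_ca_root_sha256: ""
  tasks:
    - name: Ensure local temp directory exists
      ansible.builtin.file:
        path: "{{ tmp_dir }}"
        state: directory
        mode: "0700"

    # fetch copies from the delegated host to the control node; flat=true
    # writes exactly to dest instead of dest/<hostname>/<src path>.
    - name: Fetch root CA from step_ca_primary
      ansible.builtin.fetch:
        src: "{{ step_ca_root }}"
        dest: "{{ tmp_dir }}/root_ca.crt"
        flat: true
      delegate_to: "{{ step_ca_primary }}"
      become: true
      become_user: "{{ step_ca_user }}"
      run_once: true

    # fetch only validates that the transfer matched the remote file; it says
    # nothing about whether the remote file is the CA you expect. The two
    # tasks below compare it with a value pinned by the operator.
    - name: Read checksum of the fetched root CA
      ansible.builtin.stat:
        path: "{{ tmp_dir }}/root_ca.crt"
        checksum_algorithm: sha256
      register: root_ca_stat
      when: step_ca_root_sha256 | length > 0

    - name: Verify fetched root CA against the pinned SHA-256
      ansible.builtin.assert:
        that:
          - root_ca_stat.stat.exists
          - root_ca_stat.stat.checksum == (step_ca_root_sha256 | lower)
        fail_msg: "Fetched root CA does not match step_ca_root_sha256; not building the runner image."
      when: step_ca_root_sha256 | length > 0

    - name: Préparer le répertoire de build
      ansible.builtin.file:
        path: "{{ runner_build_dir }}"
        state: directory
        mode: "0755"

    - name: Copier le root CA dans le contexte Docker
      ansible.builtin.copy:
        src: "{{ tmp_dir }}/root_ca.crt"
        dest: "{{ runner_build_dir }}/root_ca.crt"
        mode: "0644"
      register: runner_ca_copy

    # update-ca-certificates picks up *.crt files placed under
    # /usr/local/share/ca-certificates and adds them to the system bundle.
    - name: Créer le Dockerfile pour l'image runner avec CA custom
      ansible.builtin.copy:
        dest: "{{ runner_build_dir }}/Dockerfile"
        mode: "0644"
        content: |
          FROM {{ runner_base_image }}
          COPY root_ca.crt /usr/local/share/ca-certificates/root_ca.crt
          RUN update-ca-certificates
      register: runner_dockerfile

    # Without force_source the module keeps an image that already exists
    # locally under this name:tag, so a renewed root CA or an edited
    # Dockerfile would never reach the registry. Rebuild only when the build
    # context actually changed, to keep unchanged runs idempotent.
    - name: Builder l'image runner avec le CA
      community.docker.docker_image:
        name: gitea.arcodange.lab/arcodange-org/runner-images
        tag: ubuntu-latest-ca
        source: build
        force_source: "{{ runner_ca_copy is changed or runner_dockerfile is changed }}"
        build:
          path: "{{ runner_build_dir }}"
        push: true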
# - /etc/ssl/certs:/etc/ssl/certs:ro
# - name: Distribute Step-CA root certificate
# hosts: all
# gather_facts: true
# become: true
# vars:
# root_ca_source: "/tmp/step-ca-cert-manager/root_ca.crt"
# root_ca_filename: "arcodange-root.crt"
# tasks:
# - name: Ensure root CA file is copied to correct location
# copy:
# src: "{{ root_ca_source }}"
# dest: "{{ ca_dest_path }}"
# owner: root
# group: root
# mode: '0644'
# vars:
# ca_dest_path: >-
# {% if ansible_facts['os_family'] == 'Debian' %}
# /usr/local/share/ca-certificates/{{ root_ca_filename }}
# {% elif ansible_facts['os_family'] in ['RedHat', 'Fedora'] %}
# /etc/pki/ca-trust/source/anchors/{{ root_ca_filename }}
# {% else %}
# /etc/ssl/certs/{{ root_ca_filename }}
# {% endif %}
# - name: Update CA trust store
# command: "{{ ca_update_command }}"
# vars:
# ca_update_command: >-
# {% if ansible_facts['os_family'] == 'Debian' %}
# update-ca-certificates
# {% elif ansible_facts['os_family'] in ['RedHat', 'Fedora'] %}
# update-ca-trust
# {% else %}
# echo 'Please update the CA trust manually'
# {% endif %}