From 9f0adfe14d3c21efc950929cdd07aceb4d15d24d Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Fri, 2 Jan 2026 14:36:22 +0100
Subject: [PATCH] use self signed cert
---
 .gitea/workflows/crowdsec.yaml | 7 ++++---
 .gitea/workflows/plausible.yaml | 7 ++++---
 .gitea/workflows/vault.yaml | 7 ++++---
 3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/crowdsec.yaml b/.gitea/workflows/crowdsec.yaml
index a75cec3..bfcdc47 100644
--- a/.gitea/workflows/crowdsec.yaml
+++ b/.gitea/workflows/crowdsec.yaml
@@ -20,6 +20,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd_crowdsec
 method: jwt
@@ -49,12 +50,12 @@ jobs:
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
 steps:
 - *vault_step
 - uses: actions/checkout@v4
- # - uses: dflook/terraform-plan@v1
- # with:
- # path: hashicorp-vault/iac
+ - name: prepare vault self signed cert
+ run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
 - name: terraform apply
 uses: dflook/terraform-apply@v1
 with:
diff --git a/.gitea/workflows/plausible.yaml b/.gitea/workflows/plausible.yaml
index 8476b1f..2f8339b 100644
--- a/.gitea/workflows/plausible.yaml
+++ b/.gitea/workflows/plausible.yaml
@@ -20,6 +20,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd_plausible
 method: jwt
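Review bot: `caCertificate` receives `secrets.HOMELAB_CA_CERT` exactly as stored, while the later hunk in this file pipes the same secret through `base64 -d`, so the secret presumably holds base64 text and this input has to accept that form. The action's `uses:` line is outside the hunk, so the expected encoding cannot be confirmed from here; if the action wants raw PEM, certificate verification against `https://vault.arcodange.lab` would fail at this step. A comment above the added line would record the contract, for example `# HOMELAB_CA_CERT: base64-encoded PEM of the homelab CA (decoded again for VAULT_CACERT)`. The same line is added in the first hunk of plausible.yaml and of vault.yaml.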
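Review bot: The added `run:` line expands `${{ secrets.HOMELAB_CA_CERT }}` into the script text before the shell starts, so any quote or shell metacharacter in the stored value becomes part of the command, and `$VAULT_CACERT` is left unquoted. Passing the value through the step environment avoids both: add `env:` with `HOMELAB_CA_CERT: ${{ secrets.HOMELAB_CA_CERT }}` to the step and use `run: printf '%s' "$HOMELAB_CA_CERT" | base64 -d > "$VAULT_CACERT"`. It is also worth confirming that the `${{ github.workspace }}` path in `VAULT_CACERT` is the path the `dflook/terraform-apply@v1` step sees, since a container-based action may mount the workspace elsewhere and would then not find `homelab.pem`. The second hunks of plausible.yaml and vault.yaml add the identical lines and need the same change; the step list continues past the end of the hunk.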
@@ -49,12 +50,12 @@ jobs:
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
 steps:
 - *vault_step
 - uses: actions/checkout@v4
- # - uses: dflook/terraform-plan@v1
- # with:
- # path: hashicorp-vault/iac
+ - name: prepare vault self signed cert
+ run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
 - name: terraform apply
 uses: dflook/terraform-apply@v1
 with:
diff --git a/.gitea/workflows/vault.yaml b/.gitea/workflows/vault.yaml
index d9b6712..3d0ba45 100644
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -20,6 +20,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd
 method: jwt
@@ -50,12 +51,12 @@ jobs:
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
 steps:
 - *vault_step
 - uses: actions/checkout@v4
- # - uses: dflook/terraform-plan@v1
- # with:
- # path: hashicorp-vault/iac
+ - name: prepare vault self signed cert
+ run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
 - name: terraform apply
 uses: dflook/terraform-apply@v1
 with: