ansible-gitea/tasks/get_secrets.yml

---
# This file extracts a secret from the config file. If it is not found, a new value is generated.
# In either case, the secret is made available in a variable for future reference.
# Needs:
# * _slurp_appini - base64-encoded contents of app.ini
# * secret - the name of the secret to handle

- name: "extract {{ secret }} from current config file"
  set_fact:
    _secret_value: "{{ _slurp_appini.content | b64decode | regex_search('(?<=' ~ secret ~ '\\s=\\s`).*(?=`)') }}"
  no_log: true
  when: "_slurp_appini is not skipped"

- name: "generate new {{ secret }}"
  command: "gitea generate secret '{{ secret }}'"
  environment:
    PATH: "{{ ansible_facts['env']['PATH'] }}:/usr/local/bin"
  register: _generate_secret
  no_log: true
  when: "not _secret_value | default(false)"

- name: "store new {{ secret }}"
  set_fact:
    '_{{ secret }}': "{{ _generate_secret.stdout | default(_secret_value) }}"
  no_log: true