From f591ce19a20c5649aafabd0c0152b1f17c0552c8 Mon Sep 17 00:00:00 2001
From: Dominic Vos
Date: Tue, 5 Aug 2025 13:07:40 +0000
Subject: [PATCH] Add secrets for custom certificate (#7)
Co-authored-by: Jamie Schouten
Reviewed-on: https://git.qlic.nl/workflows/kamal/pulls/7
Co-authored-by: Dominic Vos
Co-committed-by: Dominic Vos
---
 .gitea/workflows/deploy.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index c22bd9b..636c913 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -4,6 +4,12 @@ on:
 ssh-private-key:
 required: true
 type: string
+ certificate-pem:
+ required: false
+ type: string
+ private-key-pem:
+ required: false
+ type: string
 inputs:
 image:
 required: false
@@ -70,6 +76,29 @@ jobs:
 - name: Append kamal registry password
 run: echo "KAMAL_REGISTRY_PASSWORD=${{ inputs.password }}" >> .kamal/secrets.${{ inputs.environment }}
+ - name: Add optional PEM secrets to .env
+ run: |
+ ENV_FILE=".kamal/secrets.${{ inputs.environment }}"
+
+ if [[ -n "${{ secrets.certificate-pem }}" ]]; then
+ echo "" >> "$ENV_FILE"
+ {
+ echo "CERTIFICATE_PEM='"
+ echo "${{ secrets.certificate-pem }}"
+ echo "'"
+ } >> "$ENV_FILE"
+ fi
+
+ if [[ -n "${{ secrets.private-key-pem }}" ]]; then
+ echo "" >> "$ENV_FILE"
+ {
+ echo "PRIVATE_KEY_PEM='"
+ echo "${{ secrets.private-key-pem }}"
+ echo "'"
+ } >> "$ENV_FILE"
+ fi
+
+
 - name: Boot accessories
 run: kamal accessory reboot all -d ${{ inputs.environment }}
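Review bot: In the first hunk, `certificate-pem` and `private-key-pem` are each declared `required: false` on their own, and nothing visible in this patch rejects a caller that supplies only one of them, although a certificate is only usable with its matching key. A `description:` on each entry would document the pairing, for example `description: PEM certificate; supply together with private-key-pem`. The `type: string` line follows the existing `ssh-private-key` entry, but GitHub's `workflow_call` schema defines only `description` and `required` for secrets, so it is worth confirming that Gitea accepts or ignores it.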
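Review bot: In the second hunk, the new step pastes `${{ secrets.certificate-pem }}` and `${{ secrets.private-key-pem }}` directly into the `run:` script, so the runner substitutes the key material into the shell source before bash parses it. A value containing `"`, `$` or a backtick would then be interpreted by the shell, and the private key becomes part of the generated script text instead of staying in the process environment. Passing both secrets through a step-level `env:` map and expanding them as quoted shell variables avoids this. The values are also wrapped in single quotes with no check for an embedded `'`, and the private key is appended to the secrets file with whatever mode it already has, so the sketch below adds a quote check and a `chmod 600`. The context line above the hunk builds `KAMAL_REGISTRY_PASSWORD` from `inputs.password` the same way, which is outside this change but has the same weakness.

```yaml
- name: Add optional PEM secrets to .env
  env:
    CERTIFICATE_PEM: ${{ secrets.certificate-pem }}
    PRIVATE_KEY_PEM: ${{ secrets.private-key-pem }}
  run: |
    ENV_FILE=".kamal/secrets.${{ inputs.environment }}"
    # the file is about to hold a private key; restrict it to the runner user
    chmod 600 "$ENV_FILE"

    if [[ -n "$CERTIFICATE_PEM" ]]; then
      # the value is wrapped in single quotes, so it must not contain one
      [[ "$CERTIFICATE_PEM" != *"'"* ]] || { echo "certificate-pem contains a single quote" >&2; exit 1; }
      printf "\nCERTIFICATE_PEM='\n%s\n'\n" "$CERTIFICATE_PEM" >> "$ENV_FILE"
    fi

    if [[ -n "$PRIVATE_KEY_PEM" ]]; then
      [[ "$PRIVATE_KEY_PEM" != *"'"* ]] || { echo "private-key-pem contains a single quote" >&2; exit 1; }
      printf "\nPRIVATE_KEY_PEM='\n%s\n'\n" "$PRIVATE_KEY_PEM" >> "$ENV_FILE"
    fi
```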