feat(ci): ajout acme.sh TLS + routes Fabio KV :443 dans deploy

.woodpecker.yml

@@ -12,10 +12,14 @@ steps:
     environment:
       DTRACK_DOMAIN:
         from_secret: dtrack_domain
+      CONSUL_TOKEN:
+        from_secret: consul_token
     commands:
       - env | grep -E "^(DTRACK_DOMAIN)=" > .env.deploy
       # COMPOSE_PROJECT_NAME : convention user-project-branch, genere depuis les vars CI
       - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
+      # consul_token ecrit seul (depuis from_secret, sans volumes)
+      - env | grep '^CONSUL_TOKEN=' | cut -d= -f2 > .consul_token
       - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
 
   # TEST write-env : valide le contenu du .env.deploy
@@ -45,7 +49,8 @@ steps:
       - /opt/dtrack:/opt/dtrack
     commands:
       - cp .env.deploy /opt/dtrack/.env
-      - chmod 600 /opt/dtrack/.env
+      - cp .consul_token /opt/dtrack/.consul_token
+      - chmod 600 /opt/dtrack/.env /opt/dtrack/.consul_token
       - cp docker-compose.yml /opt/dtrack/docker-compose.yml
       - echo "=== config resolue ==="
       - cd /opt/dtrack && docker compose config
@@ -54,6 +59,40 @@ steps:
       - echo "=== up ==="
       - cd /opt/dtrack && docker compose up -d --remove-orphans
       - cd /opt/dtrack && docker compose ps
+      - |
+        PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/dtrack/.env | cut -d= -f2)
+        DOMAIN=$(grep '^DTRACK_DOMAIN=' /opt/dtrack/.env | cut -d= -f2)
+
+        # --- Certificat TLS (acme.sh via sonic-acme-1) ---
+        # Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
+        ACME_EXIT=0
+        docker exec sonic-acme-1 /app/acme.sh \
+          --home /etc/acme.sh \
+          --issue -d "$DOMAIN" \
+          --webroot /usr/share/nginx/html \
+          --server letsencrypt \
+          --accountemail support+acme@asycn.io || ACME_EXIT=$?
+        if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
+          echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
+          exit 1
+        fi
+        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
+        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
+        echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
+
+        # --- Routes Fabio KV (HTTP + HTTPS) ---
+        # DTrack a deux services : apiserver (/api/*) et frontend (/*)
+        CTOK=$(cat /opt/dtrack/.consul_token)
+        API_IP=$(docker inspect "$PROJECT-apiserver" --format '{{(index .NetworkSettings.Networks "sonic").IPAddress}}')
+        FRONTEND_IP=$(docker inspect "$PROJECT-frontend" --format '{{(index .NetworkSettings.Networks "sonic").IPAddress}}')
+        ROUTES=$(printf \
+          'route add %s-api %s/api/* http://%s:8080/api/\nroute add %s-api %s:443/api/* http://%s:8080/api/\nroute add %s-ui %s/* http://%s:8080/\nroute add %s-ui %s:443/* http://%s:8080/' \
+          "$PROJECT" "$DOMAIN" "$API_IP" \
+          "$PROJECT" "$DOMAIN" "$API_IP" \
+          "$PROJECT" "$DOMAIN" "$FRONTEND_IP" \
+          "$PROJECT" "$DOMAIN" "$FRONTEND_IP")
+        docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul kv put "fabio/config/$PROJECT" "$ROUTES"
+        echo "KV Fabio: fabio/config/$PROJECT -> apiserver=$API_IP frontend=$FRONTEND_IP"
 
   # TEST deploy : verifie que les conteneurs sont running
   # NOTE: pas de ${VAR} (substitue par Woodpecker) — utiliser $VAR sans accolades