# Scoped sudo for the gitea_ci deploy user on the web host (oolon). Installed by
# script/infra-setup.sh as /etc/sudoers.d/moments_web_gitea_ci and verified with
# `visudo -cf`. Used by both deploy.yml's deploy-web and refresh.yml.
# See api-host.conf for the rsync-rule convention.
#
# Review notes:
# - Every rule below grants NOPASSWD root, so the command line of each rule is
#   the entire authorization boundary: anything not spelled out literally is
#   left to the caller.
# - In sudoers a bare `*` matches any number of characters, including spaces,
#   so it spans several arguments. In the two rsync rules only the final
#   (destination) argument is pinned; the source paths and every rsync option
#   are unconstrained, and rsync has options that run a program as part of the
#   transfer (e.g. `-e`/`--rsync-path`). As written those two rules are
#   therefore close to unrestricted root for gitea_ci. Mitigation: list the
#   exact option set and source path that deploy.yml/refresh.yml invoke, or
#   point the rule at a fixed wrapper script that takes no caller-controlled
#   arguments. NOTE(review): may be the deliberate convention from
#   api-host.conf -- confirm before tightening.
# - sudoers applies last-match-wins; these command specs do not overlap, so the
#   ordering here is for readability only.
# - The file must be mode 0440 and end in a newline or sudo ignores it;
#   `visudo -cf` covers the syntax but not the mode.

# --- docroot + static site ---
# Fixed argument list: only this directory, only this mode.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/install -d -m 0755 /var/www/rob.tn
# `*` = any options and any sources; only the destination is fixed (see notes).
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /var/www/rob.tn/
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/restorecon -R /var/www/rob.tn

# --- nginx vhost ---
# Same wildcard shape as above; the target file is fixed but the rest is not.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /etc/nginx/conf.d/rob.tn.conf
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/restorecon -R /etc/nginx/conf.d/rob.tn.conf

# --- SELinux booleans/ports for the /api proxy + reload ---
# All remaining rules carry a literal, complete argument list.
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/setsebool -P httpd_can_network_connect on
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/semanage port -l
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/semanage port -a -t http_port_t -p tcp 42424
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/nginx -t
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx