Support setting owner of custom files

I follow the docs to setup https://gitlab.com/gitlab-org/gitlab-environment-toolkit/-/blob/main/docs/environment_advanced_ssl.md#internal-ssl for the connection from gitlab_rails to postgresql.

I want to use client-cert authentication, so I copy over the files with custom-files (and reference them using a custom config file gitlab_rails.rb.j2):

# client-certificate to connect to postgresql
    gitlab_rails_custom_files_paths:
      - { src_path: "{{ inventory_dir }}/../files/certificates/gitlab_rails/client-cert", dest_path: "/etc/gitlab/ssl/client.pem", mode: "0640" }
      - { src_path: "{{ inventory_dir }}/../files/certificates/gitlab_rails/client-key", dest_path: "/etc/gitlab/ssl/client-key.pem", mode: "0600" }

However when doing it like that, gitlab cannot read the certificate as it seems to expect that the user git can read the file:

2026-01-08_07:39:55.94899 /opt/gitlab/embedded/lib/ruby/gems/3.2.0/gems/pg-1.6.2-x86_64-linux/lib/pg/connection.rb:751:in `polling_loop': connection to server at "192.168.201.96", port 5432 failed: could not read certificate file "/etc/gitlab/ssl/client.pem":  (PG::ConnectionBad)

At least when I change the owner of the file manually to git, the error disappears.

So I propose to add owner and group options to all custom files tasks:

- name: Copy over any Custom Files
  copy:
    src: "{{ item.src_path }}"
    dest: "{{ item.dest_path }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
    mode: "{{ item.mode if item.mode is defined else 'preserve' }}"
  loop: "{{ gitlab_rails_custom_files_paths }}"
  tags: reconfigure

(I don't know if default('root') is the correct approach here, but I'd say yes, because the roles run with become.