service: Make secrets available in a variable

roles/service/meta/argument_specs.yaml

@@ -80,7 +80,11 @@ argument_specs:
             required: false
             default: ""
       service_container_secrets:
-        description: A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
+        description:
+          - A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
+          - >
+            A dict of secrets and their values (including autogenerated values) is available as `_service_podman_secrets` for use
+            in tepmlates or environment variables. This should only be used if the container doesn't support reading the secret from file
         type: list
         required: false
         default: []

roles/service/tasks/main.yaml

@@ -11,6 +11,10 @@
   ansible.builtin.include_tasks: database.yaml
   when: "service_database_type != 'none'"
 
+- name: Secrets for {{ service_name }}
+  ansible.builtin.include_tasks: secrets.yaml
+  when: service_container_secrets | length > 0
+
 - name: Mounts for {{ service_name }}
   ansible.builtin.include_tasks: mounts.yaml
   when: service_container_mounts | length > 0

roles/service/tasks/secrets.yaml

@@ -0,0 +1,25 @@
+---
+- name: Create secrets
+  ansible.builtin.include_role:
+    name: container
+    tasks_from: secrets.yaml
+    rolespec_validate: false # FIXME make proper validation possible
+  vars:
+    container_name: "{{ service_name }}"
+    container_secrets: "{{ _service_container_secrets }}"
+
+- name: Gather secrets information
+  containers.podman.podman_secret_info:
+    showsecret: true
+  register: _service_podman_secret_info
+  no_log: true
+
+- name: Store secrets in a variable for later
+  ansible.builtin.set_fact:
+    _service_podman_secrets: >
+      {{ _service_podman_secret_info.secrets
+        | map(attribute='Spec.Name')
+        | zip(_service_podman_secret_info.secrets | map(attribute='SecretData'))
+        | community.general.dict 
+    }}
+  no_log: true