From 7d8b1cb258c3e0f99082a3e630f8d1cbf5766be3 Mon Sep 17 00:00:00 2001 From: uumas Date: Tue, 17 Jun 2025 09:08:59 +0300 Subject: [PATCH] container: Add support for specifying secret type (untested) --- roles/container/meta/argument_specs.yaml | 9 ++++++++- roles/container/tasks/main.yaml | 2 +- roles/container/vars/main.yaml | 12 ++++++++++++ roles/service/meta/argument_specs.yaml | 7 +++++++ 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/roles/container/meta/argument_specs.yaml b/roles/container/meta/argument_specs.yaml index 3c983af..a902c58 100644 --- a/roles/container/meta/argument_specs.yaml +++ b/roles/container/meta/argument_specs.yaml @@ -114,7 +114,14 @@ argument_specs: description: Length of randomly generated string type: int required: false - defalut: 128 + default: 128 + type: + description: How the secret will be exposed to the container + type: str + choices: + - mount + - env + default: mount container_env: description: A dict of environment variables for the container diff --git a/roles/container/tasks/main.yaml b/roles/container/tasks/main.yaml index 8e98cc9..76fb6af 100644 --- a/roles/container/tasks/main.yaml +++ b/roles/container/tasks/main.yaml @@ -44,7 +44,7 @@ mount: "{{ _container_mounts | map('items') | map('map', 'join', '=') | map('join', ',') }}" network: "{{ container_networks | map('regex_replace', '$', '.network') }}" publish: "{{ container_publish_ports }}" - secrets: "{{ container_secrets | map(attribute='name') }}" + secrets: "{{ _container_secrets }}" env: "{{ container_env.keys() | zip(container_env.values() | map('quote')) | community.general.dict }}" state: quadlet quadlet_file_mode: "0600" diff --git a/roles/container/vars/main.yaml b/roles/container/vars/main.yaml index 6612be4..e8c9754 100644 --- a/roles/container/vars/main.yaml +++ b/roles/container/vars/main.yaml 
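Review bot: The new `type` suboption in roles/container/meta/argument_specs.yaml does not say what each choice means for how the secret is exposed, and the same wording is repeated in the roles/service/meta/argument_specs.yaml hunk. With `env`, Podman puts the secret value in the container's environment, where every process in the container can read it and child processes inherit it, while `mount` delivers it as a file under /run/secrets. I would extend the description in both files to something like `description: How the secret is exposed to the container. mount places it in a file under /run/secrets/<name>; env sets it as an environment variable named after the secret, readable by every process in the container.` The sibling `length` option spells out `required: false`, so adding `required: false` to `type` keeps the spec consistent. The enclosing option list starts outside the hunk.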
@@ -22,6 +22,18 @@ _container_mounts: >- | zip(_container_volume_mount_sources) | map('combine') }} +_container_secrets: >- + {{ + container_secrets + | map(attribute='name') + | zip( + container_secrets + | map(attribute='type', default='mount') + | map('regex_replace', '^', 'type=') + ) + | map('join', ',') + }} + _container_quadlet_unit_options: | [Unit] Description=Container {{ container_name }} diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml index f926a16..733632a 100644 --- a/roles/service/meta/argument_specs.yaml +++ b/roles/service/meta/argument_specs.yaml @@ -138,6 +138,13 @@ argument_specs: type: int required: false default: 128 + type: + description: How the secret will be exposed to the container + type: str + choices: + - mount + - env + default: mount service_container_env: description: A dict of environment variables for the service container(s) type: dict
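Review bot: In `_container_secrets`, each `name` is joined to `type=...` with a comma and nothing in this hunk checks the name first, so a name containing a comma would be read by Podman as additional secret options such as a second `type=` or a `target=`. Whether `name` is constrained elsewhere is not visible in this patch; if it is not, an assert before templating that every name matches something like `^[A-Za-z0-9_.-]+$` would close that gap. For `type=env` the entry carries no `target=`, so the variable name defaults to the secret name, which is worth stating in the role documentation. The fallback `default='mount'` repeats the default from both argument specs, and a comment such as `# fallback must match the 'type' default in meta/argument_specs.yaml` would keep them in step. As the commit is marked untested, rendering one mount and one env secret and checking the generated `Secret=` lines would confirm the format.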