From aa9eabf19c6d86468ceb880fb3d3912050dc12d1 Mon Sep 17 00:00:00 2001
From: uumas
Date: Thu, 26 Jun 2025 12:04:42 +0300
Subject: [PATCH] service: Actually do something with service_additional_containers
---
 roles/service/meta/argument_specs.yaml | 49 +++++++++++++++++++++++++-
 roles/service/tasks/additional.yaml | 20 +++++++++++
 roles/service/tasks/main.yaml | 6 +++-
 roles/service/vars/main.yaml | 31 ++++++++++++++--
 4 files changed, 101 insertions(+), 5 deletions(-)
 create mode 100644 roles/service/tasks/additional.yaml
diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml
index 37f8a31..db9970d 100644
--- a/roles/service/meta/argument_specs.yaml
+++ b/roles/service/meta/argument_specs.yaml
@@ -192,7 +192,7 @@ argument_specs:
 service_additional_containers:
 description:
- - List of additional containers for the sercice.
+ - List of additional containers for the service.
 - >
 Will inherit most options from main service container, except for
 publish_ports. All options can be overridden per-container.
@@ -259,6 +259,53 @@ argument_specs:
 type: dict
 required: false
 default: {}
+ secrets:
+ description:
+ - >
+ A list of secrets available to the service container as file or environment
+ variable
+ - >
+ A dict of secrets and their values (including autogenerated values) is available as
+ `service_podman_secrets` for use in templates. This should only be used if the
+ container doesn't support reading the secret from file or environment variable.
+ type: list
+ required: false
+ default: []
+ elements: dict
+ options:
+ name:
+ description: Name of the secret
+ type: str
+ required: true
+ value:
+ description:
+ - >
+ Value of the secret. Defaults to a 128-character random string containing
+ alphanumeric characters.
+ - >
+ If the value is not explicitly set, it will not be changed if the secret
+ already exists.
+ type: str
+ required: false
+ length:
+ description: Length of randomly generated string
+ type: int
+ required: false
+ default: 128
+ type:
+ description: How the secret will be exposed to the container
+ type: str
+ choices:
+ - mount
+ - env
+ default: mount
+ target:
+ description: >
+ Where the secret will be available inside the container. If type is mount, this is
+ either a full file path or a filename under /run/secrets. If type is env, this is
+ the name of the environment variable. Defaults to secret name.
+ type: str
+ required: false
 service_requires:
 description: List of systemd units this service container depends on.
diff --git a/roles/service/tasks/additional.yaml b/roles/service/tasks/additional.yaml
new file mode 100644
index 0000000..2a9703f
--- /dev/null
+++ b/roles/service/tasks/additional.yaml
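Review bot: The `value` option under `secrets` carries a secret but the spec does not mark it `no_log: true`, so a failed argument validation for `service_additional_containers` can echo the configured value into task output; add `no_log: true` beneath `value:` and keep it in line with whatever the top-level container secrets spec does (that spec is outside this hunk). The first description line, "A list of secrets available to the service container", sits inside the per-additional-container options, so "available to this container" would say what the option actually controls. The `type:` option name is valid but shadows the spec keyword of the same name, which is worth a short comment so the nesting reads unambiguously.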
@@ -0,0 +1,20 @@
+---
+- name: Additional container {{ container ~ ' for ' ~ service_name }}
+  ansible.builtin.include_role:
+ name: container
+ vars:
+ container_name: "{{ container.name }}"
+ container_image: "{{ container.image | default(service_container_image) }}"
+ container_image_creds: "{{ service_container_image_creds }}"
+ container_user: "{{ service_container_user }}"
+ container_mounts: "{{ container.mounts | default(_service_container_mounts) }}"
+ container_publish_ports: "{{ container.publish_ports | default([]) }}"
+ container_networks: "{{ _service_container_networks }}"
+ container_secrets: "{{ container.secrets | default(_service_container_secrets) }}"
+ container_env: "{{ container.env | default(service_container_env) }}"
+ container_requires: "{{ _service_container_requires }}"
+ container_wants: "{{ service_wants }}"
+ container_auto_update: "{{ service_auto_update }}"
+ loop: "{{ _service_additional_containers }}"
+ loop_control:
+ loop_var: container
diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml
index 5aa269d..372a854 100644
--- a/roles/service/tasks/main.yaml
+++ b/roles/service/tasks/main.yaml
@@ -18,6 +18,10 @@
 ansible.builtin.include_tasks: mounts.yaml
 when: service_container_mounts | length > 0
+- name: Additional containers for {{ service_name }}
+ ansible.builtin.include_tasks: additional.yaml
+ when: _service_additional_containers | length > 0
+
 - name: Main container for {{ service_name }}
 ansible.builtin.import_role:
 name: container
@@ -28,7 +32,7 @@
 container_user: "{{ service_container_user }}"
 container_mounts: "{{ _service_container_mounts }}"
 container_publish_ports: "{{ service_container_publish_ports }}"
- container_networks: "{{ [service_name] + service_container_additional_networks }}"
+ container_networks: "{{ _service_container_networks }}"
 container_secrets: "{{ _service_container_secrets }}"
 container_env: "{{ service_container_env }}"
 container_requires: "{{ _service_container_requires }}"
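Review bot: The task name `Additional container {{ container ~ ' for ' ~ service_name }}` stringifies the whole `container` dict, so every iteration's header (and, with no `loop_control.label`, the default item label) prints each key of the entry, including any inline `secrets` values a user set; use `container.name ~ ' for ' ~ service_name` and add `label: "{{ container.name }}"` under `loop_control`. Separately, `container_secrets` falls back to `_service_container_secrets`, which per the vars change in this commit includes the database secret entry, so every additional container receives the database credentials unless it sets `secrets` explicitly; that matches the "inherits most options" wording in the spec, but it is worth stating there, or defaulting to `[]` so sharing is opt-in. The same fallback applies to `container_env`, which may also carry credentials.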
diff --git a/roles/service/vars/main.yaml b/roles/service/vars/main.yaml
index 4959147..844cb03 100644
--- a/roles/service/vars/main.yaml
+++ b/roles/service/vars/main.yaml
@@ -5,7 +5,9 @@ _service_host_directory: "/srv/{{ service_name }}"
 _service_setup_database: "{{ service_database_type != 'none' }}"
 _service_database_name: "{{ service_name }}-{{ service_database_type }}"
-_service_container_secrets: >
+_service_container_networks: "{{ [service_name] + service_container_additional_networks }}"
+
+_service_container_secrets: >-
 {{
 service_container_secrets
 | map(attribute='name')
@@ -21,8 +23,31 @@ _service_container_secrets: >
 + ([{'name': _service_database_name, 'target': service_database_type }] if _service_setup_database else [])
 }}
-_service_container_requires: "{{ service_requires + ([_service_database_name + '.service'] if _service_setup_database else []) }}"
-_service_container_wants: "{{ service_wants + ([service_name + '-socat.socket'] if service_domains | length > 0 else []) }}"
+_service_additional_containers: >-
+ {{
+ service_additional_containers
+ | zip(
+ service_additional_containers
+ | map(attribute='name')
+ | map('regex_replace', '^', service_name ~ '-')
+ | map('community.general.dict_kv', 'name')
+ )
+ | map('combine')
+ }}
+
+_service_container_requires: >-
+ {{
+ service_requires
+ + ([_service_database_name + '.service'] if _service_setup_database else [])
+ }}
+_service_container_wants: >-
+ {{
+ service_wants
+ + ([service_name + '-socat.socket'] if service_domains | length > 0 else [])
+ + _service_additional_containers
+ | map(attribute='name')
+ | map('regex_replace', '$', '.service')
+ }}
 _service_replacement_host_header:
 Host: "{{ service_name }}:{{ service_container_http_port }}"
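Review bot: In `_service_container_wants` the filter chain binds tighter than `+`, so the expression adds a list to the generator returned by `map('regex_replace', '$', '.service')`; Python's list `+` rejects a generator, so evaluating this variable would raise a templating type error unless the chain is materialised first. Parenthesise and terminate it: `+ (_service_additional_containers | map(attribute='name') | map('regex_replace', '$', '.service') | list)`. `_service_additional_containers` itself ends in `map('combine')` and so also yields a generator; whether `| length` in main.yaml and the `loop` in additional.yaml accept it depends on how the ansible-core version in use unrolls a template result, so an explicit trailing `| list` there is safer as well. `community.general.dict_kv` pulls in the community.general collection, which should be declared in the role's collection requirements (not visible on this page).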