service: Support setting container secrets

roles/service/defaults/main.yaml

@@ -4,6 +4,7 @@ service_domains: []
 service_container_user: ""
 service_container_publish_ports: []
 service_container_mounts: []
+service_container_secrets: []
 service_container_env: {}
 
 service_database_type: none

roles/service/meta/argument_specs.yaml

@@ -66,6 +66,23 @@ argument_specs:
             type: bool
             required: false
             default: false
+      service_container_secrets:
+        description: A list of secrets available to the service container in /run/secrets/<service name>-<secret name>
+        type: list
+        required: false
+        default: []
+        elements: dict
+        options:
+          name:
+            description: Name of the secret
+            type: str
+            required: true
+          value:
+            description:
+              - Value of the secret. Defaults to a 128-character random string containing alphanumeric characters.
+              - If the value is not explicitly set, it will not be changed if the secret already exists.
+            type: str
+            required: false
       service_container_env:
         description: A dict of environment variables for the service container(s)
         type: dict

roles/service/tasks/main.yaml

@@ -6,6 +6,15 @@
   ansible.builtin.set_fact:
     _service_container_mounts: []
     _service_container_requires: "{{ service_requires }}"
+    _service_container_secrets: []
+
+- name: Secrets definition for {{ service_name }}
+  ansible.builtin.set_fact:
+    _service_container_secrets: "{{ _service_container_secrets + [secret | combine({'name': service_name ~ '-' ~ secret.name})] }}"
+  no_log: true
+  loop: "{{ service_container_secrets }}"
+  loop_control:
+    loop_var: secret
 
 - name: Databse for {{ service_name }}
   ansible.builtin.include_tasks: database.yaml
@@ -26,6 +35,7 @@
     container_publish_ports: "{{ service_container_publish_ports }}"
     container_networks:
       - "{{ service_name }}"
+    container_secrets: "{{ _service_container_secrets }}"
     container_env: "{{ service_container_env }}"
     container_requires: "{{ _service_container_requires }}"
     container_wants: "{{ [service_name + '-socat.socket'] if service_domains | length > 0 else [] }}"