From 4574dbf4ba9ec144253625f67eeffdd86659ac51 Mon Sep 17 00:00:00 2001
From: June
Date: Sat, 23 May 2026 22:40:17 +0200
Subject: [PATCH] secrets(role): introduce secrets role for storing secrets

Allows storage of secrets to then be referenced in other places. The motivation was storing WireGuard secrets for systemd-networkd.
---
 inventories/chaosknoten/hosts.yaml | 2 +
 inventories/external/hosts.yaml | 2 +
 inventories/z9/hosts.yaml | 2 +
 playbooks/deploy.yaml | 7 ++++
 roles/secrets/README.md | 24 ++++++++++++
 roles/secrets/defaults/main.yaml | 1 +
 roles/secrets/meta/argument_specs.yaml | 6 +++
 roles/secrets/tasks/main.yaml | 53 ++++++++++++++++++++++++++
 8 files changed, 97 insertions(+)
 create mode 100644 roles/secrets/README.md
 create mode 100644 roles/secrets/defaults/main.yaml
 create mode 100644 roles/secrets/meta/argument_specs.yaml
 create mode 100644 roles/secrets/tasks/main.yaml
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index c737f34..1c3f84e 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -291,3 +291,5 @@ msmtp_hosts:
 renovate_hosts:
 hosts:
 renovate:
+secrets_hosts:
+ hosts:
diff --git a/inventories/external/hosts.yaml b/inventories/external/hosts.yaml
index 435a9bf..5d0f9d4 100644
--- a/inventories/external/hosts.yaml
+++ b/inventories/external/hosts.yaml
@@ -22,3 +22,5 @@ infrastructure_authorized_keys_hosts:
 ansible_pull_hosts:
 hosts:
 status:
+secrets_hosts:
+ hosts:
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 1b37c59..eab3880 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -57,3 +57,5 @@ ansible_pull_hosts:
 light:
 waybackproxy:
 yate:
+secrets_hosts:
+ hosts:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index ad866cc..b7ce104 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -6,6 +6,13 @@
 tags:
 - base_config
 
+- name: Ensure secrets deployment on secrets_hosts
+ hosts: secrets_hosts
+ roles:
+ - secrets
+ tags:
+ - secrets
+
 - name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
 hosts: systemd_networkd_hosts
 roles:
diff --git a/roles/secrets/README.md b/roles/secrets/README.md
new file mode 100644
index 0000000..ec04665
--- /dev/null
+++ b/roles/secrets/README.md
@@ -0,0 +1,24 @@
+# Role `secrets`
+
+Allows storing the given secret contents in the configured files.
+
+## Supported Distributions
+
+Should work on Debian-based distributions.
+
+## Required Arguments
+
+None.
+
+## Optional Arguments
+
+- `secrets__secrets`: List of secrets.
+ Defaults to the empty list (`[ ]`).
+- `secrets__secrets.*.name`: (File)name for the secret (in the `/etc/ansible_secrets` directory).
+- `secrets__secrets.*.content`: The secret content to store.
+- `secrets__secrets.*.owner`: The owner of the secret file.
+ Defaults to `root`.
+- `secrets__secrets.*.group`: The group of the secret file.
+ Defaults to `root`.
+- `secrets__secrets.*.mode`: The mode of the secret file.
+ Defaults to `0640`.
diff --git a/roles/secrets/defaults/main.yaml b/roles/secrets/defaults/main.yaml
new file mode 100644
index 0000000..882d77b
--- /dev/null
+++ b/roles/secrets/defaults/main.yaml
@@ -0,0 +1 @@
+secrets__secrets: [ ]
diff --git a/roles/secrets/meta/argument_specs.yaml b/roles/secrets/meta/argument_specs.yaml
new file mode 100644
index 0000000..2562138
--- /dev/null
+++ b/roles/secrets/meta/argument_specs.yaml
@@ -0,0 +1,6 @@
+argument_specs:
+ main:
+ options:
+ secrets__secrets:
+ type: list
+ required: false
diff --git a/roles/secrets/tasks/main.yaml b/roles/secrets/tasks/main.yaml
new file mode 100644
index 0000000..8923397
--- /dev/null
+++ b/roles/secrets/tasks/main.yaml
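Review bot: In `roles/secrets/meta/argument_specs.yaml` the `secrets__secrets` option is declared `type: list` with no `elements: dict`, so a list of plain strings passes the role-level spec and the mistake is only reported per item by the `validate secret configs` task. Adding `elements: dict` under `type: list` rejects the malformed value before any looping starts, and a short `description` on the option would let `ansible-doc` surface the per-item keys that the README currently documents alone.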
@@ -0,0 +1,53 @@
+- name: validate secret configs
+ ansible.builtin.validate_argument_spec:
+ argument_spec: "{{ required_data }}"
+ provided_arguments:
+ config: "{{ item }}"
+ loop: "{{ secrets__secrets }}"
+ loop_control:
+ label: "{{ item.name }}"
+ vars:
+ required_data:
+ config:
+ type: dict
+ required: true
+ options:
+ name:
+ type: str
+ required: true
+ content:
+ type: str
+ required: true
+ owner:
+ type: str
+ required: false
+ default: root
+ group:
+ type: str
+ required: false
+ default: root
+ mode:
+ type: str
+ required: false
+ default: "0640"
+
+- name: ensure secrets directory exists
+ ansible.builtin.file:
+ path: "/etc/ansible_secrets"
+ state: directory
+ owner: root
+ group: root
+ mode: "0750"
+ become: true
+
+- name: ensure secrets are present
+ ansible.builtin.copy:
+ content: "{{ item.content }}"
+ dest: "/etc/ansible_secrets/{{ item.name }}"
+ mode: "{{ item.mode | default('0640') }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ item.group | default('root') }}"
+ become: true
+ loop: "{{ secrets__secrets }}"
+ loop_control:
+ label: "{{ item.name }}"
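Review bot: Neither `validate secret configs` nor `ensure secrets are present` sets `no_log: true`, so the secret `content` can reach the console and log files: the validation task passes the whole item as `provided_arguments` (and a failed spec check echoes the provided values), and the copy task emits the content in `--diff` mode and at higher verbosity. `loop_control.label` only shortens the per-item banner; it does not cover those paths. Add `no_log: true` to both tasks (a failed validation then still names the item through the label). Separately, `/etc/ansible_secrets` is created `0750` `root:root` while individual files may be given a non-root `owner`/`group`, which is the WireGuard/systemd-networkd use case named in the commit message; a consumer running as that user cannot traverse the directory, so either widen the directory mode (the files keep their own `0640`) or document that the files are only reachable by root.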