secrets(role): introduce secrets role for storing secrets

Allows storage of secrets to then be referenced in other places.
The motivation was storing WireGuard secrets for systemd-networkd.

roles/secrets/tasks/main.yaml

@@ -0,0 +1,53 @@
+- name: validate secret configs
+  ansible.builtin.validate_argument_spec:
+    argument_spec: "{{ required_data }}"
+    provided_arguments:
+      config: "{{ item }}"
+  loop: "{{ secrets__secrets }}"
+  loop_control:
+    label: "{{ item.name }}"
+  vars:
+    required_data:
+      config:
+        type: dict
+        required: true
+        options:
+          name:
+            type: str
+            required: true
+          content:
+            type: str
+            required: true
+          owner:
+            type: str
+            required: false
+            default: root
+          group:
+            type: str
+            required: false
+            default: root
+          mode:
+            type: str
+            required: false
+            default: "0640"
+
+- name: ensure secrets directory exists
+  ansible.builtin.file:
+    path: "/etc/ansible_secrets"
+    state: directory
+    owner: root
+    group: root
+    mode: "0750"
+  become: true
+
+- name: ensure secrets are present
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: "/etc/ansible_secrets/{{ item.name }}"
+    mode: "{{ item.mode | default('0640') }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+  become: true
+  loop: "{{ secrets__secrets }}"
+  loop_control:
+    label: "{{ item.name }}"