Provide secrets for keycloak VM from pass

ansible.cfg

@@ -1,2 +1,5 @@
 [defaults]
 inventory = ./inventories/z9/hosts.yaml
+
+[passwordstore_lookup]
+backend = pass

inventories/z9/host_vars/keycloak.yaml

@@ -1,4 +1,4 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.file', 'configs/keycloak/compose.yaml') }}"
+docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'configs/keycloak/compose.yaml.j2') }}"
 docker_compose__configuration_files: [ ]
 
 cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz

playbooks/templates/configs/keycloak/compose.yaml.j2

@@ -46,11 +46,11 @@ services:
       - keycloak
     environment:
       KEYCLOAK_ADMIN: admin
-      # KEYCLOAK_ADMIN_PASSWORD: in secrets file
+      KEYCLOAK_ADMIN_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/KEYCLOAK_ADMIN_PASSWORD", create=false, missing="error") }}
       KC_DB: postgres
       KC_DB_URL_HOST: db
       KC_DB_USERNAME: keycloak
-      # KC_DB_PASSWORD: in secrets file
+      KC_DB_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/KC_DB_PASSWORD", create=false, missing="error") }}
       KC_HOSTNAME: id.ccchh.net
       KC_HOSTNAME_STRICT_BACKCHANNEL: true
       KC_HOSTNAME_ADMIN: keycloak-admin.ccchh.net
@@ -69,7 +69,7 @@ services:
       - "./database:/var/lib/postgresql/data"
     environment:
       POSTGRES_USER: keycloak
-      # POSTGRES_PASSWORD: in secrets file
+      POSTGRES_PASSWORD: {{ lookup("community.general.passwordstore", "vm-secrets/keycloak/POSTGRES_PASSWORD", create=false, missing="error") }}
       POSTGRES_DB: keycloak
     env_file:
       - db_secrets.env  # Must be managed by the admin manually. Not managed by Ansible.