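# Validates every entry of secrets__secrets, then writes each one as a file
# under /etc/ansible_secrets.

# Fails early when an entry is missing a required key. Each entry is wrapped
# as `config` so the spec can describe it as one dict with nested options.
# Validation does not modify `item`, so the owner/group/mode defaults declared
# here are repeated with `default()` in the copy task below.
- name: validate secret configs
  ansible.builtin.validate_argument_spec:
    argument_spec: "{{ required_data }}"
    provided_arguments:
      config: "{{ item }}"
  loop: "{{ secrets__secrets }}"
  loop_control:
    # item carries the secret content; labelling by name keeps the per-item
    # output line from printing the whole dict.
    label: "{{ item.name }}"
  vars:
    required_data:
      config:
        type: dict
        required: true
        options:
          name:
            type: str
            required: true
          content:
            type: str
            required: true
          owner:
            type: str
            required: false
            default: root
          group:
            type: str
            required: false
            default: root
          mode:
            type: str
            required: false
            # Quoted so the mode stays a string and is not read as a number.
            default: "0640"

# NOTE(review): with the directory at root:root 0750, a secret given a
# non-root owner/group may not be reachable by that user. Confirm this is
# intended.
- name: ensure secrets directory exists
  ansible.builtin.file:
    path: "/etc/ansible_secrets"
    state: directory
    owner: root
    group: root
    mode: "0750"
  become: true

# NOTE(review): item.name is interpolated into the destination path and the
# spec above only checks that it is a string. Confirm callers never supply a
# name containing a path separator.
- name: ensure secrets are present
  ansible.builtin.copy:
    content: "{{ item.content }}"
    dest: "/etc/ansible_secrets/{{ item.name }}"
    mode: "{{ item.mode | default('0640') }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
  become: true
  # Keeps the secret content out of task results, verbose output and --diff.
  # The label alone only shortens the per-item line. Trade-off: failure
  # details for this task are hidden as well.
  no_log: true
  loop: "{{ secrets__secrets }}"
  loop_control:
    label: "{{ item.name }}"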