mount secrets subfolder as read-only volume to protect them

Signed-off-by: Jakub Sokołowski <jakub@status.im>

defaults/main.yml

@@ -11,6 +11,9 @@ beacon_node_cont_vol: '/docker/{{ beacon_node_cont_name }}'
 beacon_node_cont_entrypoint: '/usr/local/bin/nimbus_beacon_node'
 beacon_node_cont_update_enabled: true
 
+# Subfolders for separate read-only mounting
+beacon_node_secrets_path: '{{ beacon_node_cont_vol }}/data/{{ beacon_node_data_folder }}/secrets'
+
 # connectivity settings
 beacon_node_discovery_port: 9000
 beacon_node_listening_port: 9000

tasks/compose.yml

@@ -6,6 +6,9 @@
     owner: dockremap
     group: docker
     mode: 0750
+  with_items:
+    - '{{ beacon_node_cont_vol }}/data'
+    - '{{ beacon_node_secrets_path }}'
 
 - name: Verify network name
   assert:
@@ -31,6 +34,9 @@
             - '{{ beacon_node_listening_port }}:{{ beacon_node_listening_port }}/tcp'
             - '{{ beacon_node_discovery_port }}:{{ beacon_node_discovery_port }}/udp'
           entrypoint: '{{ beacon_node_cont_entrypoint }}'
+          volumes:
+            - '{{ beacon_node_cont_vol }}/data:/data'
+            - '{{ beacon_node_secrets_path }}:/data/{{ beacon_node_data_folder }}/secrets:ro'
           command: >-
             --network={{ beacon_node_network }}
             --data-dir='/data/{{ beacon_node_data_folder }}'
@@ -47,5 +53,3 @@
             --metrics
             --metrics-address=0.0.0.0
             --metrics-port={{ beacon_node_metrics_port }}
-          volumes:
-            - '{{ beacon_node_cont_vol }}/data:/data'