add support for docker compose secrets

[KiaraGrouwstra]

enables using docker compose secrets from arion, which includes:

• top-level secrets element defining the secrets to be used
  for the below two use-cases,
  exposing them at /run/secrets/<secret_name>.
  comes in flavors file vs environment.
• run-time: services top-level secrets element
• build time: build secrets (supported in docker compose tho not docker stack, to be mounted in the Dockerfile like
  RUN --mount=type=secret,id=<secret_name> ...)

unlike #52, i did not so far add support for their long syntax, which despite the confusing documentation appears
limited to Docker Swarm, in my understanding currently limiting its use in Arion.

[KiaraGrouwstra]

to make the support for build secrets in the compose file more useful, i'm still trying to figure out how to pass those secret mounts to dockerTools' build steps. those are confusing me a bit right now, as generated images seem to just have a single step (Cmd running an init).
if anyone here would have more of an idea on that, i'd be grateful.

edit: i'm now under the impression the actual nixos config is realized at run-time, meaning for nixos containers we would not currently be able to utilize build secrets' limited secret exposure

edit 2: i think we could set service.image.rawConfig.Run = ["--mount=type=secret,id=foo nixos-rebuild switch"];, but even if that would work (which i'm not confident of), setting service.build.secrets with this PR seems to trigger an arion build error:

failed to solve: failed to read dockerfile: open /home/kiara/.local/share/docker/tmp/buildkit-mount3337376318/Dockerfile: no such file or directory

[KiaraGrouwstra]

given docker stack/swarm seems to support e.g. secrets' long-syntax (configure secret permissions/ownership) and external secrets i wonder, how have considerations been toward supporting that?

[aacebedo]

Is this stil under work? It would be extremely useful.

[KiaraGrouwstra]

@aacebedo i had not worked on this further, no