# vim: set filetype=yaml.ansible :
---
# Registers HashiCorp Vault with the host's package lists and, on Alpine,
# provisions its service account, OpenRC script and base configuration.
# The outer block is guarded by `vault_configured` and the last task sets
# that fact, so the whole sequence runs at most once per play.
- name: Add vault
  when:
    - vault_configured is undefined
  block:
    # Provides the `vault` variable (keys `method` and `pkgs` are used below).
    - name: Load vault config
      ansible.builtin.include_tasks:
        file: config/vault.yml

    # Package-manager install path: extend the platform package list and
    # notify the handler that configures the hashicorp repository.
    - name: Append vault
      when:
        - vault.method == 'sys'
      block:
        - name: Append vault to pkg_tap
          when:
            - ansible_system == 'Darwin'
          ansible.builtin.set_fact:
            pkg_tap: "{{ pkg_tap + vault.pkgs }}"
          # set_fact does not report a change by itself; force one so the
          # handler is notified.
          changed_when: true
          notify:
            - Depend hashicorp repo

        - name: Append vault to pkg_sys
          when:
            - ansible_system == 'Linux'
          ansible.builtin.set_fact:
            pkg_sys: "{{ pkg_sys + vault.pkgs }}"
          # Same reason as above: make the task register as changed.
          changed_when: true
          notify:
            - Depend hashicorp repo

    # Archive install path; mutually exclusive with the 'sys' block above.
    # NOTE(review): nesting recovered from a collapsed source — confirm this
    # task sits beside, not inside, the `vault.method == 'sys'` block.
    - name: Append vault to pkg_archive
      when:
        - vault.method == 'archive'
      ansible.builtin.set_fact:
        pkg_archive: "{{ pkg_archive + ['vault'] }}"

    # Alpine has no vault package post-install hook, so the service account
    # and init script are created here.
    - name: Create group for vault
      when:
        - ansible_os_family == 'Alpine'
      become: true
      ansible.builtin.group:
        name: vault
        state: present
        system: true

    - name: Create user for vault
      when:
        - ansible_os_family == 'Alpine'
      become: true
      ansible.builtin.user:
        name: vault
        group: vault
        comment: hashicorp vault user
        home: /var/lib/vault
        system: true
        state: present
        # NOTE(review): this writes an unencrypted private key under the
        # service account's home — confirm a consumer for it exists;
        # otherwise drop the key generation.
        generate_ssh_key: true
        ssh_key_type: ed25519
        ssh_key_file: .ssh/id_ed25519

    - name: Install vault openrc script
      when:
        - ansible_os_family == 'Alpine'
      become: true
      ansible.builtin.copy:
        src: vault/Alpine/openrc
        dest: /etc/init.d/vault
        owner: root
        group: root
        mode: '0755'
        backup: false

    - name: Ensure /etc/vault exists
      become: true
      ansible.builtin.file:
        path: /etc/vault
        state: directory
        owner: root
        group: root
        mode: '0755'

    # NOTE(review): 0644 leaves the rendered config world-readable — confirm
    # the template carries no storage or TLS credentials; if it does,
    # tighten the mode and group it to the service account.
    - name: Install vault basic config.hcl
      become: true
      ansible.builtin.template:
        src: vault/config.hcl.j2
        dest: /etc/vault/config.hcl
        owner: root
        group: root
        mode: '0644'

    # Marks the block as done so re-running the play skips it.
    - name: Set vault_configured
      ansible.builtin.set_fact:
        vault_configured: true