ansible_role_package/tasks/pkgs/vault.yml

# vim: set filetype=yaml.ansible :
---
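- name: Add vault
  # Guarded so the file is effectively run once per play: the last task sets
  # vault_configured, which makes any later include of this file a no-op.
  when:
    - vault_configured is undefined
  block:
    - name: Load vault config
      ansible.builtin.include_tasks:
        file: config/vault.yml

    # method == 'sys': install through the OS package manager (Linux) or the
    # brew tap (Darwin), and pull in the HashiCorp repo via the handler.
    - name: Append vault
      when:
        - vault.method == 'sys'
      block:
        - name: Append vault to pkg_tap
          when:
            - ansible_system == 'Darwin'
          notify:
            - Depend hashicorp repo
          # set_fact never reports "changed" by itself, so force it or the
          # handler above is never queued.
          changed_when: true
          ansible.builtin.set_fact:
            pkg_tap: "{{ pkg_tap + vault.pkgs }}"

        - name: Append vault to pkg_sys
          when:
            - ansible_system == 'Linux'
          notify:
            - Depend hashicorp repo
          changed_when: true
          ansible.builtin.set_fact:
            pkg_sys: "{{ pkg_sys + vault.pkgs }}"

    # method == 'archive': the binary comes from a release archive; only the
    # package name is queued here, the download happens elsewhere.
    - name: Append vault to pkg_archive
      when:
        - vault.method == 'archive'
      ansible.builtin.set_fact:
        pkg_archive: "{{ pkg_archive + ['vault'] }}"

    # On Alpine nothing else in this file creates the service account, so the
    # group, user and init script are managed here.
    - name: Create group for vault
      become: true
      when:
        - ansible_os_family == 'Alpine'
      ansible.builtin.group:
        name: vault
        system: true
        state: present

    - name: Create user for vault
      become: true
      when:
        - ansible_os_family == 'Alpine'
      ansible.builtin.user:
        comment: hashicorp vault user
        home: /var/lib/vault
        name: vault
        group: vault
        # Daemon account: no interactive login (busybox ships /sbin/nologin).
        shell: /sbin/nologin
        # NOTE(review): this writes a private key to /var/lib/vault/.ssh for a
        # service account, and nothing in this file consumes it. Drop the three
        # ssh_key* settings unless another part of the role relies on the key.
        generate_ssh_key: true
        ssh_key_file: .ssh/id_ed25519
        ssh_key_type: ed25519
        state: present
        system: true

    - name: Install vault openrc script
      become: true
      when:
        - ansible_os_family == 'Alpine'
      ansible.builtin.copy:
        backup: false
        dest: /etc/init.d/vault
        owner: root
        group: root
        # Init script only: root-owned, executable, nothing secret inside.
        mode: '0755'
        src: vault/Alpine/openrc

    - name: Ensure /etc/vault exists
      become: true
      ansible.builtin.file:
        state: directory
        path: /etc/vault
        owner: root
        group: root
        # 0755 so the (non-root) vault service can traverse into the directory.
        mode: '0755'
      # NOTE(review): macOS has no `root` group (gid 0 is `wheel`), so with
      # become this task presumably fails on the Darwin hosts handled above —
      # confirm whether Darwin hosts are expected to reach this point.

    - name: Install vault basic config.hcl
      become: true
      ansible.builtin.template:
        src: vault/config.hcl.j2
        dest: /etc/vault/config.hcl
        # Vault configs routinely carry storage/seal credentials and TLS key
        # paths; keep the file readable by root and the vault service group
        # only, not by every local account (previously 0644 root:root).
        # Assumes a `vault` group exists: created above on Alpine, and
        # presumably by the HashiCorp package for the 'sys' method on other
        # Linux distros — confirm for 'archive' installs on non-Alpine hosts.
        mode: '0640'
        owner: root
        group: vault

    - name: Set vault_configured
      ansible.builtin.set_fact:
        vault_configured: true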