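---
# Deploy HashiCorp Vault as a podman (Quadlet) systemd unit, then — when
# vault_auto_unseal is set and key shares are supplied — wait for the API to
# answer and unseal it.
#
# Defined elsewhere in the role: handlers __vault_restart / __vault_reload and
# the vars vault_network, vault_volumes, vault_config_volume, vault_url,
# __vault_health_path, vault_auto_unseal, vault_unseal_keys.

- block:
    - name: Create network specs
      template:
        src: etc/containers/systemd/vault.network.j2
        dest: /etc/containers/systemd/vault.network
        owner: root
        group: root
        mode: "0640"
      when: vault_network | splitext | last == ".network"
      notify: __vault_restart

    - name: Create container volumes
      containers.podman.podman_volume:
        name: "{{ item.name }}"
        options: "{{ item.options | default(omit) }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ vault_volumes }}"
      loop_control:
        label: "{{ item.name }}"
      when: item.type | default("volume") | lower == "volume"
      register: __vault_volumes_raw

    # Loop items skipped above (non-"volume" types) have no .volume key; the
    # JMESPath projection drops those nulls, so only real podman volumes end
    # up in the Name -> Mountpoint map.
    - name: Register container volumes map
      set_fact:
        __vault_volumes_map: >-
          {{ __vault_volumes_raw.results
             | json_query('[].volume')
             | items2dict(key_name='Name', value_name='Mountpoint') }}

    # vault.env is kept root-only (0640), i.e. it is treated as sensitive.
    # NOTE(review): if the rendered file really does carry secrets, add
    # `no_log: true` (or at least `diff: false`) here so that --diff / -vvv
    # runs do not print its contents to the console or callback logs.
    - name: Deploy vault env file
      template:
        src: etc/containers/systemd/vault.env.j2
        dest: /etc/containers/systemd/vault.env
        owner: root
        group: root
        mode: "0640"
      notify: __vault_restart

    # Rendered straight into the podman volume backing the config directory.
    # Fails with an undefined-key error if vault_config_volume is not a
    # "volume"-type entry of vault_volumes (only those reach the map above).
    # 0644 is presumably so the container's unprivileged vault user can read
    # it; NOTE(review): if config.hcl.j2 embeds seal credentials or tokens
    # (e.g. a transit/KMS seal stanza), prefer "0640" with a group the
    # container uid maps into, rather than leaving it world-readable on the host.
    - name: Deploy vault config
      template:
        src: vault/config.hcl.j2
        dest: "{{ __vault_volumes_map[vault_config_volume] }}/config.hcl"
        owner: root
        group: root
        mode: "0644"
      notify: __vault_reload

    - name: Create container specs
      template:
        src: etc/containers/systemd/vault.container.j2
        dest: /etc/containers/systemd/vault.container
        owner: root
        group: root
        mode: "0640"
      notify: __vault_restart

    - name: Ensure service state
      systemd:
        name: vault.service
        state: started
        daemon_reload: true
        enabled: true
      become: true
      become_user: root

- block:
    # Fire any pending __vault_restart / __vault_reload now so the health
    # probe below talks to the freshly configured instance, not the old one.
    # NOTE(review): flush_handlers appears not to honour `when`, so it runs
    # even when the block condition is false — harmless here.
    - name: Flush handlers
      meta: flush_handlers

    # "Up" means the API answers with any documented /sys/health status, not
    # only 200: right after a restart Vault reports 503 (sealed) until the
    # unseal task below runs, and 501 (uninitialized) / 429 (standby) /
    # 472 / 473 (DR / performance standby) are likewise "listening" states.
    # With a plain `status == 200` the wait would exhaust its retries on 503
    # and the unseal task would never run — unless __vault_health_path
    # already remaps those codes via sealedcode=/standbyok= query parameters,
    # in which case the wider list is a no-op.
    - name: Wait for Vault startup
      uri:
        url: "{{ vault_url }}/{{ __vault_health_path }}"
        follow_redirects: none
        method: GET
        status_code: [200, 429, 472, 473, 501, 503]
      register: __vault_http_result
      until: __vault_http_result.status in [200, 429, 472, 473, 501, 503]
      retries: 10
      delay: 3

    # Unseal key shares are secrets: no_log keeps the module arguments out of
    # task output, verbose logs and callback plugins, including on failure
    # (the trade-off is a terser error message when the unseal fails).
    # NOTE(review): holding enough shares in Ansible vars to reach the
    # threshold collapses the Shamir split onto the controller; keep
    # vault_unseal_keys in ansible-vault, or move to a KMS/transit auto-unseal.
    - name: Unseal vault
      hashivault_unseal:
        keys: "{{ vault_unseal_keys }}"
        url: "{{ vault_url }}"
      become: true
      become_user: root
      no_log: true
  when:
    - vault_auto_unseal | bool
    - vault_unseal_keys | length > 0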