
---
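# Render the unit and config files for the Vault container and start the
# service. Every task in this block runs as root (become at the end).
- block:
    # The network unit is rendered only when vault_network carries the
    # ".network" extension; a change triggers a service restart.
    - name: Create network specs
      template:
        src: etc/containers/systemd/vault.network.j2
        dest: "/etc/containers/systemd/vault.network"
        owner: root
        group: root
        mode: "0640"
      when: vault_network | splitext | last == ".network"
      notify: __vault_restart

    # Only entries whose type is "volume" (the default) become podman
    # volumes; other types are skipped and are therefore absent from the
    # name -> mountpoint map built in the next task.
    - name: Create container volumes
      podman_volume:
        name: "{{ item.name }}"
        options: "{{ item.options | default(omit) }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ vault_volumes }}"
      loop_control:
        label: "{{ item.name }}"
      when: item.type | default("volume") | lower == "volume"
      register: __vault_volumes_raw

    # Build {Name: Mountpoint} from the podman_volume results so the config
    # file below can be written straight into the config volume.
    - name: Register container volumes map
      set_fact:
        __vault_volumes_map: "{{ __vault_volumes_raw.results | json_query('[].volume') | items2dict(key_name='Name', value_name='Mountpoint') }}"

    # 0640 keeps the env file unreadable to unprivileged users; presumably
    # sensitive settings are injected here — confirm against the template.
    - name: Deploy vault env file
      template:
        src: etc/containers/systemd/vault.env.j2
        dest: "/etc/containers/systemd/vault.env"
        owner: root
        group: root
        mode: "0640"
      notify: __vault_restart

    # Written into the mountpoint of the volume named by vault_config_volume.
    # Notifies __vault_reload rather than __vault_restart.
    - name: Deploy vault config
      template:
        src: vault/config.hcl.j2
        dest: "{{ __vault_volumes_map[vault_config_volume] }}/config.hcl"
        owner: root
        group: root
        mode: "0644"
      notify: __vault_reload

    - name: Create container specs
      template:
        src: etc/containers/systemd/vault.container.j2
        dest: "/etc/containers/systemd/vault.container"
        owner: root
        group: root
        mode: "0640"
      notify: __vault_restart

    # daemon_reload picks up the freshly rendered unit files before the
    # service is started and enabled. Booleans use canonical lowercase
    # true/false so YAML 1.1 and 1.2 loaders agree.
    - name: Ensure service state
      systemd:
        name: "vault.service"
        state: started
        daemon_reload: true
        enabled: true
  become: true
  become_user: root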
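# Unseal Vault with the supplied keys once the service answers. The whole
# block is skipped unless auto-unseal is enabled and at least one key is
# provided (see the `when` list at the end).
- block:
    # Run pending restart/reload handlers now so the health check below
    # talks to the freshly configured service, not the previous instance.
    - name: Flush handlers
      meta: flush_handlers

    # Poll the health endpoint until it answers 200 (up to 10 tries, 3 s
    # apart).
    # NOTE(review): a sealed Vault normally reports a non-200 health status,
    # so this presumably relies on __vault_health_path requesting a 200 for
    # the sealed state — confirm where __vault_health_path is defined.
    - name: Wait for Vault startup
      uri:
        url: "{{ vault_url }}/{{ __vault_health_path }}"
        follow_redirects: none
        method: GET
      register: __vault_http_result
      until: __vault_http_result.status == 200
      retries: 10
      delay: 3

    # The unseal keys are passed as module arguments; no_log keeps them out
    # of task output, verbose runs and failure dumps.
    - name: Unseal vault
      hashivault_unseal:
        keys: "{{ vault_unseal_keys }}"
        url: "{{ vault_url }}"
      no_log: true
  become: true
  become_user: root
  when:
    - vault_auto_unseal | bool
    - vault_unseal_keys | length > 0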