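---
# Install HashiCorp Vault from the official release archive and run it as a
# systemd service under a dedicated, unprivileged `vault` system account.
# Expects `vault_version` to be set to the bare version string.
# File modes are quoted so they always reach the modules as octal strings.

- name: ensure vault group
  group:
    name: vault
    state: present
    system: true

- name: ensure vault user
  user:
    name: vault
    state: present
    group: vault
    system: true

- name: ensure vault config dir
  file:
    path: /etc/vault.d/
    state: directory
    owner: vault
    group: vault
    mode: "0755"

# Read-only probe, so it also runs in check mode and never reports a change.
# The pipeline's exit status is that of the final `cut`, so a host without
# vault yields empty stdout instead of a failure and the download below runs.
# Do not add `pipefail` here, or a first install would stop at this task.
# Only the second whitespace-separated field is kept before the leading "v"
# is stripped, so any build metadata printed after the version cannot make
# the comparison below fail on every run.
- name: check vault version
  shell:
    cmd: "vault --version | head -1 | cut -d' ' -f2 | cut -d'v' -f2"
  args:
    executable: /bin/bash
  changed_when: false
  register: installed_vault_version
  check_mode: false

# NOTE(review): the archive is trusted on TLS alone. Nothing here checks it
# against a pinned SHA-256 or the vendor's signed checksum file before the
# binary lands in /usr/local/bin as a root-owned executable. Consider fetching
# it with get_url and its `checksum` parameter, then unpacking the verified
# local copy.
- name: get vault
  unarchive:
    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: "0755"
    owner: root
    group: root
    remote_src: true
  when: installed_vault_version.stdout != vault_version

# Unit files are configuration, not programs: 0644 instead of 0755, which
# also avoids systemd's warning about unit files marked executable.
- name: copy vault unit file
  copy:
    src: files/vault.service
    dest: /etc/systemd/system/vault.service
    mode: "0644"
    owner: root
    group: root
  notify: daemon_reload

# 0640 keeps the rendered configuration unreadable to accounts outside the
# vault group.
- name: template vault config
  template:
    src: templates/vault.hcl.j2
    dest: /etc/vault.d/vault.hcl
    owner: vault
    group: vault
    mode: "0640"
  notify: restart_vault_debian

- name: ensure vault is started and enabled
  systemd:
    name: vault
    state: started
    enabled: true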