---
- name: ensure vault group
  group:
    name: vault
    state: present
    system: True

- name: ensure vault user
  user:
    name: vault
    state: present
    group: vault
    system: True

- name: ensure vault config dir
  file:
    path: /etc/vault.d/
    state: directory
    owner: vault
    group: vault
    mode: 0755

- name: copy vault unit file
  copy:
    src: files/vault.service
    dest: /etc/systemd/system/vault.service
    mode: 0755
    owner: root
    group: root
  notify: daemon_reload

- name: template vault config
  template:
    src: templates/vault.hcl.j2
    dest: /etc/vault.d/vault.hcl
    owner: vault
    group: vault
    mode: 0640
  notify: restart_vault_debian

- name: ensure vault is started and enabled
  systemd:
    name: vault
    state: started
    enabled: True
...