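---
# Provisions a Vault server node: service account, directories, systemd unit,
# a short-lived server certificate issued by the intermediate PKI mount, the
# rendered config, and the running service.
#
# Changes against the previous revision:
#   - booleans written as `true`/`false`, octal modes quoted (YAML 1.1 parsers
#     read an unquoted 0755 as decimal 493)
#   - values interpolated into the `shell` command line are passed through
#     `| quote` so a metacharacter in the policy name or address cannot
#     alter the command
#   - the tasks that handle the issued private key set `no_log` so it is not
#     echoed into verbose output or the callback log
#   - the unit file and the public certificate no longer carry an execute bit

- name: ensure vault group
  group:
    name: vault
    state: present
    system: true

- name: ensure vault user
  user:
    name: vault
    state: present
    group: vault
    system: true

- name: ensure vault config dir
  file:
    path: /etc/vault.d/
    state: directory
    owner: vault
    group: vault
    mode: "0755"

# A unit file is read by systemd, never executed; 0644 is sufficient.
- name: copy vault unit file
  copy:
    src: files/vault.service
    dest: /etc/systemd/system/vault.service
    mode: "0644"
    owner: root
    group: root
  notify: daemon_reload

- name: ensure vault certs dir
  file:
    path: /etc/vault.d/certs/
    state: directory
    owner: vault
    group: vault
    mode: "0755"

- name: ensure vault raft dir
  file:
    path: /opt/vault/
    state: directory
    owner: vault
    group: vault
    mode: "0755"

# 432000 s = 5 days. A missing file also yields a non-zero rc, which is the
# desired "needs (re)issue" signal. Always runs, never fails, never reports change.
- name: check if server cert is expiring in the next 5 days
  shell: "openssl x509 -checkend 432000 -noout -in /etc/vault.d/certs/vault.pem"
  args:
    executable: /bin/bash
  failed_when: false
  check_mode: false
  changed_when: false
  register: exp

# Issues a 30-day (43200m) certificate from the intermediate PKI mount. The
# token is read from the controller's ~/.vault-token. The result (including
# the private key) lands in `cert_data`, hence no_log.
# NOTE(review): VAULT_SKIP_VERIFY disables TLS verification for the very
# connection that carries the token; once the CA bundle is available on the
# controller, prefer pointing VAULT_CACERT at it and dropping this variable.
- name: get cert
  shell: >-
    vault write pki_int/issue/{{ vault_pki_policy | quote }}
    common_name=vault.service.masked.name
    ip_sans={{ ansible_default_ipv4.address | quote }}
    ttl=43200m
  args:
    executable: /bin/bash
  environment:
    VAULT_ADDR: https://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
    VAULT_SKIP_VERIFY: "true"
  register: cert_data
  when: exp.rc != 0
  no_log: true
  notify: reload_vault

# Only runs when a new certificate was actually issued above. The public
# certificate is world-readable; the key is owner-only.
- name: write cert data to server
  copy:
    content: "{{ item.content }}"
    dest: "/etc/vault.d/certs/{{ item.path }}"
    mode: "{{ item.mode }}"
    owner: vault
    group: vault
  when: cert_data is changed
  no_log: true
  loop:
    - content: "{{ (cert_data.stdout | from_json).data.certificate }}"
      path: vault.pem
      mode: "0644"
    - content: "{{ (cert_data.stdout | from_json).data.private_key }}"
      path: vault.key
      mode: "0600"

- name: template vault config
  template:
    src: templates/vault.hcl.j2
    dest: /etc/vault.d/vault.hcl
    owner: vault
    group: vault
    mode: "0640"
  notify: restart_vault_debian

- name: ensure vault is started and enabled
  systemd:
    name: vault
    state: started
    enabled: true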