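---
# hashistack deployment playbook
- name: "Deploy"
  hosts: all
  gather_facts: true
  become: true
  tasks:
    - name: "Vault"
      when: enable_vault | bool
      tags:
        - vault
      block:
        - name: "Include ednxzu.hashicorp_vault"
          ansible.builtin.include_role:
            name: ednxzu.hashistack.hashicorp_vault

        # Runs once, on the first vault server. The registered result is
        # the cluster's initialization secret (the unseal key shares are
        # read from it further down), so task output is suppressed with
        # no_log to keep it out of logs and callback plugins. Retried
        # until the module reports success.
        - name: "Initialize vault cluster"
          ednxzu.hashistack.vault_init:
            api_url: "http://127.0.0.1:8200"
            key_shares: 3
            key_threshold: 2
          run_once: true
          retries: 5
          delay: 5
          delegate_to: "{{ groups['vault_servers'] | first }}"
          register: _vault_init_secret
          until: not _vault_init_secret.failed
          no_log: true

        # Persists the init state on the controller so later runs can
        # unseal without re-initializing. The file contains the unseal
        # key shares, so it must be readable by its owner only (was 0644,
        # i.e. world-readable).
        # NOTE(review): play-level `become: true` also applies to this
        # delegated task, so the file is written through privilege
        # escalation on the controller — confirm that is intended.
        - name: "Write vault configuration to file"
          ansible.builtin.copy:
            content: "{{ _vault_init_secret.state | to_nice_yaml}}"
            dest: "{{ configuration_directory }}/vault/vault_config"
            mode: '0600'
          when: _vault_init_secret.changed
          run_once: true
          delegate_to: localhost

        # Reads the persisted init state back from the controller into
        # _vault_cluster_config; the unseal tasks take `keys` from it.
        - name: "Load vault cluster variables necessary for unseal operation"
          ansible.builtin.include_vars:
            file: "{{ configuration_directory }}/vault/vault_config"
            name: _vault_cluster_config

        # Unseals the node that performed the init, only on the run that
        # initialized the cluster. The key shares are module arguments and
        # would appear in verbose/failed-task output, hence no_log.
        - name: "Unseal the bootstrap node"
          ednxzu.hashistack.vault_unseal:
            api_url: "http://127.0.0.1:8200"
            key_shares: "{{ _vault_cluster_config['keys'] }}"
            max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}"
          run_once: true
          delegate_to: "{{ groups['vault_servers'] | first }}"
          when: _vault_init_secret.changed
          no_log: true

        # Unseals every host the block runs on, retrying until the module
        # reports success. Same secret-bearing arguments as above, so
        # output is suppressed; if debugging is needed, drop no_log
        # temporarily rather than leaving key material in logs.
        - name: "Unseal all vault nodes"
          ednxzu.hashistack.vault_unseal:
            api_url: "http://127.0.0.1:8200"
            key_shares: "{{ _vault_cluster_config['keys'] }}"
            max_retries: "{{ (_vault_cluster_config['keys'] | length) - 1 }}"
          retries: 5
          delay: 5
          register: _unseal_status
          until: not _unseal_status.failed
          no_log: true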