Update to 2024-04-17 12:01

roles/vault/defaults/main.yml

@@ -160,3 +160,7 @@ vault_base_secrets:
 vault_extra_secrets: {}
 vault_host_secrets: {}
 vault_secrets: "{{ vault_base_secrets | combine(vault_extra_secrets, recursive=True) | combine(vault_host_secrets, recursive=True) }}"
+
+# If set, vault will be auto-unsealed on start. This is not recommanded for obvious security reasons
+# but might be conveniant on test systems
+vault_unseal_keys: []

roles/vault/tasks/directories.yml

@@ -7,6 +7,7 @@
       owner: root
       group: root
       mode: 755
+    - dir: /bin
     - dir: backup
       owner: root
       group: root

roles/vault/tasks/install.yml

@@ -36,3 +36,7 @@
     - pre
     - post
   tags: vault
+
+- name: Install unseal script
+  template: src=unseal dest={{ vault_root_dir }}/bin/unseal mode=700
+  tags: vault

roles/vault/templates/unseal

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+export VAULT_ADDR={{ vault_conf.api_addr }}
+
+UNSEAL='{% if vault_unseal_keys | length > 0 %}{{ vault_unseal_keys | join(',') }}{% endif %}'
+STATUS=$(vault status -format json)
+
+if [ "$(echo ${STATUS} | jq -r .initialized)" != "true" ]; then
+  echo "Vault not initialized yet"
+  exit 0
+fi
+
+if [ "$(echo ${STATUS} | jq -r .sealed)" != "true" ]; then
+  echo "Vault not sealed, nothing to do"
+  exit 0
+fi
+
+for KEY in $(echo ${UNSEAL} | sed -E 's/,/\n/g'); do
+  vault operator unseal "${KEY}"
+done

roles/vault/templates/vault.service.j2

@@ -22,6 +22,9 @@ CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
 NoNewPrivileges=yes
 ExecStart=/usr/local/bin/vault server -config={{ vault_root_dir }}/etc/
 ExecReload=/bin/kill --signal HUP $MAINPID
+{%- if vault_unseal_keys | length > 0 +%}
+ExecStartPost=!{{ vault_root_dir }}/bin/unseal }}
+{%- endif +%}
 KillMode=process
 KillSignal=SIGINT
 Restart=on-failure