Generate a random admin_token if needed

example/prep.d/10-rand-secrets

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -euo pipefail
+
+# vim: syntax=sh
+
+export LC_ALL=C
+VAULT_KV_PATH=/kv/service/vaultwarden
+RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
+if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+  vault kv put ${VAULT_KV_PATH} \
+    admin_token="$(sh -c "${RAND_CMD}")" \
+
+fi
+for SECRET in admin_token; do
+  if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+    vault kv patch ${VAULT_KV_PATH} \
+      ${SECRET}=$(sh -c "${RAND_CMD}")
+  fi
+done
+

prep.d/10-rand-secrets

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -euo pipefail
+
+[[ template "common/vault.rand_secrets" merge .vaultwarden.server . ]]

variables.yml

@@ -27,6 +27,10 @@ vaultwarden:
     vault:
       policies:
         - '[[ .instance ]][[ .consul.suffix ]]'
+      # A list of random secrets to generate if not present in vault kv store
+      rand_secrets:
+        fields:
+          - admin_token
 
     # Postgres settings
     postgres: