Auto initialize vault

nomad/setup-cluster.yml

@@ -74,7 +74,54 @@
       become: true
 
   tasks:
-    - name: Unseal vault
+    - name: Get Vault status
+      uri:
+        url: http://127.0.0.1:8200/v1/sys/health
+        method: GET
+        status_code: 200, 429, 472, 473, 501, 503
+        body_format: json
+        return_content: true
+      run_once: true
+      register: vault_status
+
+    - name: Initialize Vault
+      when: not vault_status.json["initialized"]
+      block:
+        - name: Initialize Vault
+          command:
+            argv:
+              - "vault"
+              - "operator"
+              - "init"
+              - "-format=json"
+              - "-address=http://127.0.0.1:8200/"
+              - "-key-shares={{ vault_init_key_shares|default(3) }}"
+              - "-key-threshold={{ vault_init_key_threshold|default(2) }}"
+          run_once: true
+          register: vault_init
+
+        - name: Save initialize result
+          copy:
+            content: "{{ vault_init.stdout }}"
+            dest: "./vault-keys.json"
+          when: vault_init is succeeded
+          delegate_to: localhost
+          run_once: true
+
+        - name: Unseal from init
+          no_log: true
+          command:
+            argv:
+              - "vault"
+              - "operator"
+              - "unseal"
+              - "-address=http://127.0.0.1:8200/"
+              - "{{ item }}"
+          loop: "{{ (vault_init.stdout | from_json)['unseal_keys_hex'] }}"
+          when: vault_init is succeeded
+
+    - name: Unseal Vault
+      no_log: true
       command:
         argv:
           - "vault"
@@ -82,9 +129,8 @@
           - "unseal"
           - "-address=http://127.0.0.1:8200/"
           - "{{ item }}"
-      loop: "{{ vault_keys }}"
-      no_log: true
-      when: vault_keys is defined
+      loop: "{{ unseal_keys_hex }}"
+      when: unseal_keys_hex is defined
 
 # Not on Ubuntu 20.04
 # - name: Install Podman