diff --git a/nomad/setup-cluster.yml b/nomad/setup-cluster.yml
index 0ade1b4..f6d263c 100644
--- a/nomad/setup-cluster.yml
+++ b/nomad/setup-cluster.yml
@@ -74,7 +74,54 @@
 become: true
 tasks:
 
- - name: Unseal vault
+ - name: Get Vault status
+ uri:
+ url: http://127.0.0.1:8200/v1/sys/health
+ method: GET
+ status_code: 200, 429, 472, 473, 501, 503
+ body_format: json
+ return_content: true
+ run_once: true
+ register: vault_status
+
+ - name: Initialize Vault
+ when: not vault_status.json["initialized"]
+ block:
+ - name: Initialize Vault
+ command:
+ argv:
+ - "vault"
+ - "operator"
+ - "init"
+ - "-format=json"
+ - "-address=http://127.0.0.1:8200/"
+ - "-key-shares={{ vault_init_key_shares|default(3) }}"
+ - "-key-threshold={{ vault_init_key_threshold|default(2) }}"
+ run_once: true
+ register: vault_init
+
+ - name: Save initialize result
+ copy:
+ content: "{{ vault_init.stdout }}"
+ dest: "./vault-keys.json"
+ when: vault_init is succeeded
+ delegate_to: localhost
+ run_once: true
+
+ - name: Unseal from init
+ no_log: true
+ command:
+ argv:
+ - "vault"
+ - "operator"
+ - "unseal"
+ - "-address=http://127.0.0.1:8200/"
+ - "{{ item }}"
+ loop: "{{ (vault_init.stdout | from_json)['unseal_keys_hex'] }}"
+ when: vault_init is succeeded
+
+ - name: Unseal Vault
+ no_log: true
 command:
 argv:
 - "vault"
@@ -82,9 +129,8 @@
 - "unseal"
 - "-address=http://127.0.0.1:8200/"
 - "{{ item }}"
- loop: "{{ vault_keys }}"
- no_log: true
- when: vault_keys is defined
+ loop: "{{ unseal_keys_hex }}"
+ when: unseal_keys_hex is defined
 
 # Not on Ubuntu 20.04
 # - name: Install Podman
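Review bot: The inner `Initialize Vault` command task in the first hunk registers `vault_init` without `no_log: true`, so its stdout — the JSON with every unseal key and the root token — can be printed by verbose runs and captured by any logging callback, while the sibling `Unseal from init` task does hide the same keys; add `no_log: true` to the init task as well. The `Save initialize result` copy then writes that material to `./vault-keys.json` on the controller with the default file mode and a path relative to the working tree, so it should at least set `mode: "0600"` and probably point at a location that is not under version control. `status_code: 200, 429, 472, 473, 501, 503` relies on Ansible splitting a comma string into a list; writing it as a YAML list makes the intent explicit. The second hunk only renames the loop variable and needs no change. The enclosing play and its `tasks:` list begin before the hunk.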