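---
# Provision OpenBao AppRole credentials to an existing host
# Usage: nix develop -c ansible-playbook playbooks/provision-approle.yml -e hostname=ha1
# Requires: BAO_ADDR and BAO_TOKEN environment variables set
# Optional: BAO_CACERT pointing at the CA bundle that signed the OpenBao listener
#           certificate (the localhost play inherits the controller's environment,
#           so exporting it in the shell is enough). Only set
#           -e vault_skip_verify=true for one-off bootstrapping against an
#           untrusted listener; it disables TLS verification for the connection
#           that carries BAO_TOKEN and the freshly minted secret-id.

- name: Fetch AppRole credentials from OpenBao
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    vault_addr: "{{ lookup('env', 'BAO_ADDR') | default('https://vault01.home.2rjus.net:8200', true) }}"
    # Verify the server certificate by default. The original unconditionally
    # exported BAO_SKIP_VERIFY=1, which lets a man-in-the-middle read the token
    # and the secret-id off the wire.
    vault_skip_verify: false
    domain: "home.2rjus.net"
    # Shared environment for every bao CLI call below.
    # NOTE(review): assumes bao parses BAO_SKIP_VERIFY as a boolean string the
    # way Vault parses VAULT_SKIP_VERIFY ("0"/"1") -- confirm against the CLI docs.
    bao_env:
      BAO_ADDR: "{{ vault_addr }}"
      BAO_SKIP_VERIFY: "{{ '1' if vault_skip_verify | bool else '0' }}"
  tasks:
    - name: Validate hostname is provided and well-formed
      # hostname is interpolated into the OpenBao API path and into the
      # inventory name, so reject anything that is not a single DNS label
      # (e.g. '../../sys/...', whitespace, or an FQDN that would double the domain).
      ansible.builtin.fail:
        msg: >-
          hostname variable is required and must be a bare DNS label
          (letters, digits, hyphens). Use: -e hostname=<name>
      when: >-
        hostname is not defined
        or hostname is not match('^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')

    - name: Validate BAO_TOKEN is present
      # The bao CLI reads the token from the inherited environment; failing
      # here gives a clear error instead of an opaque 403 from the read below.
      ansible.builtin.fail:
        msg: "BAO_TOKEN environment variable is required (see the usage header of this playbook)"
      when: lookup('env', 'BAO_TOKEN') | length == 0

    - name: Get role-id for host
      # argv avoids re-tokenising the path; the role-id is a read-only lookup.
      ansible.builtin.command:
        argv:
          - bao
          - read
          - -field=role_id
          - "auth/approle/role/{{ hostname }}/role-id"
      environment: "{{ bao_env }}"
      register: role_id_result
      changed_when: false

    - name: Generate secret-id for host
      # -f forces the write without a request body. Each run mints a new
      # secret-id, hence changed_when: true. no_log keeps the credential out of
      # -v output and callback logs (the registered result contains it).
      ansible.builtin.command:
        argv:
          - bao
          - write
          - -field=secret_id
          - -f
          - "auth/approle/role/{{ hostname }}/secret-id"
      environment: "{{ bao_env }}"
      register: secret_id_result
      changed_when: true
      no_log: true

    - name: Add target host to inventory
      # The secret-id is carried as a hostvar into the second play; suppress
      # logging so it is not echoed with the add_host result.
      ansible.builtin.add_host:
        name: "{{ hostname }}.{{ domain }}"
        groups: vault_target
        ansible_user: root
        vault_role_id: "{{ role_id_result.stdout }}"
        vault_secret_id: "{{ secret_id_result.stdout }}"
      no_log: true

- name: Deploy AppRole credentials to host
  hosts: vault_target
  gather_facts: false
  tasks:
    - name: Create AppRole directory
      ansible.builtin.file:
        path: /var/lib/vault/approle
        state: directory
        mode: "0700"
        owner: root
        group: root

    - name: Write role-id
      ansible.builtin.copy:
        content: "{{ vault_role_id }}"
        dest: /var/lib/vault/approle/role-id
        mode: "0600"
        owner: root
        group: root

    - name: Write secret-id
      # copy's content/diff output would otherwise print the secret-id in
      # --diff or verbose runs.
      ansible.builtin.copy:
        content: "{{ vault_secret_id }}"
        dest: /var/lib/vault/approle/secret-id
        mode: "0600"
        owner: root
        group: root
      no_log: true

    - name: Display success
      ansible.builtin.debug:
        msg: "AppRole credentials provisioned to {{ inventory_hostname }}"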