Install Hashicorp Vault with Ansible


Feb 12, 2025 - 22:09
I'm a lazy guy and want to do some automation that renews and distributes the certificates without human intervention. And of course I've wanted to try out Vault for ages because it's a great secret store for Kubernetes.
I did the installation with Ansible because I like to automate things.

Install Vault with Ansible

Basically it wasn't a hard task. I followed the documentation and converted it into a playbook.

First I added a repository file (I use Fedora Server):

[hashicorp]
name=Hashicorp Stable - $basearch
baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg

[hashicorp-test]
name=Hashicorp Test - $basearch
baseurl=https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://rpm.releases.hashicorp.com/gpg

In the docs you can find the systemd unit file too, if you want to run Vault as a service.

[Unit]
Description="HashiCorp Vault"
Documentation="https://developer.hashicorp.com/vault/docs"
ConditionFileNotEmpty="/etc/vault.d/vault.hcl"

[Service]
User=vault
Group=vault
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

I used this basic configuration file:

# Full configuration options can be found at https://developer.hashicorp.com/vault/docs/configuration
ui = true

storage "file" {
  path = "/opt/vault/data"
}

# HTTP listener
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}

I bind port 8200 to localhost because I use an NGINX reverse proxy in front of Vault, but of course you can bind to all interfaces.
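The config above sets tls_disable, which is only acceptable while the listener stays on loopback behind the TLS-terminating NGINX. The following check is added here and is not part of the original post: it scans a vault.hcl for a "tcp" listener that combines tls_disable with a non-loopback address, and the three sample configs it runs against are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the post: flag Vault "tcp" listeners that set
# tls_disable while bound to a non-loopback address. The blog config passes
# only because 127.0.0.1 keeps plaintext on-host and NGINX terminates TLS.
# Usage: check_vault_listener [FILE...]   (reads stdin when no file is given)
check_vault_listener() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*listener[[:space:]]+"tcp"/ { inblk = 1; addr = ""; notls = 0; next }
        inblk && /^[[:space:]]*address[[:space:]]*=/ {
            gsub(/.*=[[:space:]]*"|".*/, ""); addr = $0; next
        }
        inblk && /^[[:space:]]*tls_disable[[:space:]]*=/ {
            if ($0 ~ /=[[:space:]]*"?(true|1)"?[[:space:]]*$/) notls = 1
            next
        }
        inblk && /^[[:space:]]*}/ {
            inblk = 0
            # an empty address means the Vault default, 127.0.0.1:8200
            if (notls && addr != "" && addr !~ /^(127\.|\[::1\]|localhost:)/) {
                printf "plaintext listener on non-loopback address: %s\n", addr
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample configs (not from the post) to exercise the check.
LOOPBACK_CFG='listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}'
EXPOSED_CFG='listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}'
MIXED_CFG='listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = "true"
}
listener "tcp" {
  address       = "0.0.0.0:8201"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}'
for cfg in "$LOOPBACK_CFG" "$EXPOSED_CFG" "$MIXED_CFG"; do
    if printf '%s\n' "$cfg" | check_vault_listener; then echo "OK"; fi
done
```

Run it against the real file with `check_vault_listener /etc/vault.d/vault.hcl`; a non-zero exit means a plaintext listener is reachable from the network.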

The role contains the following tasks:

# Create a group and user for the service because I don't want to run it as root
- name: Add 'vault' group
  ansible.builtin.group:
    name: vault
    state: present

- name: Add 'vault' user
  ansible.builtin.user:
    name: vault
    group: vault
    system: true              # service account, not a person
    shell: /usr/sbin/nologin  # no interactive login for the service user
    state: present

# Copy the repository
- name: Add Vault's repository
  ansible.builtin.copy:
    src: hashicorp.repo
    dest: /etc/yum.repos.d/

# Install Vault with DNF package manager
- name: Install Vault
  ansible.builtin.dnf:
    name: vault
    state: present

- name: Copy Vault configuration
  ansible.builtin.copy:
    src: vault.hcl
    dest: /etc/vault.d/
    owner: root
    group: vault
    mode: '0640'   # not world-readable: the config can carry seal and TLS settings

- name: Copy systemd unit file
  ansible.builtin.copy:
    src: vault.service
    dest: /etc/systemd/system/
    mode: '0644'

- name: Enable and start Vault service
  ansible.builtin.systemd_service:
    name: vault
    enabled: true
    daemon_reload: true
    state: restarted

Once Vault is installed, the real work starts: configuring user access and the services. Everything is described in the official documentation here.