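---
# Initialize Vault. Idempotent: skips if already initialized.
# On success, displays root token and unseal keys for manual saving to 1Password.
# After saving, rerun the playbook (default play) to complete configuration.
#
# Security notes for operators:
# - The POST to /v1/sys/init returns the root token and every unseal key in
#   clear text. Run this only against an endpoint whose TLS certificate is
#   verified (vault_validate_certs: true). With verification off, anything
#   that can sit on the network path can read those secrets.
# - The "Display init output" task intentionally prints the secrets to the job
#   output. That output may be kept in logs or run artifacts (ansible-navigator
#   can persist playbook artifacts by default). After the values are in
#   1Password, delete such copies, and plan to revoke/rotate the initial root
#   token once the default play has configured OIDC auth.

- name: Check Vault initialization status
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/init"
    method: GET
    validate_certs: "{{ vault_validate_certs }}"
  register: __vault_init_status

- name: Skip init (already initialized)
  ansible.builtin.debug:
    msg: "Vault is already initialized. Skipping init."
  when: __vault_init_status.json.initialized | bool

# no_log keeps the response (root token + unseal keys) out of the task output.
# It also hides the module's error text if init fails; if you must debug, do it
# against a throwaway instance, never by removing no_log on a real one.
- name: Initialize Vault
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/init"
    method: POST
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      # Vault expects integers for both fields. The int filter normalizes values
      # that arrive as strings (extra-vars, inventory); whether the rendered
      # JSON carries a number or a quoted string still depends on Ansible's
      # Jinja native-type handling — check the request body if Vault rejects it.
      secret_shares: "{{ vault_init_key_shares | int }}"
      secret_threshold: "{{ vault_init_key_threshold | int }}"
    status_code: 200
  register: __vault_init_result
  no_log: true
  when: not __vault_init_status.json.initialized | bool

# Deliberately NOT no_log: this is the only place the secrets are ever shown.
# The response holds vault_init_key_shares keys. Store ALL of them — keeping
# only the threshold count leaves no spare share if one is lost or compromised.
- name: Display init output — SAVE TO 1PASSWORD NOW
  ansible.builtin.debug:
    msg:
      - "*** VAULT INITIALIZED — SAVE THE FOLLOWING TO 1PASSWORD IMMEDIATELY ***"
      - ""
      - "Root Token:"
      - "  vault_vault_root_token: {{ __vault_init_result.json.root_token }}"
      - ""
      - "Unseal Keys (need {{ vault_init_key_threshold }} of {{ vault_init_key_shares }}):"
      - "{% for key in __vault_init_result.json.keys_base64 %}  unseal_key_{{ loop.index }}: {{ key }}{% endfor %}"
      - ""
      - "Save vault_unseal_keys as a list of at least {{ vault_init_key_threshold }} key strings in 1Password (keep all {{ vault_init_key_shares }} keys — spare shares are your recovery margin)."
      - "Save vault_vault_root_token to 1Password."
      - "Then delete any log or run-artifact copy of this output."
  when: not __vault_init_status.json.initialized | bool

# Intentional hard stop: the play must not continue (and must not be re-run
# blindly) until the credentials above are stored out of band.
- name: Fail after init — save credentials before continuing
  ansible.builtin.fail:
    msg: >-
      Vault initialization complete. SAVE the root token and unseal keys to 1Password
      before continuing. Then run the default play to unseal and configure OIDC:
      ansible-navigator run playbooks/deploy_vault.yml
  when: not __vault_init_status.json.initialized | bool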