{"id":30750055,"url":"https://github.com/robertdebock/ansible-role-openbao","last_synced_at":"2026-02-19T10:12:17.704Z","repository":{"id":312665682,"uuid":"1046889167","full_name":"robertdebock/ansible-role-openbao","owner":"robertdebock","description":"Install and configure openbao on your system.","archived":false,"fork":false,"pushed_at":"2026-02-11T15:47:50.000Z","size":190,"stargazers_count":7,"open_issues_count":0,"forks_count":3,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-02-12T00:31:44.635Z","etag":null,"topics":["ansible","application","cloud","database","infrastructure","linux","molecule","openbao","playbook","security","storage","system","tools"],"latest_commit_sha":null,"homepage":"https://robertdebock.nl/","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/robertdebock.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"robertdebock"}},"created_at":"2025-08-29T11:46:54.000Z","updated_at":"2026-02-11T15:43:01.000Z","dependencies_parsed_at":"2025-10-07T10:09:41.162Z","dependency_job_id":"a4cc964f-8143-496f-9d9d-0ec88cafb295","html_url":"https://github.com/robertdebock/ansible-role-openbao","commit_stats":null,"previous_names":["robertdebock/ansible-role-openbao"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/robertdebock/ansible-role-openbao","repository_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-openbao","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-openbao/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-openbao/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-openbao/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/robertdebock","download_url":"https://codeload.github.com/robertdebock/ansible-role-openbao/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robertdebock%2Fansible-role-openbao/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29609534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T06:47:36.664Z","status":"ssl_error","status_checked_at":"2026-02-19T06:45:47.551Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","application","cloud","database","infrastructure","linux","molecule","openbao","playbook","security","storage","system","tools"],"created_at":"2025-09-04T07:00:53.911Z","updated_at":"2026-02-19T10:12:17.698Z","avatar_url":"https://github.com/robertdebock.png","language":"Jinja","funding_links":["https://github.com/sponsors/robertdebock"],"categories":[],"sub_categories":[],"readme":"# [Ansible role openbao](#ansible-role-openbao)\n\nInstall and configure OpenBao server and/or OpenBao agent on your system.\n\n|GitHub|GitLab|Downloads|Version|\n|------|------|---------|-------|\n|[![github](https://github.com/robertdebock/ansible-role-openbao/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-openbao/actions)|[![gitlab](https://gitlab.com/robertdebock-iac/ansible-role-openbao/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-openbao)|[![downloads](https://img.shields.io/ansible/role/d/robertdebock/openbao)](https://galaxy.ansible.com/robertdebock/openbao)|[![Version](https://img.shields.io/github/release/robertdebock/ansible-role-openbao.svg)](https://github.com/robertdebock/ansible-role-openbao/releases/)|\n\n## [Example Playbook](#example-playbook)\n\nThis example is taken from [`molecule/default/converge.yml`](https://github.com/robertdebock/ansible-role-openbao/blob/master/molecule/default/converge.yml) and is tested on each push, pull request and release.\n\n```yaml\n---\n- name: Converge\n  hosts: all\n  become: 
true\n  gather_facts: true\n\n  roles:\n    - role: robertdebock.openbao\n      openbao_storage:\n        type: raft\n        path: /opt/openbao/data\n        node_id: node1\n        retry_join:\n          - leader_api_addr: \"http://127.0.0.2:8200\"\n      openbao_cluster_addr: \"https://127.0.0.1:8201\"\n      openbao_api_addr: \"https://127.0.0.1:8200\"\n      openbao_listeners:\n        - name: tcp\n          address: \"127.0.0.1:8200\"\n          tls_disable: true\n      openbao_telemetry:\n        prometheus_retention_time: \"30s\"\n        disable_hostname: true\n      openbao_log_requests_level: \"info\"\n      openbao_audit_devices:\n        - type: file\n          path: \"audit\"\n          description: \"Audit logs to file\"\n          options:\n            file_path: \"/openbao/logs/audit.log\"\n            log_raw: false\n      openbao_seal:\n        - name: static\n          current_key_id: \"20250606-1\"\n          current_key: \"file:///openbao/secrets/unseal-20250606-1.key\"\n      # Install plugin binaries\n      openbao_plugin_directory: \"/opt/openbao/plugins\"\n      openbao_plugin_validate_certs: false\n      openbao_plugins:\n        - name: openbao-plugin-auth-aws\n          version: \"0.1.0\"\n          download_url: https://github.com/openbao/openbao-plugins/releases/download/auth-aws-v0.1.0/openbao-plugin-auth-aws_linux_amd64_v1.tar.gz\n        - name: openbao-plugin-secrets-aws\n          version: \"0.1.0\"\n          download_url: https://github.com/openbao/openbao-plugins/releases/download/secrets-aws-v0.1.0/openbao-plugin-secrets-aws_linux_amd64_v1.tar.gz\n      openbao_plugin_cleanup: false\n      # Configure OpenBao Agent with AppRole authentication\n      openbao_agent_config: |\n        vault {\n          address = \"http://127.0.0.1:8200\"\n        }\n        auto_auth {\n          method \"approle\" {\n            config {\n              role_id_file_path = \"/opt/openbao/approle-role-id\"\n              secret_id_file_path = 
\"/opt/openbao/approle-secret-id\"\n            }\n          }\n          sink \"file\" {\n            config {\n              path = \"/opt/openbao/agent-token\"\n            }\n          }\n        }\n      openbao_agent_environment:\n        BAO_ADDR: \"http://127.0.0.1:8200\"\n```\n\nThe machine needs to be prepared. In CI this is done using [`molecule/default/prepare.yml`](https://github.com/robertdebock/ansible-role-openbao/blob/master/molecule/default/prepare.yml):\n\n```yaml\n---\n- name: Prepare\n  hosts: all\n  become: true\n  gather_facts: false\n\n  roles:\n    - role: robertdebock.bootstrap\n\n  tasks:\n    # To unseal using a static key, we need to generate a key and set the ownership and permissions.\n    # This is not a part of the Ansible role and needs to be done before applying this role.\n\n    # This package is required to generate a static unseal key.\n    - name: Install OpenSSL to generate static unseal key\n      ansible.builtin.package:\n        name: openssl\n        state: present\n\n    # This group is created by the OpenBao package, but since we're using a static unseal key, we need to create it ourselves.\n    - name: Create OpenBao group\n      ansible.builtin.group:\n        name: openbao\n        system: true\n        state: present\n\n    # This user is created by the OpenBao package, but since we're using a static unseal key, we need to create it ourselves.\n    - name: Create OpenBao user\n      ansible.builtin.user:\n        name: openbao\n        group: openbao\n        system: true\n        shell: /bin/false\n        home: /opt/openbao\n        create_home: false\n        state: present\n\n    - name: Create OpenBao directories\n      ansible.builtin.file:\n        path: \"{{ item }}\"\n        state: directory\n        mode: '0750'\n        owner: openbao\n        group: openbao\n      loop:\n        - /openbao/secrets\n        - /openbao/logs\n\n    - name: Generate static unseal key\n      ansible.builtin.command: openssl 
rand -out /openbao/secrets/unseal-20250606-1.key 32\n      args:\n        creates: /openbao/secrets/unseal-20250606-1.key\n\n    - name: Set ownership and permissions for static unseal key\n      ansible.builtin.file:\n        path: /openbao/secrets/unseal-20250606-1.key\n        owner: openbao\n        group: openbao\n        mode: '0640'\n```\n\nAlso see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles.\n\n## [Role Variables](#role-variables)\n\nThe default values for the variables are set in [`defaults/main.yml`](https://github.com/robertdebock/ansible-role-openbao/blob/master/defaults/main.yml):\n\n```yaml\n---\n\n# defaults file for openbao\n\n# Whether to configure and manage the OpenBao server. When false,\n# only the OpenBao package will be installed (required for the agent).\n# Set to false to use this role for agent-only deployments.\nopenbao_server_enable: true\n\n# Version of OpenBao to install. This value is used to select the\n# package version from your configured package repositories.\n# Example: \"2.5.0\"\nopenbao_version: \"2.5.0\"\n\n# Directory to store temporary downloaded artifacts (for example,\n# plugin archives). This directory is created before any downloads.\nopenbao_download_dir: \"/tmp\"\n\n# Whether to validate TLS certificates when downloading the OpenBao\n# GPG key. When false, TLS certificate validation is disabled\n# (insecure; use only in controlled environments).\nopenbao_validate_certs: false\n\n# Enable or disable the OpenBao web UI. 
When true, the UI will be\n# accessible at the configured listener address.\nopenbao_ui: true\n\n# Storage backend configuration for OpenBao.\n# Supported types: file, inmem, raft, postgresql\n# Example for file storage:\n# openbao_storage:\n#   type: file\n#   path: /opt/openbao/data\n#\n# Example for in-memory storage:\n# openbao_storage:\n#   type: inmem\n#\n# Example for raft storage:\n# openbao_storage:\n#   type: raft\n#   path: /opt/openbao/raft\n#   node_id: node1\n#   performance_multiplier: 1\n#   trailing_logs: 10000\n#   snapshot_threshold: 8192\n#   snapshot_interval: 120\n#   max_entry_size: 1048576\n#   max_transaction_size: 8388608\n#   autopilot_reconcile_interval: \"10s\"\n#   autopilot_update_interval: \"2s\"\n#   retry_join_as_non_voter: false\n#   retry_join:\n#     - leader_api_addr: \"https://127.0.0.2:8200\"\n#       leader_ca_cert_file: \"/path/to/ca1\"\n#       leader_client_cert_file: \"/path/to/client/cert1\"\n#       leader_client_key_file: \"/path/to/client/key1\"\n#     - auto_join: \"provider=aws region=eu-west-1 tag_key=openbao tag_value=...\"\n# openbao_cluster_addr: \"https://127.0.0.1:8201\"\n#\n# Example for PostgreSQL storage:\n# openbao_storage:\n#   type: postgresql\n#   connection_url: postgresql://user:pass@localhost:5432/openbao\nopenbao_storage:\n  type: file\n  path: /opt/openbao/data\n\n# Listener configuration for OpenBao.\n# Each listener can have different parameters based on its type.\n# Example for HTTP listener:\n# openbao_listeners:\n#   - name: tcp\n#     address: \"127.0.0.1:8200\"\n#     tls_disable: true\n#\n# Example for HTTPS listener:\n# openbao_listeners:\n#   - name: tcp\n#     address: \"0.0.0.0:8200\"\n#     tls_cert_file: \"/opt/openbao/tls/tls.crt\"\n#     tls_key_file: \"/opt/openbao/tls/tls.key\"\n#     proxy_protocol_behavior: \"use_always\"\n#     proxy_protocol_authorized_addrs: \"10.10.20.0/24\"\n#\n# Example for multiple listeners:\n# openbao_listeners:\n#   - name: tcp\n#     address: 
\"127.0.0.1:8200\"\n#     tls_disable: true\n#   - name: tcp\n#     address: \"0.0.0.0:8200\"\n#     tls_cert_file: \"/opt/openbao/tls/tls.crt\"\n#     tls_key_file: \"/opt/openbao/tls/tls.key\"\nopenbao_listeners:\n  - name: tcp\n    address: \"0.0.0.0:8200\"\n    tls_cert_file: \"/opt/openbao/tls/tls.crt\"  # This certificate is part of the openbao package.\n    tls_key_file: \"/opt/openbao/tls/tls.key\"  # This key is part of the openbao package.\n\n# Cluster address for OpenBao. Required when using raft storage.\n# This is the address that other nodes in the cluster will use to communicate.\nopenbao_cluster_addr: \"\"\n\n# API address for OpenBao. This is the address that other nodes will use\n# to communicate with this node's API. Required when using raft storage.\nopenbao_api_addr: \"\"\n\n# Seal configuration for OpenBao.\n# Currently OpenBao supports only one seal method, but this structure\n# allows for future extensibility.\n# Example for AWS KMS:\n# openbao_seal:\n#   - name: awskms\n#     region: us-east-1\n#     access_key: \"XYZ\"\n#     secret_key: \"ZYX\"\n#     kms_key_id: \"1-2-3\"\n#\n# Example for AliCloud KMS:\n# openbao_seal:\n#   - name: alicloudkms\n#     region: cn-hangzhou\n#     access_key: \"XYZ\"\n#     secret_key: \"ZYX\"\n#     key_id: \"1-2-3\"\n#\n# Example for Azure Key Vault (with client credentials):\n# openbao_seal:\n#   - name: azurekeyvault\n#     tenant_id: \"tenant-id\"\n#     client_id: \"client-id\"\n#     client_secret: \"client-secret\"\n#     vault_name: \"vault-name\"\n#     key_name: \"key-name\"\n#\n# Example for Azure Key Vault (with machine identity / Managed Identity):\n# openbao_seal:\n#   - name: azurekeyvault\n#     tenant_id: \"tenant-id\"\n#     vault_name: \"vault-name\"\n#     key_name: \"key-name\"\n#\n# Example for GCP Cloud KMS:\n# openbao_seal:\n#   - name: gcpckms\n#     credentials: \"/path/to/credentials.json\"\n#     project: \"project-id\"\n#     region: \"global\"\n#     key_ring: \"keyring\"\n#   
  crypto_key: \"key\"\n#\n# Example for KMIP:\n# openbao_seal:\n#   - name: kmip\n#     server: \"server:5696\"\n#     certificate: \"/path/to/cert.pem\"\n#     key: \"/path/to/key.pem\"\n#     ca_cert: \"/path/to/ca.pem\"\n#\n# Example for OCI KMS:\n# openbao_seal:\n#   - name: ocikms\n#     auth_type: \"user_principal\"\n#     key_id: \"ocid1.key.region1.tenant1.xyz\"\n#     crypto_endpoint: \"https://crypto.kms.us-ashburn-1.oraclecloud.com\"\n#\n# Example for PKCS#11:\n# openbao_seal:\n#   - name: pkcs11\n#     lib: \"/usr/lib/libpkcs11.so\"\n#     slot: \"0\"\n#     pin: \"1234\"\n#     key_label: \"label\"\n#\n#\n# Example for Transit:\n# openbao_seal:\n#   - name: transit\n#     address: \"http://127.0.0.1:8200\"\n#     token: \"s.xyz123\"\n#     key_name: \"autounseal\"\n#     mount_path: \"transit/\"\n#\n# Example for Static Key:\n# openbao_seal:\n#   - name: static\n#     current_key_id: \"20250606-1\"\n#     current_key: \"file:///openbao/secrets/unseal-20250606-1.key\"\n#     previous_key_id: \"20250306-1\"\n#     previous_key: \"file:///openbao/secrets/unseal-20250306-1.key\"\n#\n# Example for no seal (Shamir's Secret Sharing):\n# openbao_seal: []\nopenbao_seal: []\n\n# Telemetry configuration for OpenBao.\n# Example for Prometheus:\n# openbao_telemetry:\n#   prometheus_retention_time: \"30s\"\n#   disable_hostname: true\n#\n# Example for StatsD:\n# openbao_telemetry:\n#   statsd_address: \"statsd.company.local:8125\"\n#   metrics_prefix: \"openbao\"\n#\n# Example for DogStatsD:\n# openbao_telemetry:\n#   dogstatsd_addr: \"localhost:8125\"\n#   dogstatsd_tags:\n#     - \"env:production\"\n#     - \"service:openbao\"\n#\n# Example for Stackdriver:\n# openbao_telemetry:\n#   stackdriver_project_id: \"my-test-project\"\n#   stackdriver_location: \"us-east1-a\"\n#   stackdriver_namespace: \"openbao-cluster-a\"\n#   disable_hostname: true\n#   enable_hostname_label: true\nopenbao_telemetry: {}\n\n# Logging configuration for OpenBao.\n# Example for debug 
level logging:\n# openbao_log_requests_level: \"debug\"\n#\n# Example for info level logging:\n# openbao_log_requests_level: \"info\"\n#\n# Example for disabling request logging:\n# openbao_log_requests_level: \"off\"\n#\n# Valid levels: error, warn, info, debug, trace, off\nopenbao_log_requests_level: \"info\"\n\n# Audit device configuration for OpenBao.\n# Audit devices provide detailed logs of all requests and responses to OpenBao.\n# Multiple audit devices can be configured to log to different destinations.\n#\n# Example for file audit device:\n# openbao_audit_devices:\n#   - type: file\n#     path: \"audit\"\n#     description: \"Audit logs to file\"\n#     options:\n#       file_path: \"/var/log/openbao/audit.log\"\n#       log_raw: false\n#\n# Example for syslog audit device:\n# openbao_audit_devices:\n#   - type: syslog\n#     path: \"syslog\"\n#     description: \"Audit logs to syslog\"\n#     options:\n#       facility: \"AUTH\"\n#       tag: \"openbao\"\n#       log_raw: false\n#\n# Example for socket audit device:\n# openbao_audit_devices:\n#   - type: socket\n#     path: \"socket\"\n#     description: \"Audit logs to socket\"\n#     options:\n#       address: \"127.0.0.1:9000\"\n#       socket_type: \"tcp\"\n#       log_raw: false\n#\n# Example for multiple audit devices:\n# openbao_audit_devices:\n#   - type: file\n#     path: \"file-audit\"\n#     description: \"File audit device\"\n#     options:\n#       file_path: \"/var/log/openbao/audit.log\"\n#       log_raw: false\n#   - type: syslog\n#     path: \"syslog-audit\"\n#     description: \"Syslog audit device\"\n#     options:\n#       facility: \"AUTH\"\n#       tag: \"openbao\"\n#       log_raw: false\nopenbao_audit_devices: []\n\n# File mode used for directories that hold file-based audit logs.\n# The role always creates the parent directory of each file_path from\n# file-type entries in openbao_audit_devices with this mode.\nopenbao_audit_directories_mode: \"0750\"\n\n# TLS certificate 
management for OpenBao.\n# When this map is populated, the role will manage TLS certificates.\n# Leave empty to skip certificate management.\n#\n# Example for inline certificate content:\n# openbao_tls:\n#   directory: \"/opt/openbao/tls\"\n#   cert_file: \"tls.crt\"\n#   key_file: \"tls.key\"\n#   ca_file: \"ca.crt\"\n#   cert_content: |\n#     -----BEGIN CERTIFICATE-----\n#     MIIDXTCCAkWgAwIBAgIJAKoK...\n#     -----END CERTIFICATE-----\n#   key_content: |\n#     -----BEGIN PRIVATE KEY-----\n#     MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKB...\n#     -----END PRIVATE KEY-----\n#   ca_content: |\n#     -----BEGIN CERTIFICATE-----\n#     MIIDXTCCAkWgAwIBAgIJAKoK...\n#     -----END CERTIFICATE-----\n#\n# Example for external file sources:\n# openbao_tls:\n#   directory: \"/opt/openbao/tls\"\n#   cert_content: \"{{ lookup('file', '/path/to/cert.pem') }}\"\n#   key_content: \"{{ lookup('file', '/path/to/key.pem') }}\"\n#   ca_content: \"{{ lookup('file', '/path/to/ca.pem') }}\"\n#\n# Example for custom filenames and directory:\n# openbao_tls:\n#   directory: \"/etc/openbao/tls\"\n#   cert_file: \"server.crt\"\n#   key_file: \"server.key\"\n#   ca_file: \"ca.crt\"\n#   cert_content: \"{{ lookup('file', '/path/to/cert.pem') }}\"\n#   key_content: \"{{ lookup('file', '/path/to/key.pem') }}\"\n#   ca_content: \"{{ lookup('file', '/path/to/ca.pem') }}\"\nopenbao_tls: {}\n\n# Declarative self-initialization blocks (executed once on first startup).\n# Keep empty on non-bootstrap nodes.\n# Example matching the RFC (requires env var INITIAL_ADMIN_PASSWORD):\n# openbao_initialize:\n#   - name: identity\n#     requests:\n#       - name: mount-userpass\n#         operation: update\n#         path: sys/auth/userpass\n#         data:\n#           type: userpass\n#           path: userpass/\n#           description: admin\n#       - name: userpass-add-admin\n#         operation: update\n#         path: auth/userpass/users/admin\n#         data:\n#           
password:\n#             # Example: env source (requires env_var)\n#             eval_type: string\n#             eval_source: env\n#             env_var: INITIAL_ADMIN_PASSWORD\n#           token_policies:\n#             - superuser\n#       - name: enable-oidc\n#         operation: update\n#         path: sys/auth/oidc\n#         data:\n#           type: oidc\n#       - name: configure-oidc\n#         operation: update\n#         path: auth/oidc/config\n#         data:\n#           # Example: file source (requires path)\n#           oidc_client_id:\n#             eval_type: string\n#             eval_source: file\n#             path: /etc/openbao/oidc-client-id\n#           # Example: response source (requires initialize_name, response_name, field_selector)\n#           mount_accessor:\n#             eval_type: string\n#             eval_source: response\n#             initialize_name: identity\n#             response_name: enable-oidc\n#             field_selector: mount_accessor\n#   - name: policy\n#     requests:\n#       - name: add-superuser-policy\n#         operation: update\n#         path: sys/policies/acl/superuser\n#         data:\n#           policy: |\n#             path \"*\" {\n#               capabilities = [\"create\", \"update\", \"read\", \"delete\", \"list\", \"scan\", \"sudo\"]\n#             }\nopenbao_initialize: []\n\n# Environment variables to inject into the OpenBao systemd service.\n# Use this to pass secrets needed for self-initialization (e.g., INITIAL_ADMIN_PASSWORD).\n# Example:\n# openbao_service_environment:\n#   INITIAL_ADMIN_PASSWORD: \"changeme\"\nopenbao_service_environment: {}\n\n# Plugin installation for OpenBao.\n# This role can download and install plugin binaries and set the\n# plugin_directory in the OpenBao configuration. 
Registration/enabling\n# of plugins in the catalog is intentionally out of scope.\n#\n# Directory where plugin binaries are installed and from which OpenBao\n# loads plugins. This will be rendered into openbao.hcl as\n# plugin_directory = \"...\" when non-empty.\nopenbao_plugin_directory: \"/opt/openbao/plugins\"\n\n# Whether to validate TLS certificates when downloading plugins.\nopenbao_plugin_validate_certs: true\n\n# List of plugins to install. Each item should contain:\n# - name: Binary name inside the archive (and final installed name)\n# - version: Version string used for naming the downloaded archive\n# - download_url: Direct URL to the plugin archive (.tar.gz)\n# Example:\n# openbao_plugins:\n#   - name: openbao-plugin-auth-aws\n#     version: \"0.1.0\"\n#     download_url: https://github.com/openbao/openbao-plugins/releases/download/auth-aws-v0.1.0/openbao-plugin-auth-aws_linux_amd64_v1.tar.gz\nopenbao_plugins: []\n\n# Remove downloaded archives and temporary extracted files after install.\nopenbao_plugin_cleanup: false\n\n# Plugin registration is intentionally not performed by this role.\n# To register plugins, see the OpenBao docs and perform registration\n# in your playbook after the server is initialized.\n#\n# Example (in your playbook):\n#   - name: Register plugin\n#     command:\n#       argv:\n#         - bao\n#         - plugin\n#         - register\n#         - \"-sha256=\u003cchecksum\u003e\"\n#         - \"\u003ctype\u003e\"   # auth|database|secret\n#         - \"\u003cname\u003e\"\n#     environment:\n#       BAO_ADDR: \"http://127.0.0.1:8200\"\n#       BAO_TOKEN: \"\u003croot or admin token\u003e\"\n\n# OpenBao Agent configuration.\n# When openbao_agent_config is filled (non-empty string), the agent will be\n# configured and started. 
Leave empty to skip agent configuration.\n#\n# The agent configuration should be provided as HCL (HashiCorp Configuration Language).\n# You can provide it inline, via lookup('file', '...'), or using your own template.\n#\n# Example minimal agent configuration:\n# openbao_agent_config: |\n#   vault {\n#     address = \"http://127.0.0.1:8200\"\n#   }\n#   auto_auth {\n#     method \"token_file\" {\n#       config {\n#         token_file_path = \"/tmp/vault-token\"\n#       }\n#     }\n#     sink \"file\" {\n#       config {\n#         path = \"/tmp/agent-token\"\n#       }\n#     }\n#   }\nopenbao_agent_config: \"\"\n\n# Path where the agent configuration file will be placed.\nopenbao_agent_config_path: \"/etc/openbao/openbao-agent.hcl\"\n\n# Environment variables to inject into the OpenBao agent systemd service.\n# Use this to pass secrets or configuration needed by the agent.\n# Example:\n# openbao_agent_environment:\n#   BAO_ADDR: \"http://127.0.0.1:8200\"\nopenbao_agent_environment: {}\n\n# Path to the environment file for the OpenBao agent systemd service.\nopenbao_agent_env_path: \"/etc/openbao/openbao-agent.env\"\n\n# Binary path for OpenBao agent command. This is needed for the agent service to start.\nopenbao_agent_binary: \"/usr/bin/bao\"\n```\n\n## [Requirements](#requirements)\n\n- pip packages listed in [requirements.txt](https://github.com/robertdebock/ansible-role-openbao/blob/master/requirements.txt).\n\n## [State of used roles](#state-of-used-roles)\n\nThe following roles are used to prepare a system. 
You can prepare your system in another way.\n\n| Requirement | GitHub | GitLab |\n|-------------|--------|--------|\n|[robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap)|[![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions)|[![Build Status GitLab](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap/badges/master/pipeline.svg)](https://gitlab.com/robertdebock-iac/ansible-role-bootstrap)|\n\n## [Context](#context)\n\nThis role is part of many compatible roles. Have a look at [the documentation of these roles](https://robertdebock.nl/) for further information.\n\nHere is an overview of related roles:\n![dependencies](https://raw.githubusercontent.com/robertdebock/ansible-role-openbao/png/requirements.png \"Dependencies\")\n\n## [Compatibility](#compatibility)\n\nThis role has been tested on these [container images](https://hub.docker.com/u/robertdebock):\n\n|container|tags|\n|---------|----|\n|[Debian](https://hub.docker.com/r/robertdebock/debian)|all|\n|[EL](https://hub.docker.com/r/robertdebock/enterpriselinux)|all|\n|[Fedora](https://hub.docker.com/r/robertdebock/fedora)|all|\n|[Ubuntu](https://hub.docker.com/r/robertdebock/ubuntu)|jammy, noble|\n\nThe minimum version of Ansible required is 2.12; tests have been done on:\n\n- The previous version.\n- The current version.\n- The development version.\n\nIf you find issues, please register them on [GitHub](https://github.com/robertdebock/ansible-role-openbao/issues).\n\n## [License](#license)\n\n[Apache-2.0](https://github.com/robertdebock/ansible-role-openbao/blob/master/LICENSE).\n\n## [Author Information](#author-information)\n\n[robertdebock](https://robertdebock.nl/)\n\nPlease consider [sponsoring 
me](https://github.com/sponsors/robertdebock).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdebock%2Fansible-role-openbao","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frobertdebock%2Fansible-role-openbao","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobertdebock%2Fansible-role-openbao/lists"}