vagrant/openBao/ansible/site.yaml

---
- name: Install and configure OpenBao
  hosts: all
  connection: local
  become: true

  vars:
    openbao_version: "2.5.0"
    openbao_arch: "Linux_arm64"
    openbao_zip: "bao_{{ openbao_version }}_{{ openbao_arch }}.tar.gz"
    openbao_url: "https://github.com/openbao/openbao/releases/download/v{{ openbao_version }}/{{ openbao_zip }}"

  tasks:
    - name: Install packages
      ansible.builtin.apt:
        name:
          - unzip
          - curl
        state: present
        update_cache: true

    - name: Create OpenBao config dir
      ansible.builtin.file:
        path: /etc/openbao
        state: directory
        mode: "0755"

    - name: Create OpenBao data dir
      ansible.builtin.file:
        path: /opt/openbao/data
        state: directory
        mode: "0755"

    - name: Download OpenBao binary zip
      ansible.builtin.get_url:
        url: "{{ openbao_url }}"
        dest: "/tmp/{{ openbao_zip }}"
        mode: "0644"

    - name: Unarchive OpenBao binary
      ansible.builtin.unarchive:
        src: "/tmp/{{ openbao_zip }}"
        dest: /usr/local/bin/
        remote_src: true
        mode: "0755"

    - name: Write OpenBao config
      ansible.builtin.copy:
        dest: /etc/openbao/openbao.hcl
        mode: "0644"
        content: |
          ui = true
          disable_mlock = true

          storage "file" {
            path = "/opt/openbao/data"
          }

          listener "tcp" {
            address     = "0.0.0.0:8200"
            tls_disable = true
          }

          api_addr = "http://127.0.0.1:8200"

    - name: Create systemd unit
      ansible.builtin.copy:
        dest: /etc/systemd/system/openbao.service
        mode: "0644"
        content: |
          [Unit]
          Description=OpenBao
          After=network-online.target
          Wants=network-online.target

          [Service]
          User=root
          Group=root
          ExecStart=/usr/local/bin/bao server -config=/etc/openbao/openbao.hcl
          ExecReload=/bin/kill --signal HUP $MAINPID
          KillMode=process
          Restart=on-failure
          RestartSec=5
          LimitNOFILE=65536
          MemorySwapMax=0

          [Install]
          WantedBy=multi-user.target
      notify: Restart OpenBao

    - name: Enable and start OpenBao
      ansible.builtin.systemd:
        name: openbao
        enabled: true
        state: started
        daemon_reload: true

  handlers:
    - name: Restart OpenBao
      ansible.builtin.systemd:
        name: openbao
        state: restarted