Hi there! I'm Maneshwar. Right now, I’m building LiveAPI, a first-of-its-kind tool that helps you automatically index API endpoints across all your repositories. LiveAPI makes it easier to discover, understand, and interact with APIs in large infrastructures.
When you're setting up secrets management, HashiCorp Vault is often the go-to. But doing it manually on every machine? Meh. Here's how to automate Vault installation and initial config using Ansible.
Prerequisites
- Ubuntu 20.04+ machines (adjust if needed)
- Ansible installed on your control node
- SSH access to target nodes
- TLS certs ready (for production-grade setup)
- A Nomad cluster (if you're integrating Vault with it)

Step 1: Install Vault using Ansible
Create a role like vault and start with a task to install Vault:
# roles/vault/tasks/main.yml
# apt_key drops the key into apt's legacy trusted keyring, which leaves the
# signed-by= file referenced below missing and `apt update` failing with
# NO_PUBKEY, so fetch the armored key to exactly the path the repo line uses.
- name: Add HashiCorp GPG key
  ansible.builtin.get_url:
    url: https://apt.releases.hashicorp.com/gpg
    dest: /usr/share/keyrings/hashicorp-archive-keyring.asc
    mode: 0644
# apt expects amd64/arm64, not the uname-style x86_64/aarch64 that
# ansible_architecture reports; ansible_distribution_release works even
# when lsb_release is not installed, unlike ansible_lsb.codename.
- name: Add HashiCorp repo
  ansible.builtin.apt_repository:
    repo: "deb [arch={{ 'amd64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }} signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc] https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main"
    filename: hashicorp
    state: present
    mode: 0644
- name: Install Vault
  ansible.builtin.apt:
    name: vault
    state: present
    update_cache: yes

Step 2: Vault Configuration (vault.hcl)
Use a template or copy the config as-is (pull the file into the role with ansible.builtin.import_tasks: config.yml from main.yml, otherwise Ansible never runs it). The systemd unit shipped with the package runs Vault as the vault user, so the config needs to be readable by that user but not by everyone on the box (0640 root:vault); the raft data directory belongs to vault alone.
# roles/vault/tasks/config.yml
- name: Copy Vault config
  ansible.builtin.copy:
    src: vault.hcl
    dest: /etc/vault.d/vault.hcl
    owner: root
    group: vault
    mode: 0640
- name: Ensure data directory exists
  ansible.builtin.file:
    path: /var/vault/data
    state: directory
    owner: vault
    group: vault
    mode: 0750
Here's the sample vault.hcl. Binding to 127.0.0.1 only works if every client, Nomad included, runs on the same host; for a cluster, put the node's private address in the listener, api_addr and cluster_addr, and keep tls.key readable by root and the vault group only.
# Loopback-only listener: switch to the node's private address when Nomad
# or other clients live on other hosts. tls.key should be root:vault, 0640.
listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/etc/vault.d/tls/tls.crt"
  tls_key_file  = "/etc/vault.d/tls/tls.key"
}
api_addr     = "https://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
storage "raft" {
  path    = "/var/vault/data"   # must match the data directory task above
  node_id = "vault-1"           # unique per node once you add raft peers
}
cluster_name = "hexmos-vault"
ui           = true
telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
}
Step 3: Policies and Roles
Drop your Vault policy and role files into roles/vault/files/.
Policy
nomad-server-policy.hcl
path "auth/token/create/nomad-cluster" {
  capabilities = ["update"]
}
...
path "hex/*" {
  capabilities = ["read", "list", "create", "update", "delete"]
}
Role
nomad-cluster-role.json
{
  "allowed_policies": "nomad-job",
  "token_explicit_max_ttl": 0,
  "name": "nomad-cluster",
  "orphan": true,
  "token_period": 259200,
  "renewable": true
}
Upload both. copy does not create parent directories, so make them first. These tasks only place the files on disk; loading them into Vault (vault policy write nomad-server nomad-server-policy.hcl and vault write auth/token/roles/nomad-cluster @nomad-cluster-role.json) needs an initialized, unsealed server and a token, which only exists after Step 4.
- name: Create policy and role directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: vault
    mode: 0750
  loop:
    - /etc/vault.d/policies
    - /etc/vault.d/roles
- name: Upload Vault policies
  ansible.builtin.copy:
    src: nomad-server-policy.hcl
    dest: /etc/vault.d/policies/nomad-server-policy.hcl
    owner: root
    group: vault
    mode: 0640
- name: Upload Vault roles
  ansible.builtin.copy:
    src: nomad-cluster-role.json
    dest: /etc/vault.d/roles/nomad-cluster-role.json
    owner: root
    group: vault
    mode: 0640
Step 4: Enable and Start Vault
- name: Enable Vault service
  systemd:
    name: vault
    enabled: yes
    state: started
If you're bootstrapping for the first time, add a step that runs vault operator init exactly once. Its output (the unseal key shares and the initial root token) is the most sensitive artifact in the whole setup: mark the task no_log: true, keep the output somewhere only operators can read, unseal the node after every restart with the threshold of keys, and revoke the root token once your real auth methods are in place.
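To make that step concrete, here is an added example (my own, not the post's or HashiCorp's code) of an idempotent bootstrap over Vault's HTTP API: it initializes only when sys/init reports the server uninitialized, unseals with just the threshold of keys rather than all of them, then loads the nomad-server policy and the nomad-cluster token role from the files Step 3 placed on disk. It assumes VAULT_ADDR and VAULT_CACERT from the environment, a root-only /root/vault-init.json as the stand-in for a KMS auto-unseal or per-operator PGP-encrypted shares, and the policy and role paths from the playbook.

```python
"""Idempotent Vault bootstrap: init once, unseal to threshold, load policy+role.
Added example for this post, not HashiCorp's or the author's code. Assumes
VAULT_ADDR/VAULT_CACERT in the environment and the file paths below."""
import json
import os
import ssl
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "https://127.0.0.1:8200")
VAULT_CACERT = os.environ.get("VAULT_CACERT")  # assumption: CA that signed tls.crt
INIT_OUTPUT = "/root/vault-init.json"           # assumption: root-only key store
POLICY_FILE = "/etc/vault.d/policies/nomad-server-policy.hcl"
ROLE_FILE = "/etc/vault.d/roles/nomad-cluster-role.json"
SECRET_SHARES, SECRET_THRESHOLD = 5, 3


def vault_request(method, path, body=None, token=None):
    """Minimal JSON client; non-2xx raises HTTPError so the bootstrap fails loudly."""
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    data = json.dumps(body).encode() if body is not None else None
    ctx = ssl.create_default_context(cafile=VAULT_CACERT)  # never disable verification
    with urllib.request.urlopen(req, data=data, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}  # 204 on policy/role writes


def threshold_keys(init_response, threshold):
    """Return exactly `threshold` shares: fewer cannot unseal, and feeding all
    of them would expose more shares on this host than the unseal needs."""
    keys = init_response.get("keys_base64") or init_response.get("keys") or []
    if len(keys) < threshold:
        raise ValueError(f"init output has {len(keys)} keys, threshold is {threshold}")
    return keys[:threshold]


def policy_payload(hcl_text):
    """sys/policies/acl/<name> takes the raw HCL under the 'policy' key."""
    return {"policy": hcl_text}


def role_payload(role_json_text):
    """auth/token/roles/<name> takes the role name from the URL, so the 'name'
    key in the Step 3 file is dropped rather than sent as an unknown field."""
    role = json.loads(role_json_text)
    role.pop("name", None)
    return role


def save_init_output(init_response, path=INIT_OUTPUT):
    """Persist shares and root token root-only and refuse to overwrite an
    existing file, so a re-run can never clobber the only copy of the keys."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(init_response, fh)
    return path


def bootstrap():
    if not vault_request("GET", "sys/init")["initialized"]:
        init = vault_request("PUT", "sys/init", {"secret_shares": SECRET_SHARES,
                                                  "secret_threshold": SECRET_THRESHOLD})
        save_init_output(init)
    else:
        with open(INIT_OUTPUT) as fh:
            init = json.load(fh)

    status = vault_request("GET", "sys/seal-status")
    if status["sealed"]:
        for key in threshold_keys(init, status["t"]):  # 't' is the live threshold
            status = vault_request("PUT", "sys/unseal", {"key": key})
            if not status["sealed"]:
                break
    if status["sealed"]:
        raise RuntimeError("still sealed after submitting the threshold of keys")

    token = init["root_token"]  # revoke after bootstrap: vault token revoke <token>
    with open(POLICY_FILE) as fh:
        vault_request("PUT", "sys/policies/acl/nomad-server",
                      policy_payload(fh.read()), token)
    with open(ROLE_FILE) as fh:
        vault_request("POST", "auth/token/roles/nomad-cluster",
                      role_payload(fh.read()), token)


if __name__ == "__main__":
    bootstrap()
```

Run it as root on the node after Step 4 (for instance through ansible.builtin.script with no_log: true so the root token never lands in the Ansible log). Because every step checks state first, re-running it on an already initialized and unsealed node only rewrites the policy and role, which is what you want from a playbook.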
Bonus: Run It
Create your site.yml:
- hosts: vault-servers
  become: yes
  roles:
    - vault
Run it:
ansible-playbook -i inventory.ini site.yml
What's Next?
- Use Ansible to init and unseal Vault
- Enable secrets engines
- Configure dynamic secrets (e.g., PostgreSQL, AWS, etc.)
- Integrate with Nomad or Consul

LiveAPI helps you get all your backend APIs documented in a few minutes.
With LiveAPI, you can generate interactive API docs that allow users to search and execute endpoints directly from the browser.
If you're tired of updating Swagger manually or syncing Postman collections, give it a shot.
Top comments (1)
This is extremely impressive, especially all the Ansible breakdowns. I've spent so much time fumbling with Vault installs by hand, so this kind of end-to-end automation is a lifesaver.