terraform-certificate-automation/ansible/roles/vault_agent/templates/vault-agent-config.hcl.j2

pid_file = "{{ vault_agent_data_dir }}/pidfile"

vault {
  address = "{{ vault_address }}"
  tls_skip_verify = {{ vault_tls_skip_verify | lower }}
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path = "{{ vault_agent_config_dir }}/role_id"
      secret_id_file_path = "{{ vault_agent_config_dir }}/secret_id"
    }
  }

  sink "file" {
    config = {
      path = "{{ vault_agent_data_dir }}/vault-token"
    }
  }
}

template {
  source = "{{ vault_agent_config_dir }}/certificate.tpl"
  destination = "{{ ssl_certs_dir }}/{{ short_hostname | default(inventory_hostname) }}.crt"
  perms = 0644
  command = "systemctl is-active nginx >/dev/null 2>&1 && systemctl reload nginx || true"
}

template {
  source = "{{ vault_agent_config_dir }}/chain_pem.tpl"
  destination = "{{ ssl_private_dir }}/le-chaincert.pem"
  perms = 0600
  command = "systemctl is-active nginx >/dev/null 2>&1 && systemctl reload nginx || true"
}

template {
  source = "{{ vault_agent_config_dir }}/private_key.tpl"
  destination = "{{ ssl_private_dir }}/{{ short_hostname | default(inventory_hostname) }}.key"
  perms = 0600
  command = "systemctl is-active nginx >/dev/null 2>&1 && systemctl reload nginx || true"
}