Ephemeral Castle: Vault Ansible Scripts Detail
Level 3 (Detail) — The 4 shell scripts executed by the vault-runtime Ansible role.
vault-phase-a-bootstrap.sh
Purpose: First-time initialization of the Vault instance.
Location: ansible/roles/vault-runtime/files/vault-phase-a-bootstrap.sh
Behavior:
- Creates a staging workdir on the host
- Initializes Vault via vault operator init -format=json (2-of-3 Shamir)
- Extracts the unseal keys and root token from the init output
- Unseals Vault using 2 unseal shares
- Logs in with root token
- Creates admin policy
- Creates admin token with the admin policy
- Writes lifecycle receipt JSON with lineage ID
- All artifacts written to the staging workdir for Ansible to collect
Arguments:
| Arg | Description |
|---|---|
| $1 | Staging workdir path |
| $2 | Structured log file path |
Environment: CONTAINER_NAME, VAULT_ADDR, VAULT_CACERT, VAULT_TLS_SERVER_NAME, POLICY_NAME, TOKEN_ROLE, HOST_IDENTITY, SERVICE_IDENTITY, SCHEMA_VERSION, ORIGIN_TYPE, SECRET_SHARES, SECRET_THRESHOLD
vault-local-unseal.sh
Purpose: Automated Vault unseal using 2 of 3 Shamir shares.
Location: ansible/roles/vault-runtime/files/vault-local-unseal.sh
Behavior:
- Reads unseal shares 1 and 2 from {{ vault_bootstrap_dir }}/
- Calls vault operator unseal for each share via podman exec
- Verifies Vault status after unseal
Because a full threshold of shares (2 of 3) is kept on the same host, anyone who can read {{ vault_bootstrap_dir }} can unseal Vault; the directory's ownership and mode are the control that matters.
Called by: vault-local-unseal.service on system start, and explicitly after Ansible convergence.
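The bootstrap and local-unseal flow described in the two sections above, as an added example rather than the vault-runtime role's own scripts. Assumptions not taken from the page: the artifact file names (unseal-share-N, root-token, admin-token, lineage-id), the receipt fields, the admin policy body, and that `vault operator init -format=json` output is pretty-printed (so no jq is needed). VAULT_CMD defaults to the plain CLI and can be set to `podman exec $CONTAINER_NAME vault` for the systemd unit.

```shell
#!/usr/bin/env bash
# Added example of the bootstrap and local-unseal flow; not the vault-runtime
# role's own scripts. Assumed (not from the role): the artifact file names
# unseal-share-N, root-token, admin-token and lineage-id, the receipt fields,
# and pretty-printed `vault operator init -format=json` output (no jq needed).
set -euo pipefail
umask 077   # every artifact written below is secret: owner-only files

: "${SECRET_SHARES:=3}" "${SECRET_THRESHOLD:=2}" "${POLICY_NAME:=admin}"
# How to reach the CLI: plain `vault` for the bootstrap, `podman exec $CONTAINER_NAME vault`
# for the unseal unit. Expanded unquoted on purpose so the words form a command.
VAULT_CMD="${VAULT_CMD:-vault}"

# Split init JSON (stdin) into one file per unseal share plus the root token.
# The array is read only up to its closing "]" so unseal_keys_hex is never
# mistaken for unseal_keys_b64.
write_init_artifacts() {  # $1 = staging workdir
  local workdir=$1
  mkdir -p "$workdir"
  cat > "$workdir/init.json"
  awk '/"unseal_keys_b64"/ {f=1; next} f && /\]/ {exit} f {gsub(/[ \t",]/, ""); print}' \
      "$workdir/init.json" |
    { n=0; while IFS= read -r share; do n=$((n + 1)); printf '%s\n' "$share" > "$workdir/unseal-share-$n"; done; }
  sed -n 's/^[[:space:]]*"root_token":[[:space:]]*"\([^"]*\)".*/\1/p' \
      "$workdir/init.json" > "$workdir/root-token"
}

# Feed shares until `vault status` exits 0 (0 = unsealed, 2 = sealed, 1 = error).
# Stops as soon as the threshold is met and fails loudly if Vault is still sealed.
unseal_from_dir() {  # $1 = dir holding unseal-share-N, $2 = threshold
  local dir=$1 threshold=$2 i=1
  while [ "$i" -le "$threshold" ]; do
    if $VAULT_CMD status > /dev/null 2>&1; then return 0; fi   # already unsealed
    $VAULT_CMD operator unseal "$(cat "$dir/unseal-share-$i")" > /dev/null
    i=$((i + 1))
  done
  if ! $VAULT_CMD status > /dev/null 2>&1; then
    echo "vault still sealed after $threshold shares" >&2
    return 1
  fi
}

# One JSON line per lifecycle event; the lineage ID is what later ties a
# snapshot back to the bootstrap that produced it.
write_receipt() {  # $1 = log file, $2 = event, $3 = lineage id
  printf '{"schema_version":"%s","event":"%s","lineage_id":"%s","host":"%s","service":"%s","origin_type":"%s","ts":"%s"}\n' \
    "${SCHEMA_VERSION:-1}" "$2" "$3" "${HOST_IDENTITY:-$(hostname)}" \
    "${SERVICE_IDENTITY:-vault}" "${ORIGIN_TYPE:-bootstrap}" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$1"
}

bootstrap() {  # $1 = staging workdir, $2 = structured log file
  local workdir=$1 log=$2 lineage_id
  lineage_id="${LINEAGE_ID:-$(date -u +%Y%m%dT%H%M%SZ)-${HOST_IDENTITY:-$(hostname)}}"
  $VAULT_CMD operator init -format=json \
      -key-shares="$SECRET_SHARES" -key-threshold="$SECRET_THRESHOLD" |
    write_init_artifacts "$workdir"
  unseal_from_dir "$workdir" "$SECRET_THRESHOLD"
  # Export the root token rather than `vault login` so it is never cached in
  # ~/.vault-token; it exists only in this process and in $workdir/root-token.
  export VAULT_TOKEN; VAULT_TOKEN=$(cat "$workdir/root-token")
  $VAULT_CMD policy write "$POLICY_NAME" - <<'EOF'
path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] }
EOF
  $VAULT_CMD token create -policy="$POLICY_NAME" -orphan -field=token \
    > "$workdir/admin-token"
  printf '%s\n' "$lineage_id" > "$workdir/lineage-id"
  write_receipt "$log" bootstrap "$lineage_id"
}

# Usage: script bootstrap WORKDIR LOGFILE   |   script unseal DIR THRESHOLD
case "${1:-}" in
  bootstrap) bootstrap "$2" "$3" ;;
  unseal)    unseal_from_dir "$2" "$3" ;;
esac
```

Two choices worth copying: the unseal loop checks status before every share and stops early, so a host that is already unsealed (for example after a manual intervention) never has extra shares pushed at it; and the root token is exported rather than passed to `vault login`, which would otherwise leave a copy in ~/.vault-token outside the staging workdir that Ansible collects and cleans up.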
vault-snapshot-backup.sh
Purpose: Scheduled S3 snapshot backup.
Location: ansible/roles/vault-runtime/files/vault-snapshot-backup.sh
Behavior:
- Takes a Raft snapshot with vault operator raft snapshot save
- Uploads it to S3 with lineage-aware naming
- Rotates between slot-a and slot-b
- Updates the latest.json pointer
Called by: vault-snapshot-backup.timer (the role defaults set no explicit schedule).
vault-remote-restore.sh
Purpose: Restore Vault from S3 snapshot.
Location: ansible/roles/vault-runtime/files/vault-remote-restore.sh
Behavior:
- Reads S3 lineage pointer
- Downloads the latest snapshot
- Starts a temporary Vault instance
- Executes vault operator raft snapshot restore
- Restarts Vault with the restored data
Called by: vault-remote-restore.service during restore flow.
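The backup and restore pair described in the two sections above, as one added example (not the role's own scripts, which share the slot and pointer logic the same way). Assumptions not taken from the page: the S3 layout s3://$BUCKET/vault/<lineage-id>/<slot>/vault.snap with latest.json beside the slots, the fields inside latest.json, the sha256 check, the LINEAGE_FILE path, and that the restore runs with VAULT_ADDR pointing at the temporary instance the restore flow starts. The vault and aws CLIs are only needed by the backup and restore entry points.

```shell
#!/usr/bin/env bash
# Added example of the snapshot backup / restore pair; not the vault-runtime
# role's own scripts. Assumed (not from the role): the S3 layout
#   s3://$BUCKET/vault/<lineage-id>/<slot>/vault.snap  and  .../latest.json
# the fields of latest.json, and the lineage-id file location.
set -euo pipefail
umask 077

: "${BUCKET:=example-vault-backups}"                      # placeholder bucket
: "${LINEAGE_FILE:=/var/lib/vault-runtime/lineage-id}"   # illustrative path

# Two-slot rotation: a new snapshot never overwrites the last known-good one,
# so a run that dies mid-upload leaves the previous slot (and pointer) intact.
other_slot() {  # $1 = slot named by the current pointer ("" on the first run)
  case "$1" in
    slot-a) echo slot-b ;;
    *)      echo slot-a ;;
  esac
}

snapshot_key() {  # $1 = lineage id, $2 = slot
  echo "vault/$1/$2/vault.snap"
}

pointer_field() {  # $1 = field name, stdin = latest.json (single-line JSON)
  sed -n "s/.*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

write_pointer() {  # $1 = lineage id, $2 = slot, $3 = sha256 of the snapshot
  printf '{"lineage_id":"%s","slot":"%s","key":"%s","sha256":"%s","taken_at":"%s"}\n' \
    "$1" "$2" "$(snapshot_key "$1" "$2")" "$3" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

backup() {
  local lineage slot tmp sum
  lineage=$(cat "$LINEAGE_FILE")
  tmp=$(mktemp -d)
  # A missing pointer means no backup exists yet for this lineage.
  aws s3 cp "s3://$BUCKET/vault/$lineage/latest.json" "$tmp/latest.json" 2>/dev/null \
    || : > "$tmp/latest.json"
  slot=$(other_slot "$(pointer_field slot < "$tmp/latest.json")")
  vault operator raft snapshot save "$tmp/vault.snap"
  sum=$(sha256sum "$tmp/vault.snap" | cut -d' ' -f1)
  # Snapshot first, pointer last: a reader never sees a pointer whose target
  # has not finished uploading.
  aws s3 cp "$tmp/vault.snap" "s3://$BUCKET/$(snapshot_key "$lineage" "$slot")"
  write_pointer "$lineage" "$slot" "$sum" > "$tmp/latest.json"
  aws s3 cp "$tmp/latest.json" "s3://$BUCKET/vault/$lineage/latest.json"
  rm -rf "$tmp"
}

restore() {  # run against the temporary Vault instance the restore flow starts
  local lineage tmp key
  lineage=$(cat "$LINEAGE_FILE")
  tmp=$(mktemp -d)
  aws s3 cp "s3://$BUCKET/vault/$lineage/latest.json" "$tmp/latest.json"
  key=$(pointer_field key < "$tmp/latest.json")
  aws s3 cp "s3://$BUCKET/$key" "$tmp/vault.snap"
  # Refuse a snapshot whose digest does not match what the pointer recorded.
  echo "$(pointer_field sha256 < "$tmp/latest.json")  $tmp/vault.snap" | sha256sum -c - > /dev/null
  # -force is needed because the temporary instance has a different Raft
  # cluster ID. After the restore the data is sealed under the snapshot's own
  # keys, so the ORIGINAL bootstrap's unseal shares, not the temporary
  # instance's, are what unseal it.
  vault operator raft snapshot restore -force "$tmp/vault.snap"
  rm -rf "$tmp"
}

case "${1:-}" in
  backup)  backup ;;
  restore) restore ;;
esac
```

The order of the uploads is the important part: the pointer is written only after the snapshot object is fully in place, so vault-remote-restore.sh can trust that whatever latest.json names is complete, and the digest stored in the pointer lets the restore side detect a truncated or tampered download before handing it to vault.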
Supporting Scripts
render-tailscale-inventory.sh
Location: scripts/render-tailscale-inventory.sh
Purpose: Generates inventory.tailscale.ini with Tailscale IPs for the Ansible transport switch.
Behavior:
- Resolves the tailnet IP for the target hostname (lushycorp-vault) via the Tailscale API or tailscale ip
- Writes ansible/inventory.tailscale.ini with the resolved IP
- Used in create.sh Phase 4 (Transport Switch)
Arguments: --hostname (required), --output (required)
validate-device-tags.sh
Location: scripts/validate-device-tags.sh
Purpose: Confirms that a Tailscale device has the expected tags.
Behavior:
- Queries Tailscale API for device by hostname
- Checks that device has all required tags
- Outputs validation JSON to configs/tailscale-tags.json
Arguments: --hostname (required), --required-tags (required), --output (required)
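The two supporting scripts above, as one added example that is not the project's own code. Assumptions not taken from the page: the environment variables TAILSCALE_API_KEY and TAILNET, the Tailscale v2 devices endpoint and its hostname/tags fields, the inventory group name and ansible_user, the shape of the validation JSON, and that required tags are given comma-separated without spaces. jq is used only in the API-facing helper; the tag comparison and argument parsing are plain shell.

```shell
#!/usr/bin/env bash
# Added example covering render-tailscale-inventory.sh and validate-device-tags.sh;
# not the project's own scripts. Assumed (not from the page): TAILSCALE_API_KEY,
# TAILNET, the [vault] inventory group, ansible_user, and the output JSON shape.
set -euo pipefail

HOSTNAME_ARG= TAGS_ARG= OUTPUT_ARG=

# Tailscale API v2: list every device in the tailnet as JSON.
api_devices() {
  curl -fsS -H "Authorization: Bearer $TAILSCALE_API_KEY" \
    "https://api.tailscale.com/api/v2/tailnet/$TAILNET/devices"
}

# Tags of one device, one per line; an untagged device has no "tags" key at all.
device_tags() {  # $1 = hostname, stdin = devices JSON
  jq -r --arg h "$1" \
    '.devices[] | select((.hostname | ascii_downcase) == ($h | ascii_downcase)) | .tags[]?'
}

# Set difference: required tags the device does not carry. Prints the missing
# ones one per line and returns 1 if any are missing, 0 if all are present.
missing_tags() {  # $1 = comma-separated required tags, stdin = device tags, one per line
  local have tag missing=0
  local IFS=','
  have=$(cat)
  for tag in $1; do
    if ! printf '%s\n' "$have" | grep -qxF -- "$tag"; then
      echo "$tag"
      missing=1
    fi
  done
  return "$missing"
}

validate_device_tags() {  # $1 = hostname, $2 = required tags, $3 = output JSON path
  local host=$1 required=$2 out=$3 missing ok
  if missing=$(api_devices | device_tags "$host" | missing_tags "$required"); then
    ok=true
  else
    ok=false
  fi
  printf '{"hostname":"%s","required_tags":"%s","missing_tags":"%s","ok":%s}\n' \
    "$host" "$required" "$(printf '%s' "$missing" | tr '\n' ',')" "$ok" > "$out"
  [ "$ok" = true ]   # non-zero exit stops the caller from trusting an untagged node
}

# Resolve the peer's tailnet IPv4 with the local client and emit a one-host inventory.
render_inventory() {  # $1 = hostname, $2 = output ini path
  local ip
  ip=$(tailscale ip -4 "$1")
  [ -n "$ip" ] || { echo "no tailnet IPv4 for $1" >&2; return 1; }
  printf '[vault]\n%s ansible_host=%s ansible_user=%s\n' \
    "$1" "$ip" "${ANSIBLE_USER:-ansible}" > "$2"
}

# --hostname / --required-tags / --output, as both scripts take them.
parse_args() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --hostname)      HOSTNAME_ARG=$2; shift 2 ;;
      --required-tags) TAGS_ARG=$2;     shift 2 ;;
      --output)        OUTPUT_ARG=$2;   shift 2 ;;
      *) echo "unknown argument: $1" >&2; return 2 ;;
    esac
  done
}

case "${1:-}" in
  render-inventory) shift; parse_args "$@"; render_inventory "$HOSTNAME_ARG" "$OUTPUT_ARG" ;;
  validate-tags)    shift; parse_args "$@"; validate_device_tags "$HOSTNAME_ARG" "$TAGS_ARG" "$OUTPUT_ARG" ;;
esac
```

The exit status of validate_device_tags is the part create.sh should key on: a missing tag means the device would not match the tag-based ACLs the tailnet relies on, so the transport switch should stop rather than proceed with an inventory pointing at a node whose identity has not been confirmed.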
See Also
- Detail: Ansible Vault Detail
- Detail: Systemd Detail
- Topic: Bootstrap and Restore
- Hub: Ephemeral Castle