From 8137fbbb8bf63e89222dbf54dfe6351e71ccadb3 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 26 Apr 2025 22:00:45 +1000
Subject: [PATCH] feat: vault mlock

- enable mlock by default
- disable mlock on lxd/incus nodes (lxc doesnt support it)
---
 hieradata/common.yaml | 2 +-
 hieradata/virtual/lxc.yaml | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 1df21ad..ae0a661 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -180,7 +180,7 @@ vault::manage_repo: false
 vault::bin_dir: /usr/bin
 vault::manage_service_file: true
 vault::manage_config_dir: true
-vault::disable_mlock: true
+vault::disable_mlock: false
 profiles::dns::master::basedir: '/var/named/sources'
 profiles::dns::base::ns_role: 'roles::infra::dns::resolver'
diff --git a/hieradata/virtual/lxc.yaml b/hieradata/virtual/lxc.yaml
index 8309995..f2d7929 100644
--- a/hieradata/virtual/lxc.yaml
+++ b/hieradata/virtual/lxc.yaml
@@ -2,3 +2,6 @@
 profiles::packages::include:
 chrony:
 ensure: absent
+
+# disable mlock for vault nodes on lxd/incus
+vault::disable_mlock: true
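Review bot: In the common.yaml hunk, setting `vault::disable_mlock: false` makes every Vault node outside the lxc layer lock its memory at startup, and nothing visible here shows the service being granted the capability or limit that requires. `vault::manage_service_file: true` suggests the module renders the unit, so confirm the rendered unit carries CAP_IPC_LOCK or an adequate memlock limit before rollout; without it Vault normally refuses to start. The storage backend is not visible in this hunk; if any node uses integrated (Raft) storage, HashiCorp's guidance is to keep mlock disabled there and protect memory with disabled or encrypted swap instead. A comment above the key such as `# mlock on by default; lxc guests override this in virtual/lxc.yaml` would keep the default and its exception linked.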
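Review bot: In the lxc.yaml hunk, the override turns mlock off for Vault on LXD/Incus guests without recording a compensating control, so key material and secrets held in memory on those nodes can be paged out to swap. The guest shares the host kernel's swap, so the mitigation belongs on the LXD/Incus hosts: swap disabled or encrypted. I would extend the comment to carry that requirement, e.g. `# mlock unavailable in lxc; host swap must be disabled or encrypted`. Whether `virtual/lxc` actually outranks `common` depends on the hierarchy in hiera.yaml, which is not part of this patch, so that is worth a quick check as well.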