From a5b9850e8203a4e1e75dd6172152645b5b8bf2af Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 15 Nov 2025 21:17:11 +1100
Subject: [PATCH] feat: add audit log for openbao - openbao requires audit-log configured in config file
---
 hieradata/roles/infra/storage/vault.yaml | 1 +
 site/profiles/manifests/vault/server.pp | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/hieradata/roles/infra/storage/vault.yaml b/hieradata/roles/infra/storage/vault.yaml
index fcce710..c7b0ff1 100644
--- a/hieradata/roles/infra/storage/vault.yaml
+++ b/hieradata/roles/infra/storage/vault.yaml
@@ -4,6 +4,7 @@ profiles::vault::server::members_lookup: true
 profiles::vault::server::data_dir: /data/vault
 profiles::vault::server::manage_storage_dir: true
 profiles::vault::server::tls_disable: false
+profiles::vault::server::audit_log: /data/vault/audit.log
 vault::package_name: openbao
 vault::package_ensure: latest
diff --git a/site/profiles/manifests/vault/server.pp b/site/profiles/manifests/vault/server.pp
index d73a4a3..e5dcf9c 100644
--- a/site/profiles/manifests/vault/server.pp
+++ b/site/profiles/manifests/vault/server.pp
@@ -65,6 +65,17 @@ class profiles::vault::server (
 api_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
 extra_config => {
 cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
+ audit => [
+ {
+ file => {
+ 'audit-file' => {
+ options => {
+ file_path => $audit_log,
+ }
+ }
+ }
+ }
+ ],
 },
 listener => [
 {
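Review bot: The new `audit_log` value places the audit file inside `data_dir` (`/data/vault`), so audit growth and the storage backend share one volume, and nothing in this commit shows rotation for the file. With a file device as the only audit device, the server is expected to refuse requests it cannot record, so a full or unwritable volume turns into an outage rather than a gap in logging. I would point the key at a dedicated log location covered by rotation, for example `profiles::vault::server::audit_log: /var/log/openbao/audit.log` (constructed path), and forward the file off-host so the record does not depend on the integrity of this node.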
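Review bot: `file_path => $audit_log` is emitted unconditionally inside `extra_config`, and the diffstat shows no other line added to server.pp, so the `$audit_log` class parameter is either pre-existing or undeclared; its type and default are not visible here. If it resolves to undef on a node without the hiera key, the rendered config would carry an audit device with an empty path, which I would expect to fail at startup or leave that node unaudited. I would declare it as an absolute path (for instance `Stdlib::Absolutepath $audit_log,` if stdlib is available) and only add the `audit` key when it is set. A comment above the stanza would also help, such as `# declarative file audit device: requests fail if no audit device can write`. The class body begins and ends outside the hunk.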