puppet-prod/hieradata/roles/infra/storage/vault.yaml
Ben Vincent 35935db963 feat: manage openbao audit devices
- manage openbao audit devices in the configuration file
- enable audit and audit_raw logs
- enable api access to creating audit devices
- restart vault service when changing the configuration file
2025-11-22 13:27:40 +11:00


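---
# Hiera data for the roles::infra::storage::vault role: server settings,
# audit devices and the package that provides the service.
profiles::vault::server::members_role: roles::infra::storage::vault
profiles::vault::server::members_lookup: true
profiles::vault::server::data_dir: /data/vault
profiles::vault::server::manage_storage_dir: true
# NOTE(review): presumably keeps TLS enabled on the server listener; confirm
# against the profile, since the nginx proxy in this file talks plain http
# to 127.0.0.1:8200.
profiles::vault::server::tls_disable: false
# Two file audit devices, both writing under the data_dir above.
# NOTE(review): the nesting below is the only reading in which every empty
# key (file, audit_*, options) has children; confirm it against the profile
# template that renders the server configuration.
profiles::vault::server::audit_devices:
  - file:
      audit_raw:
        options:
          path: audit_raw
          type: file
          file_path: /data/vault/audit_raw.log
          # log_raw "true" records request/response values without HMAC
          # hashing, so this file can hold tokens and secret material in
          # clear text. Treat it like the storage backend itself: restrict
          # ownership/permissions (no mode is set here), keep it out of
          # general log shipping, and rotate/expire it deliberately.
          log_raw: "true"
  - file:
      audit_file:
        options:
          path: audit_file
          type: file
          file_path: /data/vault/audit.log
          # Hashed audit trail; this is the copy suited to forwarding to
          # central logging or a SIEM.
          log_raw: "false"
vault::package_name: openbao
# NOTE(review): "latest" lets every agent run upgrade the secrets manager
# without change control; consider pinning a reviewed version here.
vault::package_ensure: latest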
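# Additional subject alternative names for the vault certificate.
# NOTE(review): vault.service.consul appeared twice in this list; the repeat
# is dropped here. Confirm that a different name was not intended for the
# second entry.
profiles::pki::vault::alt_names:
  - vault.main.unkin.net
  - vault.service.consul
  - vault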
# Simple nginx reverse proxy in front of the local vault listener.
# Primary vhost name, plus the aliases nginx also answers for.
profiles::nginx::simpleproxy::nginx_vhost: 'vault.service.consul'
profiles::nginx::simpleproxy::nginx_aliases:
  - vault.main.unkin.net
  - vault
# Upstream: plain http to the loopback address on port 8200.
# NOTE(review): profiles::vault::server::tls_disable is false in this file;
# confirm the upstream scheme matches what the listener on 8200 expects.
profiles::nginx::simpleproxy::proxy_scheme: 'http'
profiles::nginx::simpleproxy::proxy_host: '127.0.0.1'
profiles::nginx::simpleproxy::proxy_port: 8200
profiles::nginx::simpleproxy::proxy_path: '/'