
Add vault-unseal.service for auto-unseal on reboot

Deploy unseal key to /etc/vault.d/unseal.key (root:root 0400) and a
oneshot vault-unseal.service that runs after vault.service on boot.
Fixes stale template paths (port 8200 → 8202, wrong init file location).
New vault-autounseal tag deploys key+script+unit independently of init.
Shaun Arman 4 hari lalu
induk
melakukan
56ef8228bd

+ 47 - 0
playbooks/01_vault.yml

@@ -235,6 +235,47 @@
       tags:
         - vault-unseal
 
+    # ── Auto-unseal on reboot ─────────────────────────────────────────
+    - name: "Vault | Deploy unseal key to server"
+      ansible.builtin.copy:
+        content: "{{ vault_init_data.unseal_keys_b64[0] }}"
+        dest: /etc/vault.d/unseal.key
+        owner: root
+        group: root
+        mode: "0400"
+      tags:
+        - vault-unseal
+        - vault-autounseal
+
+    - name: "Vault | Deploy vault-unseal.sh"
+      ansible.builtin.template:
+        src: "{{ playbook_dir }}/../templates/vault/vault-unseal.sh.j2"
+        dest: /usr/local/bin/vault-unseal.sh
+        owner: root
+        group: root
+        mode: "0750"
+      tags:
+        - vault-autounseal
+
+    - name: "Vault | Deploy vault-unseal.service"
+      ansible.builtin.template:
+        src: "{{ playbook_dir }}/../templates/vault/vault-unseal.service.j2"
+        dest: /etc/systemd/system/vault-unseal.service
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload systemd and restart vault-unseal
+      tags:
+        - vault-autounseal
+
+    - name: "Vault | Enable vault-unseal.service"
+      ansible.builtin.systemd:
+        name: vault-unseal.service
+        enabled: true
+        daemon_reload: true
+      tags:
+        - vault-autounseal
+
     - name: "Vault | Set root token fact"
       ansible.builtin.set_fact:
         vault_root_token: "{{ vault_init_data.root_token }}"
@@ -516,3 +557,9 @@
         name: vault
         state: restarted
         daemon_reload: true
+
+    - name: Reload systemd and restart vault-unseal
+      ansible.builtin.systemd:
+        name: vault-unseal.service
+        state: restarted
+        daemon_reload: true
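Review bot: The "Deploy unseal key to server" task in the first hunk renders the key from `content:` without `no_log: true`, so a run with `-v` or `--diff` prints the unseal key into Ansible output and whatever captures it (CI logs, callback plugins); add `no_log: true` next to the task's `tags:`. The same hunk deploys the key under both the `vault-unseal` and `vault-autounseal` tags, but the value comes from `vault_init_data.unseal_keys_b64[0]`; if that fact is only set by the init task, a tag-limited run as the description promises would presumably fail on an undefined variable, so a `when: vault_init_data is defined` guard or loading the fact from the stored init file seems needed. Keeping the key in clear text on the Vault host itself means the seal now only protects against theft of the storage backend from elsewhere, which is worth stating in a comment above the task, e.g. `# Trade-off: key on the same host reduces the seal to filesystem permissions; prefer a KMS/transit auto-unseal where available`. The handler added at the second hunk restarts the oneshot unit on every template change, so the unseal script runs against an already-running Vault; whether that is a no-op depends on the sealed check inside the loop, which is outside the visible hunks.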

+ 15 - 0
templates/vault/vault-unseal.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=HashiCorp Vault Auto-Unseal
+Documentation=https://developer.hashicorp.com/vault/docs/concepts/seal
+After=vault.service network.target
+Requires=vault.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/vault-unseal.sh
+RemainAfterExit=no
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
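Review bot: The [Service] section runs the unseal script as root with no sandboxing even though it only needs to read one file under /etc/vault.d and reach the loopback API; adding `ProtectSystem=strict`, `PrivateTmp=true` and `NoNewPrivileges=true` would limit what a compromised or buggy script can touch while still allowing the read of the 0400 key file. `StandardOutput=journal` and `StandardError=journal` are the systemd defaults and can be dropped, or kept with a comment stating the intent. `After=network.target` adds nothing for a unit that only talks to 127.0.0.1, while `Requires=vault.service` plus `After=vault.service` is the ordering that matters; if vault.service wraps a container, the API may still be unavailable when this unit starts, which is presumably why the script polls the health endpoint.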

+ 11 - 11
templates/vault/vault-unseal.sh.j2

@@ -1,25 +1,25 @@
 #!/bin/bash
-# Vault auto-unseal script
-# Reads unseal key from vault-init.json and unseals Vault
+# Vault auto-unseal script — managed by Ansible, do not edit manually
+# Reads unseal key from /etc/vault.d/unseal.key and unseals Vault
 
 set -e
 
-VAULT_ADDR="http://127.0.0.1:8200"
-INIT_FILE="/docker_mounts/vault/vault-init.json"
+VAULT_ADDR="http://127.0.0.1:{{ vault_port }}"
+UNSEAL_KEY_FILE="/etc/vault.d/unseal.key"
 
-if [ ! -f "$INIT_FILE" ]; then
-    echo "ERROR: vault-init.json not found at $INIT_FILE"
+if [ ! -f "$UNSEAL_KEY_FILE" ]; then
+    echo "ERROR: unseal key not found at $UNSEAL_KEY_FILE"
     exit 1
 fi
 
-UNSEAL_KEY=$(jq -r '.unseal_keys_b64[0]' "$INIT_FILE")
+UNSEAL_KEY=$(cat "$UNSEAL_KEY_FILE")
 
 if [ -z "$UNSEAL_KEY" ]; then
-    echo "ERROR: Could not extract unseal key from $INIT_FILE"
+    echo "ERROR: unseal key file is empty"
     exit 1
 fi
 
-# Wait for Vault to be ready
+# Wait for Vault API to become ready (up to 60 s)
 for i in $(seq 1 30); do
     STATUS=$(curl -sf "${VAULT_ADDR}/v1/sys/health" 2>/dev/null || true)
     if [ -n "$STATUS" ]; then
@@ -30,7 +30,7 @@ for i in $(seq 1 30); do
         fi
         break
     fi
-    echo "Waiting for Vault... ($i/30)"
+    echo "Waiting for Vault API... ($i/30)"
     sleep 2
 done
 
@@ -38,5 +38,5 @@ echo "Unsealing Vault..."
 curl -sf -X PUT "${VAULT_ADDR}/v1/sys/unseal" \
     -H "Content-Type: application/json" \
     -d "{\"key\": \"${UNSEAL_KEY}\"}"
-
+echo ""
 echo "Vault unsealed successfully."
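Review bot: The new `UNSEAL_KEY=$(cat "$UNSEAL_KEY_FILE")` in the first hunk still ends up in curl's argument list at the unseal call (`-d "{\"key\": \"${UNSEAL_KEY}\"}"` in the last hunk), where any local user can read it from the process list for the duration of the request; now that the file holds only the key, send the body on stdin instead: `printf '{"key":"%s"}' "$UNSEAL_KEY" | curl -sf -X PUT "${VAULT_ADDR}/v1/sys/unseal" -H "Content-Type: application/json" -d @-`. The retry loop only covers 30 attempts and the body between `break` and `done` is outside the hunks, so I cannot see whether anything aborts when the API never answers; if not, the PUT runs against an unreachable address and only `-sf` turns that into a non-zero exit under `set -e`. The header comment could also note that the unit, not a shell, is the intended caller, e.g. `# Invoked by vault-unseal.service; must run as root to read the 0400 key file`.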