Update to 2023-07-26 19:00

roles/vault/defaults/main.yml

@@ -12,9 +12,12 @@ vault_user: vault
 # expose your vault server on the public internet
 # vault_letsencrypt_cert: "{{ inventory_hostname }}"
 
-# A token having backup (raft snapshot) permission. If set, ansible will
-# take a snapshot of the data before upgrading vault
-# vault_bkp_token: XXXXX
+
+# A token having read access to sys/storage/raft/snapshot. If set, a snapshot will be taken
+# during pre-backup and removed in post-backup
+# vault_backup_token: XXXXX
+# You can also define a command to get the token, eg
+# vault_backup_token: $(cat /run/vault_agent/vault.token)
 
 # Ports used by vault, and the IP/CIDR for which the port will be opened on the local firewall
 vault_base_services:

roles/vault/tasks/install.yml

@@ -29,3 +29,10 @@
     dest: /etc/profile.d/vault.sh
     mode: 0755
   tags: vault
+
+- name: Install backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/vault mode=700
+  loop:
+    - pre
+    - post
+  tags: vault

roles/vault/templates/post-backup.j2

@@ -0,0 +1,4 @@
+#!/bin/sh
+
+set -eo pipefail
+rm -f {{ vault_root_dir }}/backup/vault.snap

roles/vault/templates/pre-backup.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+{% if vault_backup_token is defined %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+export VAULT_TOKEN={{ vault_backup_token }}
+vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap
+{% endif %}