From bd85fdfe91960ab2352d479f6af4aa4e1890e307 Mon Sep 17 00:00:00 2001
From: Bert-Jan Fikse
Date: Fri, 27 Mar 2026 16:46:18 +0100
Subject: [PATCH] chore: add readme entry and configration for openbao secrets management

Signed-off-by: Bert-Jan Fikse
---
 .gitignore | 1 +
 README.md | 16 ++++++++++++++++
 ansible.cfg | 6 +++++-
 requirements.yml | 1 +
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 061b691..75839df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@
 # Ansible
 /collections/ansible_collections/
 .vagrant/
+bao
diff --git a/README.md b/README.md
index afc3aa2..346be0c 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,17 @@
 # reference-ansible
+
+
+
+### Secrets
+Secrets are managed using [OpenBao](https://bao.digitalboard.ch).
+Download the CLI binary once (not checked in):
+```bash
+curl -L https://github.com/openbao/openbao/releases/latest/download/bao_linux_amd64 -o ./bao && chmod +x ./bao
+```
+
+Authenticate and export token before running playbooks:
+```bash
+export BAO_ADDR=https://bao.digitalboard.ch
+./bao login -method=oidc -path=Digitalboard
+export VAULT_TOKEN=$(./bao print token)
+```
\ No newline at end of file
diff --git a/ansible.cfg b/ansible.cfg
index 2fb7196..4535abd 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,7 @@
 [defaults]
 collections_path = ./collections:~/.ansible/collections:/usr/share/ansible/collections
-remote_user = root
\ No newline at end of file
+remote_user = root
+
+[hashi_vault_collection]
+url = https://bao.digitalboard.ch
+auth_method = token
\ No newline at end of file
diff --git a/requirements.yml b/requirements.yml
index e021769..2f10e15 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,4 +1,5 @@
 collections:
+ - name: community.hashi_vault
 - name: https://git.digitalboard.ch/Digitalboard/digitalboard.core.git
 type: git
 version: main
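Review bot: The added `bao` pattern is unanchored, so it ignores any file or directory named `bao` at any depth, not only the CLI binary downloaded to the repository root; the `/collections/ansible_collections/` entry two lines above is anchored, and this one should read `/bao`. Because the binary is deliberately untracked, the README step in this commit that fetches it from `releases/latest` is the only control over what is executed with the operator's OpenBao token. Pinning a release tag in that URL and comparing the download against the checksum published with that release would make the ignored file reproducible.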
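Review bot: The new `[hashi_vault_collection]` section has no comment saying where the token comes from, and the file still ends without a newline. A line such as `# OpenBao via community.hashi_vault; the token is read from the environment (see README), never stored here` above the section would keep a later editor from adding a credential to a tracked file. Ending the file with a newline avoids the remove-and-re-add of the last line that this hunk had to do for `remote_user = root`. With `auth_method = token` the collection can, as far as I know, also read the token file left by `bao login`, which would make the README's `export VAULT_TOKEN=...` step optional and keep the token out of the shell environment; this is worth confirming against the collection's `token_path`/`token_file` defaults.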
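Review bot: The added `community.hashi_vault` entry has no `version:`, so every `ansible-galaxy` install resolves whatever release is newest at that moment, and this is the collection that handles the secrets token. Adding a constraint under the entry, `version: "<pinned-version>"`, makes upgrades an explicit, reviewable change. The collection also depends on the `hvac` Python library on the control node; no Python requirements file is touched by this commit, so that dependency may need documenting alongside the README's setup steps.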