From 65029a27c8c8f9ab783adadca5eabb7aad2604ea Mon Sep 17 00:00:00 2001
From: "max.bed4d" <max.bed4d@googlemail.com>
Date: Thu, 18 Jul 2024 15:58:12 +0100
Subject: [PATCH] Generate Wazuh password and encrypt the file at the end.

---
 etc/kayobe/ansible/wazuh-secrets.yml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
index 1d40b358d..1aaf2b615 100644
--- a/etc/kayobe/ansible/wazuh-secrets.yml
+++ b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -26,13 +26,16 @@
         wazuh_password: "{{ random_password.stdout }}"
 
     - name: Template new secrets
+      no_log: True
       template:
         src: wazuh-secrets.yml.j2
         dest: "{{ wazuh_secrets_path }}"
-      notify: Please encrypt keys
 
-  handlers:
-    - name: Please encrypt keys
-      debug:
-        msg: >-
-          Please encrypt the keys using Ansible Vault.
+    - name: In-place encrypt wazuh-secrets
+      copy:
+        content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+        dest: "{{ wazuh_secrets_path }}"
+        decrypt: false
+      vars:
+       ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+