---
# Onboarding playbook: bootstrap Ansible Vault infrastructure for secrets management
# Concept: This is the entry point for beginners to safely set up vault on the control node.
#   It runs on localhost (control node) and prepares directories, validates prerequisites,
#   and provides guidance for encrypting the first secret.
# 
# Usage:
#   First run (setup only):
#     ansible-playbook playbooks/onboarding/setup_ansible_secrets.yml --tags bootstrap
#   
#   Validation (check infrastructure health):
#     ansible-playbook playbooks/onboarding/setup_ansible_secrets.yml --tags validate
#   
#   With vault password prompts (instead of password file):
#     ansible-playbook playbooks/onboarding/setup_ansible_secrets.yml --ask-vault-pass
#   
#   Example creation (for self-learning):
#     ansible-playbook playbooks/onboarding/setup_ansible_secrets.yml --tags example --extra-vars create_example_vault=true

- name: Bootstrap Ansible Vault for secrets management
  hosts: localhost
  gather_facts: false
  vars:
    # Override these to customize vault paths or behavior
    # Example: ansible-playbook ... --extra-vars vault_base_dir=/etc/ansible/vault
    vault_base_dir: "{{ lookup('env', 'HOME') }}/.ansible/vault"
    vault_password_file: "{{ vault_base_dir }}/password"
    vault_vars_dir: "{{ playbook_dir }}/../group_vars/vault"
  roles:
    - secrets_onboarding
  tags:
    - always