# Vault Configuration Guide

## Overview

The current portfolio demo does not require Ansible Vault for `make test` or `make demo`. Secrets are intentionally kept out of the main validation path so reviewers can run the project offline.

Use Vault only when extending the simulator to manage real hosts or credentials.

## Recommended Pattern

1. Start from the example file:

   ```bash
   cp group_vars/vault.example.yml group_vars/vault.yml
   ```

2. Replace placeholder values locally.
3. Encrypt the file before using it with real systems:

   ```bash
   ansible-vault encrypt group_vars/vault.yml
   ```

4. Do not commit real secret values. Keep `group_vars/vault.example.yml` as the committed reference.

## Running With Vault

```bash
ansible-playbook -i inventory/hosts.ini playbooks/provision.yml --ask-vault-pass
```

or:

```bash
ansible-playbook -i inventory/hosts.ini playbooks/provision.yml --vault-password-file ~/.vault_pass.txt
```

## Notes

- The delivered playbooks do not import a vault file by default.
- Add `vars_files` only in an environment-specific branch or private overlay.
- Prefer a secret manager or automation controller for production use.
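
One way to enforce steps 3 and 4 of the recommended pattern is a guard that fails when any `vault.yml` is still plaintext. This is an added example, not part of this project's code; the script name `check_vault.sh` and both function names are hypothetical, and it assumes whole-file encryption with `ansible-vault encrypt`, which writes a first line beginning with `$ANSIBLE_VAULT;`.

```shell
#!/bin/sh
# Added example (not project code): refuse to continue while a vault file
# is still plaintext. Function and script names are hypothetical.
# Assumption: vault files are whole-file encrypted, so an encrypted file's
# first line starts with the "$ANSIBLE_VAULT;" header.

# Return 0 if the file starts with the ansible-vault header,
# 1 if it is plaintext or empty, 2 if it does not exist.
vault_file_is_encrypted() {
    [ -f "$1" ] || return 2
    _vfe_line=
    # read fails on a final line without a newline; keep what it captured.
    IFS= read -r _vfe_line < "$1" || [ -n "$_vfe_line" ] || return 1
    case "$_vfe_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every plaintext vault.yml below the given directory.
# Return 0 if none were found, 1 otherwise.
# vault.example.yml is the committed reference and is not matched.
find_plaintext_vaults() {
    _fpv_found=$(find "$1" -type f -name 'vault.yml' | while IFS= read -r _fpv_f; do
        vault_file_is_encrypted "$_fpv_f" || printf '%s\n' "$_fpv_f"
    done)
    if [ -z "$_fpv_found" ]; then
        return 0
    fi
    printf '%s\n' "$_fpv_found"
    return 1
}

# Usage: sh check_vault.sh <repo-dir>   (for example from a pre-commit hook)
if [ "$#" -gt 0 ]; then
    if find_plaintext_vaults "$1"; then
        exit 0
    fi
    echo "plaintext vault file(s) listed above: run ansible-vault encrypt first" >&2
    exit 1
fi
```

The check only inspects the header line, so it confirms that a file was encrypted, not that the vault password is strong or stored safely.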