From d69e7999a35a27f62b411fd719fede268455e896 Mon Sep 17 00:00:00 2001
From: thomas-VIGINUM <191891091+thomas-VIGINUM@users.noreply.github.com>
Date: Fri, 21 Mar 2025 14:51:09 +0100
Subject: [PATCH] feat: allow additional environment variables

---
 defaults/main.yml                  |  3 +++
 role_variables.md                  | 12 ++++++++++++
 templates/vault_service_systemd.j2 |  3 +++
 3 files changed, 18 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index dc46b363..7ec98832 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -92,6 +92,9 @@ vault_listener_localhost_enable: false
 vault_http_proxy: ""
 vault_https_proxy: ""
 vault_no_proxy: ""
+vault_additional_environment_variables: {}
+# FOO: bar
+# FOO2: bar2
 
 # ---------------------------------------------------------------------------
 # TCP listeners
diff --git a/role_variables.md b/role_variables.md
index afcfbd87..0ffbdf32 100644
--- a/role_variables.md
+++ b/role_variables.md
@@ -816,6 +816,18 @@ available starting at Vault version 1.4.
 - Comma separated values which specify hosts that should be exluded from proxying.  Follows [golang conventions](https://godoc.org/golang.org/x/net/http/httpproxy)
 - Default value: `""`
 
+## `vault_additional_environment_variables`
+
+- Dict of items of type `Dict[str, str]` to add additional environment variables to the systemd service
+- Default value: `{}`
+
+Example:
+
+```yaml
+vault_additional_environment_variables:
+  FOO: bar
+```
+
 ## `vault_cluster_address`
 
 - Address to bind to for cluster server-to-server requests
diff --git a/templates/vault_service_systemd.j2 b/templates/vault_service_systemd.j2
index 5f1482f1..3054bbe1 100644
--- a/templates/vault_service_systemd.j2
+++ b/templates/vault_service_systemd.j2
@@ -37,6 +37,9 @@ Environment=HTTPS_PROXY={{ vault_https_proxy }}
 {% if vault_no_proxy -%}
 Environment=NO_PROXY={{ vault_no_proxy }}
 {% endif -%}
+{% for _vault_variable_name, _vault_variable_value in vault_additional_environment_variables.items() -%}
+Environment={{ _vault_variable_name }}={{ _vault_variable_value }}
+{% endfor -%}
 ExecStart=/bin/sh -c 'exec {{ vault_bin_path }}/vault server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} -log-level={{ vault_log_level | lower }} {{ vault_exec_output }}'
 ExecReload=/bin/kill --signal HUP $MAINPID
 KillMode=process