diff --git a/roles/shellserver/vault/config.sls b/roles/shellserver/vault/config.sls
new file mode 100644
--- /dev/null
+++ b/roles/shellserver/vault/config.sls
@@ -0,0 +1,45 @@
+#   -------------------------------------------------------------
+#   Salt — Shell server's units
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Eglide
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, services with context %}
+
+#   -------------------------------------------------------------
+#   Vault server configuration
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/vault.d:
+   file.absent
+
+{{ dirs.etc }}/vault.hcl:
+  file.managed:
+    - source: salt://roles/shellserver/vault/files/vault.hcl
+    - mode: 644
+    - template: jinja
+    - context:
+        certificates_dir: {{ dirs.etc }}/certificates/vault
+        id: {{ grains['id'] }}
+
+#   -------------------------------------------------------------
+#   Vault directories
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/var/db/vault:
+  file.directory:
+    - user: vault
+    - group: vault
+    - mode: 700
+    - makedirs: True
+
+#   -------------------------------------------------------------
+#   Service
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if services['manager'] == 'systemd' %}
+/lib/systemd/system/vault.service:
+  file.managed:
+    - source: salt://roles/shellserver/vault/files/vault.service
+{% endif %}
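Review bot: Neither `file.managed` state pins ownership, and the `/lib/systemd/system/vault.service` state sets no mode either, so a file that already exists with looser ownership or permissions may keep them after the state runs. A unit file decides what systemd starts for the service, so I would add `- user: root`, `- group: root` and `- mode: '0644'` to both the `vault.hcl` and `vault.service` states. The unit in this commit checks and loads `/etc/vault.hcl`, while this state writes `{{ dirs.etc }}/vault.hcl`; the two agree only where `dirs.etc` resolves to `/etc`, which is presumably true on systemd hosts but is worth a comment. As a style point, `file.absent` under `{{ dirs.etc }}/vault.d` is indented three spaces where the rest of the file uses two.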
diff --git a/roles/shellserver/vault/files/vault.hcl b/roles/shellserver/vault/files/vault.hcl
new file mode 100644
--- /dev/null
+++ b/roles/shellserver/vault/files/vault.hcl
@@ -0,0 +1,33 @@
+#   -------------------------------------------------------------
+#   Vault configuration
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   License:        Trivial work, not eligible to copyright
+#   Source file:    roles/shellserver/vault/files/vault.hcl
+#   -------------------------------------------------------------
+#
+#   <auto-generated>
+#       This file is managed by our rOPS SaltStack repository.
+#
+#       Changes to this file may cause incorrect behavior
+#       and will be lost if the state is redeployed.
+#   </auto-generated>
+
+
+listener "tcp" {
+  address = "127.0.0.1:8200"
+
+  tls_cert_file = "{{ certificates_dir }}/fullchain.pem"
+  tls_key_file = "{{ certificates_dir }}/private.key"
+}
+
+storage "raft" {
+  path = "/var/db/vault"
+  node_id = "{{ id }}"
+}
+
+disable_mlock = true
+
+cluster_addr = "http://127.0.0.1:8201"
+api_addr = "http://127.0.0.1:8200"
+ui = true
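Review bot: `api_addr` and `cluster_addr` advertise `http://`, although the `listener "tcp"` block configures `tls_cert_file` and `tls_key_file`, so the listener serves TLS. Clients that follow the advertised address would be pointed at a plaintext URL that this listener does not serve. I would change the two lines to `api_addr = "https://127.0.0.1:8200"` and `cluster_addr = "https://127.0.0.1:8201"`. Clients connecting to `127.0.0.1` will only validate the certificate if it carries a matching subject alternative name, which the hunk does not show; a short comment naming the hostname clients are expected to use would help.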
diff --git a/roles/shellserver/vault/files/vault.service b/roles/shellserver/vault/files/vault.service
new file mode 100644
--- /dev/null
+++ b/roles/shellserver/vault/files/vault.service
@@ -0,0 +1,33 @@
+[Unit]
+Description="HashiCorp Vault - A tool for managing secrets"
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty=/etc/vault.hcl
+StartLimitIntervalSec=60
+StartLimitBurst=3
+
+[Service]
+Type=notify
+User=vault
+Group=vault
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+SecureBits=keep-caps
+AmbientCapabilities=CAP_IPC_LOCK
+CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
+NoNewPrivileges=yes
+ExecStart=/usr/bin/vault server -config /etc/vault.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+LimitNOFILE=65536
+LimitMEMLOCK=infinity
+
+[Install]
+WantedBy=multi-user.target
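Review bot: The unit grants `AmbientCapabilities=CAP_IPC_LOCK`, keeps `CAP_IPC_LOCK` in `CapabilityBoundingSet` and sets `LimitMEMLOCK=infinity`, but the `vault.hcl` added in this same commit sets `disable_mlock = true`, so the service appears to hold a capability it never uses. If mlock stays disabled, drop the `AmbientCapabilities` and `LimitMEMLOCK` lines and reduce the bounding set to `CapabilityBoundingSet=CAP_SYSLOG`. Without mlock, secret material can be paged out, so the host should have swap disabled or encrypted; a comment in the unit recording that assumption would help. Separately, systemd does not strip the quotes in `Description="HashiCorp Vault - A tool for managing secrets"`, so they show up literally in status output.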
diff --git a/roles/shellserver/vault/init.sls b/roles/shellserver/vault/init.sls
--- a/roles/shellserver/vault/init.sls
+++ b/roles/shellserver/vault/init.sls
@@ -7,3 +7,4 @@
 
 include:
   - .software
+  - .config