# Issue: Fix Vault Security Risk in Proxmox Role

- **Status**: Open
- **Priority**: High
- **Component**: proxmox/15_create_secret.yaml
- **Assignee**: Junior Dev

## Description

The current vault handling in `roles/proxmox/tasks/15_create_secret.yaml` shells out to `ansible-vault decrypt` and `ansible-vault encrypt`. `ansible-vault decrypt` rewrites the vault file in place as plaintext, so the secrets sit unencrypted on disk between the two tasks, and if any task in between fails the file is left decrypted.

## Current Problematic Code

```yaml
- name: Decrypt vm vault file
  ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
  no_log: true

- name: Encrypt vm vault file
  ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
  no_log: true
```

## Required Changes

### Step 1: Replace shell commands with Ansible's built-in vault handling

Replace the shell-based decryption/encryption with Ansible's built-in vault support: `ansible.builtin.include_vars` decrypts a vaulted file transparently when the vault secret is supplied to the run, and the `ansible.builtin.vault` filter encrypts content in memory. No external `ansible-vault` process is needed.

### Step 2: Remove temporary plaintext file operations

Eliminate the need for plaintext files on disk by decrypting into memory and writing back only already-encrypted content.

### Step 3: Add proper error handling

Include error handling for vault operations (missing files, decryption failures).

## Implementation Steps

1. **Read the current vault file securely**:

   ```yaml
   - name: Load vault content securely
     ansible.builtin.include_vars:
       file: "{{ proxmox_vault_file }}"
       name: vault_data
     no_log: true
   ```

2. **Update the loaded data in memory**:

   ```yaml
   - name: Update vault data securely
     ansible.builtin.set_fact:
       new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
     when: not variable_exists
     no_log: true
   ```

3. **Write encrypted vault directly** (the `ansible.builtin.vault` filter takes the vault secret as its argument; `vault_password` here is a variable holding that secret, and the dict is serialised to YAML before encryption so the file stays loadable by `include_vars`):

   ```yaml
   - name: Write encrypted vault
     ansible.builtin.copy:
       content: "{{ new_vault_data | to_nice_yaml | ansible.builtin.vault(vault_password) }}"
       dest: "{{ proxmox_vault_file }}"
       mode: "0600"
     when: not variable_exists
     no_log: true
   ```

## Testing Requirements

- Test with existing vault files
- Verify no plaintext files are created during operation
- Confirm vault can be decrypted properly after updates

## Acceptance Criteria

- [ ] No shell commands used for vault operations
- [ ] No temporary plaintext files created
- [ ] All vault operations use Ansible built-in modules
- [ ] Existing functionality preserved
- [ ] Proper error handling implemented
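The three implementation steps combined with the error handling asked for in Step 3, as an added example task file (not the role's own code). It assumes `proxmox_vault_file`, `vm_name_secret` and `cipassword` are set by the role, and that `vault_password` holds the same vault secret supplied to the run via `--vault-password-file` or `--ask-vault-pass`.

```yaml
# Added example: hardened vault update with block/rescue error handling.
# Assumed variables: proxmox_vault_file, vm_name_secret, cipassword (from the role),
# vault_password (the vault secret, same one include_vars decrypts with).
- name: Update a secret in the vault file without writing plaintext to disk
  block:
    - name: Check that the vault file exists
      ansible.builtin.stat:
        path: "{{ proxmox_vault_file }}"
      register: vault_stat

    - name: Fail early on a missing vault file
      ansible.builtin.fail:
        msg: "Vault file {{ proxmox_vault_file }} not found"
      when: not vault_stat.stat.exists

    # include_vars decrypts in memory; a wrong secret fails this task and lands in rescue
    - name: Load the vault contents into memory
      ansible.builtin.include_vars:
        file: "{{ proxmox_vault_file }}"
        name: vault_data
      no_log: true

    - name: Merge the new secret into the loaded data
      ansible.builtin.set_fact:
        new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
      when: vm_name_secret not in vault_data
      no_log: true

    # Only ciphertext reaches copy; the file is never on disk decrypted
    - name: Write the vault back encrypted with restrictive permissions
      ansible.builtin.copy:
        content: "{{ new_vault_data | to_nice_yaml | ansible.builtin.vault(vault_password) }}"
        dest: "{{ proxmox_vault_file }}"
        mode: "0600"
      when: vm_name_secret not in vault_data
      no_log: true
  rescue:
    # Report which step failed without echoing vault contents into the log
    - name: Report the failure
      ansible.builtin.fail:
        msg: "Vault update for {{ proxmox_vault_file }} failed in task '{{ ansible_failed_task.name }}'"
```

Because the vault file is only ever read into memory and rewritten as ciphertext, a failure at any step leaves the original encrypted file untouched, which is the property the "no temporary plaintext files" acceptance criterion is checking for.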