fix: ensure redis secrets flow from vault

deployment/ansible/roles/application/tasks/sync.yml

@@ -44,7 +44,32 @@
 
 - name: Determine application redis password
   set_fact:
-    application_redis_password: "{{ vault_redis_password | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits,punctuation')) }}"
+    application_redis_password: "{{ redis_password | default(vault_redis_password | default('')) }}"
+  no_log: yes
+
+- name: Ensure redis password provided via vault
+  fail:
+    msg: >-
+      Redis credentials are missing. Define vault_redis_password in
+      {{ application_vault_file }} (encrypted with ansible-vault) or pass
+      redis_password via extra vars.
+  when: (application_redis_password | string | trim) == ''
+
+- name: Determine application app key
+  set_fact:
+    application_app_key: "{{ app_key | default(vault_app_key | default('')) }}"
+  no_log: yes
+
+- name: Ensure application app key provided via vault
+  fail:
+    msg: >-
+      Application key missing. Define vault_app_key in
+      {{ application_vault_file }} (ansible-vault) or pass app_key via extra vars.
+  when: (application_app_key | string | trim) == ''
+
+- name: Determine encryption key (optional)
+  set_fact:
+    application_encryption_key: "{{ encryption_key | default(vault_encryption_key | default('')) }}"
   no_log: yes
 
 - name: Check if application docker-compose source exists locally
@@ -83,6 +108,8 @@
   set_fact:
     db_password: "{{ application_db_password }}"
     redis_password: "{{ application_redis_password }}"
+    app_key: "{{ application_app_key }}"
+    encryption_key: "{{ application_encryption_key }}"
     db_username: "{{ db_user | default(db_user_default) }}"
     db_name: "{{ db_name | default(db_name_default) }}"
   no_log: yes