diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml
index b77f064..9c13149 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/initialize.yml
@@ -17,19 +17,19 @@ - name: set init data filename no_log: true ansible.builtin.set_fact: - hc_vault_init_data_filename: "{{ hc_vault_init_data_filepath | default('/tmp', True) }}/vault_{{ ansible_facts['fqdn'] }}_init.yml" + hc_vault_init_data_filename: "{{ hc_vault_init_data_filepath | default(provisioner_facts.artifacts_dir, True) }}/hashicorp_vault_{{ ansible_facts['fqdn'] }}_init.yml" - name: save initialization data connection: local no_log: true - block: - - name: save content to temp file - ansible.builtin.copy: - content: '{{ init_data.stdout }}' - dest: '{{ hc_vault_init_data_filename }}' - mode: '0600' - owner: "{{ ansible_facts['user_id'] }}" - group: "{{ ansible_facts['user_id'] }}" + ansible.builtin.copy: + content: '{{ init_data.stdout }}' + dest: '{{ hc_vault_init_data_filename }}' + mode: '0600' + owner: "{{ ansible_facts['user_id'] }}" + group: "{{ ansible_facts['user_id'] }}" + vars: + ansible_python_interpreter: /usr/bin/python3 - name: print init data file location no_log: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install_binary.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install_binary.yml
new file mode 100644
index 0000000..b9d9f70
--- /dev/null
+++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install_binary.yml
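Review bot: The `vars: ansible_python_interpreter: /usr/bin/python3` added to the `save initialization data` task hard-codes the controller's interpreter for a `connection: local` task; Ansible already exposes the interpreter it is running under as `ansible_playbook_python`, so `ansible_python_interpreter: "{{ ansible_playbook_python }}"` keeps working when the controller runs from a venv or a non-`/usr/bin` layout. The new `default(provisioner_facts.artifacts_dir, True)` only takes effect when `hc_vault_init_data_filepath` is unset, and in that case a host without `provisioner_facts` now fails with an undefined-variable error where the old `/tmp` fallback always succeeded; if failing loudly is the intent, a one-line comment above the `set_fact` saying the artifacts directory is required would save the next reader a debugging round. Since the copied content is `init_data.stdout`, that directory should be one that is never committed or shared beyond the operator; the `mode: '0600'` covers the file but not its parent.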
@@ -0,0 +1,40 @@ +--- +- name: install vault binary + when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version + notify: + - 'vault : restart vault service' + block: + - name: download archive + ansible.builtin.get_url: + url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip' + dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip' + mode: '0600' + - name: download SHASUMs file signature + ansible.builtin.get_url: + url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig' + dest: '{{ tmp_file.path }}/shasums.sig' + mode: '0600' + - name: download SHASUMs files for vault releases + ansible.builtin.get_url: + url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS' + dest: '{{ tmp_file.path }}/shasums.txt' + mode: '0600' + - name: Verify downloaded files integrity + block: + - name: check SHASUMs file integrity + ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt' + - name: check SHASUM of the downloaded archive + ansible.builtin.command: + cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt' + chdir: '{{ tmp_file.path }}' + register: shasum_check + failed_when: 'search_string not in shasum_check.stdout' + vars: + search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK' + - name: install vault package + become: true + ansible.builtin.shell: | + cd {{ tmp_file.path }} + unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip + install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }} + {{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid") 
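Review bot: The last line of the `install vault package` shell script, `{{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid")`, makes the task succeed whenever the sanity check fails, because the `echo` in the `||` branch exits 0 and `ansible.builtin.shell` reports the status of the last command; a failed `unzip` or `install` earlier in the script is masked the same way since the script has no `set -e`. Change it to start with `set -e` and end with `{{ hc_vault_binary_path }} -h > /dev/null || { echo "Unexpected return, binary might be invalid" >&2; exit 1; }` so a broken binary fails the play before the notified handler restarts the service. In `check SHASUMs file integrity`, `gpg --verify` accepts a signature from any key present in the invoking user's keyring, so this pins the release to HashiCorp only if the key import done elsewhere (not visible in this hunk) keeps that keyring limited; `gpgv --keyring <path to a keyring holding only the HashiCorp release key>` would make the intended signer explicit. `sha256sum -c` on the full SHA256SUMS file also reports every other listed archive as missing, so adding `--ignore-missing` keeps the check to the file actually downloaded while the existing `failed_when` still requires the `: OK` line.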
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install_service.yml
similarity index 58%
rename from collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml
rename to collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install_service.yml
index b048181..fd0f2b2 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/install_service.yml
@@ -6,57 +6,18 @@ - default_ipv4 - dns -- name: install vault binary - when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version - notify: - - 'vault : restart vault service' - block: - - name: download archive - ansible.builtin.get_url: - url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip' - dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip' - mode: '0600' - - name: download SHASUMs file signature - ansible.builtin.get_url: - url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig' - dest: '{{ tmp_file.path }}/shasums.sig' - mode: '0600' - - name: download SHASUMs files for vault releases - ansible.builtin.get_url: - url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS' - dest: '{{ tmp_file.path }}/shasums.txt' - mode: '0600' - - name: Verify downloaded files integrity - block: - - name: check SHASUMs file integrity - ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt' - - name: check SHASUM of the downloaded archive - ansible.builtin.command: - cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt' - chdir: '{{ tmp_file.path }}' - register: shasum_check - failed_when: 'search_string not in shasum_check.stdout' - vars: - search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK' - - name: install vault package - become: true - ansible.builtin.shell: | - cd {{ tmp_file.path }} - unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip - install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }} - {{ hc_vault_binary_path }} -h > /dev/null || (echo "Unexpected return, binary might be invalid") - - name: prepare directory layout - become: true - ansible.builtin.file: - path: '{{ item }}' - owner: 
'{{ hc_vault_runas }}' - group: '{{ hc_vault_runas }}' - mode: '0700' - state: directory - loop: - - '{{ hc_vault_root_dir }}/config' - - '{{ hc_vault_root_dir }}/data' - - '{{ hc_vault_root_dir }}/tls' +- name: prepare directory layout + become: true + ansible.builtin.file: + path: '{{ item }}' + owner: '{{ hc_vault_runas }}' + group: '{{ hc_vault_runas }}' + mode: '0700' + state: directory + loop: + - '{{ hc_vault_root_dir }}/config' + - '{{ hc_vault_root_dir }}/data' + - '{{ hc_vault_root_dir }}/tls' - name: install systemd unit file become: true
diff --git a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml
index 4e6c36e..c8e9f0c 100644
--- a/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/vault/tasks/main.yml
@@ -30,8 +30,11 @@ - name: run prerequisite tasks ansible.builtin.import_tasks: prerequisites.yml -- name: install vault - ansible.builtin.import_tasks: install.yml +- name: install vault binary + ansible.builtin.import_tasks: install_binary.yml + +- name: install vault service + ansible.builtin.import_tasks: install_service.yml - name: run security configuration ansible.builtin.import_tasks: security.yml
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index c874a0e..705cfa0 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -2,6 +2,8 @@ # global parameters custom_base_user_account: "{{ vault_custom_base_user_account }}" custom_github_token: "{{ vault_custom_github_token | default('') }}" +hc_vault_instance: "{{ vault_hc_vault_instance }}" +hc_vault_instance_options: "{{ vault_hc_vault_instance_options }}" # security parameters security_clamav_version: 1.3.1
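Review bot: In `inventory/group_vars/all/vars.yml`, `hc_vault_instance` and `hc_vault_instance_options` carry no `default()`, unlike `custom_github_token` two lines above, so any task that references them on a host where the `vault_*` encrypted values are not loaded fails with an undefined-variable error rather than an empty value. If that is intentional, a comment above the pair naming the source of the `vault_` values and the expected shape of `hc_vault_instance_options` (mapping or string is not visible here) would document the requirement; otherwise mirror the `default('')` pattern used on the neighbouring line.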
diff --git a/inventory/group_vars/provisioner/vars.yml b/inventory/group_vars/provisioner/vars.yml
index f9ae430..0e0aca0 100644
--- a/inventory/group_vars/provisioner/vars.yml
+++ b/inventory/group_vars/provisioner/vars.yml
@@ -6,3 +6,4 @@ provisioner_kubeconfig_repository: /srv/ansible/kubeconfig
 provisioner_kubectl_binary_path: /usr/local/bin/kubectl
 provisioner_k3sup_binary_path: /usr/local/bin/k3sup
 provisioner_tofu_binary_path: /usr/bin/tofu #do not change this, the path is decided by the .deb package
+provisioner_vault_binary_path: /usr/local/bin/vault