Protect vault secret with GPG

Encrypting the vault password with GPG protects the key when stored on
disk and allows it to be accessed non-interactively, as long as the
GnuPG agent is set up correctly.

.gitignore

@@ -1 +1,2 @@
+/.vault-secret.gpg
 .fact-cache

.vault-secret.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec gpg --quiet --batch --decrypt "${0%.sh}.gpg"

ansible.cfg

@@ -6,3 +6,5 @@ inventory = hosts
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = .fact-cache
+
+vault_password_file = .vault-secret.sh