OPC # 0001: Extract OPC into standalone repo

infra/vault/entrypoint.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+
+KEYS_FILE="/vault/file/init.json"
+VAULT_ADDR="http://127.0.0.1:8200"
+export VAULT_ADDR
+
+# Start Vault server in the background
+vault server -config=/vault/config/vault.hcl &
+VAULT_PID=$!
+
+# Wait for Vault to be ready
+echo "[vault-init] Waiting for Vault to start..."
+until vault status > /dev/null 2>&1 || vault status 2>&1 | grep -q "Sealed\|Initialized"; do
+  sleep 1
+done
+echo "[vault-init] Vault is up."
+
+# Check if already initialised
+INIT_STATUS=$(vault status -format=json 2>/dev/null | grep '"initialized"' | grep -c "true" || true)
+
+if [ "$INIT_STATUS" = "0" ]; then
+  echo "[vault-init] First run — initialising Vault..."
+  vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"
+  echo "[vault-init] Keys saved to $KEYS_FILE"
+fi
+
+# Unseal using saved key
+UNSEAL_KEY=$(grep '"unseal_keys_b64"' "$KEYS_FILE" -A1 | grep '"' | tail -1 | tr -d ' ",' )
+ROOT_TOKEN=$(grep '"root_token"' "$KEYS_FILE" | sed 's/.*: *"\(.*\)".*/\1/')
+
+echo "[vault-init] Unsealing..."
+vault operator unseal "$UNSEAL_KEY"
+echo "[vault-init] Vault is unsealed. Root token is stored in $KEYS_FILE"
+
+# Authenticate and bootstrap Transit engine + master key (idempotent)
+export VAULT_TOKEN="$ROOT_TOKEN"
+
+echo "[vault-init] Enabling Transit secrets engine..."
+vault secrets enable -path=clarity-transit transit 2>/dev/null || echo "[vault-init] clarity-transit already enabled."
+
+echo "[vault-init] Creating master-key..."
+vault write -f clarity-transit/keys/master-key 2>/dev/null || echo "[vault-init] master-key already exists."
+
+echo "[vault-init] Vault bootstrap complete."
+
+# Keep container alive by waiting on the Vault process
+wait $VAULT_PID