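#!/bin/sh
# vault-init: start a Vault server in the background, initialise it on the
# first run, unseal it from the saved key, bootstrap the Transit engine with a
# master key, then wait on the server process so the container stays alive.
#
# Inputs:
#   /vault/config/vault.hcl  server configuration (passed to `vault server`)
# State:
#   $KEYS_FILE               JSON written by `vault operator init` on the first
#                            run (unseal key + root token); read on every run.
#                            It is the only copy of both secrets.
set -e

KEYS_FILE="/vault/file/init.json"
VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_ADDR

# Seconds to poll for the server before giving up (1 poll per second).
readonly START_TIMEOUT=60

# $KEYS_FILE holds the unseal key and root token in plaintext; make sure the
# file is created readable by the owner only rather than with the default umask.
umask 077

# Progress messages go to stdout, errors to stderr.
log() { printf '[vault-init] %s\n' "$*"; }
die() { printf '[vault-init] error: %s\n' "$*" >&2; exit 1; }

# Poll until `vault status` answers. It exits non-zero while the server is
# sealed, so output mentioning Sealed/Initialized also counts as "up".
# Aborts after START_TIMEOUT seconds instead of looping forever.
wait_for_vault() {
  waited=0
  log "Waiting for Vault to start..."
  until vault status > /dev/null 2>&1 || vault status 2>&1 | grep -qE "Sealed|Initialized"; do
    [ "$waited" -lt "$START_TIMEOUT" ] || die "Vault did not become reachable within ${START_TIMEOUT}s"
    sleep 1
    waited=$((waited + 1))
  done
  log "Vault is up."
}

# Returns 0 when the server reports "initialized": true. A failing `vault
# status` makes this return non-zero, which is treated as "not initialised".
vault_initialized() {
  vault status -format=json 2>/dev/null | grep -q '"initialized": *true'
}

# First-run initialisation. A single key share lets the container unseal
# itself unattended (no Shamir split); the resulting JSON is the only copy of
# the unseal key and root token. A failed init must not leave a partial file
# behind, otherwise the next run would try to unseal with garbage.
initialise_vault() {
  log "First run — initialising Vault..."
  if ! vault operator init -key-shares=1 -key-threshold=1 -format=json > "$KEYS_FILE"; then
    rm -f -- "$KEYS_FILE"
    die "vault operator init failed"
  fi
  log "Keys saved to $KEYS_FILE"
}

# Read UNSEAL_KEY and ROOT_TOKEN from $KEYS_FILE. Parsed with grep/sed on the
# pretty-printed JSON rather than depending on jq. Fails loudly when the file
# is missing (e.g. storage kept but the init file lost) instead of calling
# `vault operator unseal` with an empty key.
load_keys() {
  [ -s "$KEYS_FILE" ] || die "Vault is initialised but $KEYS_FILE is missing or empty; cannot unseal"
  UNSEAL_KEY=$(grep '"unseal_keys_b64"' "$KEYS_FILE" -A1 | grep '"' | tail -1 | tr -d ' ",')
  ROOT_TOKEN=$(grep '"root_token"' "$KEYS_FILE" | sed 's/.*: *"\(.*\)".*/\1/')
  [ -n "$UNSEAL_KEY" ] || die "could not read unseal key from $KEYS_FILE"
  [ -n "$ROOT_TOKEN" ] || die "could not read root token from $KEYS_FILE"
}

# Unseal with the single saved share. The key is passed on argv, so it is
# visible in the process list for the duration of the call.
unseal_vault() {
  log "Unsealing..."
  vault operator unseal "$UNSEAL_KEY"
  log "Vault is unsealed. Root token is stored in $KEYS_FILE"
}

# Enable the Transit engine and create the master key using the root token.
# Both steps are treated as idempotent: any failure is reported as "already
# enabled/exists" and ignored, so other causes (e.g. a rejected token) are not
# distinguished here.
bootstrap_transit() {
  export VAULT_TOKEN="$ROOT_TOKEN"
  log "Enabling Transit secrets engine..."
  vault secrets enable -path=clarity-transit transit 2>/dev/null || log "clarity-transit already enabled."
  log "Creating master-key..."
  vault write -f clarity-transit/keys/master-key 2>/dev/null || log "master-key already exists."
  log "Vault bootstrap complete."
}

main() {
  vault server -config=/vault/config/vault.hcl &
  VAULT_PID=$!
  # Stop the server whenever this script exits (bootstrap failure or a
  # forwarded TERM/INT), so it is not left running or killed uncleanly.
  trap 'kill "$VAULT_PID" 2>/dev/null; wait "$VAULT_PID" 2>/dev/null || true' EXIT
  trap 'exit' TERM INT

  wait_for_vault
  if ! vault_initialized; then
    initialise_vault
  fi
  load_keys
  unseal_vault
  bootstrap_transit
  # The secrets are no longer needed by the long-lived shell; drop them from
  # its environment before blocking on the server.
  unset VAULT_TOKEN UNSEAL_KEY ROOT_TOKEN

  # Keep the container alive by waiting on the Vault process.
  wait "$VAULT_PID"
}

main "$@"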