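#!/bin/bash
#
# Initialise (first run only) and unseal the Vault server running in the
# Docker container named by CONTAINER_NAME.
#
# Usage:   run from the repository root; the paths below are relative.
# Files:   reads  infra/environments/production/.env
#          writes infra/environments/production/.vault-keys (first run only)
# Outputs: progress messages on stdout, errors on stderr.
# Exports: VAULT_TOKEN (only visible to the caller if this file is sourced).
#
# SECURITY: KEYS_FILE holds the unseal key and the root token in plaintext.
# Anyone who can read it has full control of this Vault. Keep it out of
# version control and move it to secure storage after the first run.
set -e

# Print a message on stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Load environment variables
# shellcheck disable=SC1091 -- file is not available to static analysis
source infra/environments/production/.env

# The address is handed to the vault CLI *inside* the container (see
# vault_cmd), so the plaintext HTTP hop stays on the container's loopback.
VAULT_ADDR="http://127.0.0.1:8200"
CONTAINER_NAME="apa-vault"
KEYS_FILE="infra/environments/production/.vault-keys"

echo "Checking Vault status..."

# Helper function to run vault commands inside docker.
# Arguments: passed through verbatim to the vault CLI.
vault_cmd() {
  # Quoted so an unexpected value cannot be split into extra docker arguments.
  docker exec -i -e VAULT_ADDR="$VAULT_ADDR" "$CONTAINER_NAME" vault "$@"
}

# Check if Vault is initialized.
# The exit status of `vault status` is deliberately ignored, as in the
# original pipeline where only grep's result counted: a sealed Vault makes
# the command exit non-zero even though it printed valid JSON. Capturing the
# output first also keeps `grep -q` from closing the pipe on docker early.
status_json=$(vault_cmd status -format=json) || true

if grep -Eq '"initialized":[[:space:]]*true' <<<"$status_json"; then
  echo "Vault is already initialized."
else
  echo "Vault is NOT initialized. Initializing..."

  # NOTE(review): one key share with threshold 1 means the single key stored
  # in KEYS_FILE unseals Vault on its own -- there is no split custody.
  # Acceptable for a single-operator setup; reconsider for shared production.
  INIT_OUTPUT=$(vault_cmd operator init -key-shares=1 -key-threshold=1 -format=json)

  # Create the file under a restrictive umask so it is never readable by
  # other users, not even in the window before chmod runs. The subshell keeps
  # the umask change from leaking into the rest of the script (or into the
  # caller, if this file is sourced).
  (
    umask 077
    printf '%s\n' "$INIT_OUTPUT" > "$KEYS_FILE"
  )
  # umask does not affect a pre-existing file, so still tighten explicitly.
  chmod 600 "$KEYS_FILE"

  echo "Vault initialized! Keys saved to $KEYS_FILE"
  echo "WARNING: BACK UP THIS FILE SECURELY!"
fi

# Read keys
[[ -r "$KEYS_FILE" ]] \
  || die "Vault is initialized but $KEYS_FILE is missing or unreadable; cannot unseal."

# Extract first key from the array (assuming 1 key share).
# This relies on the pretty-printed layout of `-format=json` output: the key
# is expected on the line right after "unseal_keys_b64".
UNSEAL_KEY=$(grep -A 1 '"unseal_keys_b64":' "$KEYS_FILE" | tail -n 1 | cut -d'"' -f2)
ROOT_TOKEN=$(grep '"root_token":' "$KEYS_FILE" | cut -d'"' -f4)

# Without pipefail a failed grep yields an empty string rather than an error;
# calling unseal with an empty key would not do what the operator expects.
[[ -n "$UNSEAL_KEY" ]] || die "could not extract an unseal key from $KEYS_FILE"

# Unseal
echo "Unsealing Vault..."
# NOTE(review): the key is passed as a command-line argument and is therefore
# visible in the process list while the command runs.
vault_cmd operator unseal "$UNSEAL_KEY"

echo "Vault is Unsealed!"

if [[ -z "$ROOT_TOKEN" ]]; then
  # Not fatal: unsealing succeeded, and removing the root token from the keys
  # file after bootstrap is a legitimate hardening step.
  echo "WARNING: no root_token found in $KEYS_FILE; VAULT_TOKEN will be empty." >&2
elif [[ -t 1 ]]; then
  echo "Root Token: $ROOT_TOKEN"
else
  # stdout is a pipe or file (CI log, tee, ...): do not persist the root
  # token in captured output.
  echo "Root Token: (not printed to non-terminal output; see $KEYS_FILE)"
fi

# Export Root Token for setup script.
# NOTE(review): this only reaches the setup script if this file is sourced or
# the setup script is started from this process -- confirm with the caller.
export VAULT_TOKEN="$ROOT_TOKEN"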