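#!/usr/bin/env bash
# vault-unseal.sh — unseal Vault after a container restart
# Decrypts the GPG-encrypted keys file and unseals automatically.
# Add to startup: after `docker compose up`, call this script.
#
# Requires vault, gpg and python3 on PATH. The keys file is the GPG-encrypted
# JSON written by vault-init.sh; only its "unseal_keys_b64" array is read.
# Every share in that array is submitted in order until Vault reports itself
# unsealed, so a threshold of 1 (the original behaviour) or >1 both work.
set -euo pipefail

VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
KEYS_FILE="${HOME}/.vault-keys.gpg"
export VAULT_ADDR

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Return 0 when `vault status` reports "Sealed false".
# `vault status` itself exits non-zero while sealed or unreachable, so the
# grep decides the result either way; callers treat non-zero as "not unsealed".
#######################################
is_unsealed() {
  vault status 2>/dev/null | grep -q "Sealed.*false"
}

if is_unsealed; then
  echo "Vault is already unsealed."
  exit 0
fi

[[ -f "${KEYS_FILE}" ]] || die "${KEYS_FILE} not found — run vault-init.sh first"

echo "Decrypting unseal key ..."
# gpg's diagnostics stay on stderr so a failed decryption (no private key,
# expired agent cache) is visible instead of silently yielding an empty key.
# Output is one base64 share per line; pipefail makes a gpg or JSON failure
# trip the `|| die`.
keys_text=$(gpg --decrypt "${KEYS_FILE}" \
  | python3 -c 'import json,sys; print("\n".join(json.load(sys.stdin)["unseal_keys_b64"]))') \
  || die "could not decrypt or parse ${KEYS_FILE}"
[[ -n "${keys_text}" ]] || die "no unseal keys found in ${KEYS_FILE}"
mapfile -t UNSEAL_KEYS <<<"${keys_text}"

echo "Unsealing Vault at ${VAULT_ADDR} ..."
# Shares are fed on stdin rather than argv so they never appear in `ps`
# output, shell history or an accidental `set -x` trace. Stop as soon as the
# threshold is reached rather than submitting every share unconditionally.
for key in "${UNSEAL_KEYS[@]}"; do
  printf '%s\n' "${key}" | vault operator unseal
  if is_unsealed; then
    break
  fi
done

# Do not claim success on the basis of having run the command; ask Vault.
is_unsealed || die "Vault is still sealed after submitting ${#UNSEAL_KEYS[@]} key(s)"
# Drop plaintext shares from the shell environment now that they are not needed.
unset UNSEAL_KEYS keys_text key
echo "Vault unsealed."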