#!/usr/bin/env bash
# vault-env — setzt 4 Vault-Envvars (ADDR, CACERT, CLIENT_CERT, CLIENT_KEY)
# Nutzung (muss *gesourct* werden):
#   source ~/.local/bin/vault-env
# Danach z.B.:
#   vault status
#   vault login -method=cert

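# Strict mode only when this file is *executed*. Its intended use is to be
# sourced, and `set -Eeuo pipefail` would then persist in the caller's
# interactive shell: `set -e` closes that shell on the next failing command
# (a `grep` with no match is enough) and `set -u` trips many completion
# scripts. When sourced, the explicit `[[ -r … ]]` guards below handle errors.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  set -Eeuo pipefail
fi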

# Minimal-Log
# Minimal logger: prints all arguments, space-joined, behind the script tag.
log() {
  local message="$*"
  printf '[vault-env] %s\n' "$message"
}

# 1) Adresse (FQDN ⇒ kein SNI nötig)
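# 1) Address (FQDN ⇒ no SNI override needed); an already-set VAULT_ADDR wins.
export VAULT_ADDR="${VAULT_ADDR:-https://vault.test.privsec.ch:22300}"

# 2) CA bundle: prefer the proxy chain, otherwise fall back to the agent CA.
CA_FILE="$HOME/nginx/ca/current-ca-chain.pem"
[[ -r "$CA_FILE" ]] || CA_FILE="$HOME/vault/ca/ca.pem"
export VAULT_CACERT="$CA_FILE"

# 3–4) mTLS client cert & key; already-set values win.
export VAULT_CLIENT_CERT="${VAULT_CLIENT_CERT:-$HOME/vault/mtls/agent.crt}"
export VAULT_CLIENT_KEY="${VAULT_CLIENT_KEY:-$HOME/vault/mtls/agent.key}"

# 5) Token. `export VAULT_TOKEN="$(cat ~/.vault-token)"` hid cat's exit status
# behind export (SC2155) and, with the file missing, exported an EMPTY token,
# clobbering any token the caller already had. The variable is now only set
# when the file is readable. `read -r` needs no subshell; `|| true` keeps a
# token that was written without a trailing newline. Note the exported value
# is visible to every child process (and in /proc/<pid>/environ); the vault
# CLI reads ~/.vault-token on its own, so the export only serves other tooling.
_ve_token_file="$HOME/.vault-token"
if [[ -r "$_ve_token_file" ]]; then
  VAULT_TOKEN=""
  IFS= read -r VAULT_TOKEN < "$_ve_token_file" || true
  export VAULT_TOKEN
  # File mode in octal: GNU stat first, BSD/macOS stat as fallback, else empty.
  _ve_mode=$(stat -c '%a' -- "$_ve_token_file" 2>/dev/null \
    || stat -f '%Lp' -- "$_ve_token_file" 2>/dev/null \
    || true)
  # Any group bit (second-to-last digit) or other bit (last digit) set means
  # the token is readable by other accounts.
  if [[ "$_ve_mode" == *[1-7]? || "$_ve_mode" == *[1-7] ]]; then
    log "WARN: Token-Datei ist für andere lesbar (mode $_ve_mode) → chmod 600 $_ve_token_file"
  fi
  unset _ve_mode
else
  log "WARN: Token-Datei fehlt/unlesbar → $_ve_token_file (VAULT_TOKEN nicht gesetzt)"
fi
unset _ve_token_file

# Small hints. Written as if/else: `a && b || c` would also run c when b fails.
if [[ -r "$VAULT_CACERT" ]]; then
  log "CA ok: $VAULT_CACERT"
else
  log "WARN: CA fehlt/unerreichbar → $VAULT_CACERT"
fi
if [[ -r "$VAULT_CLIENT_CERT" ]]; then
  log "mTLS cert ok: $VAULT_CLIENT_CERT"
else
  log "WARN: mTLS cert fehlt → $VAULT_CLIENT_CERT"
fi
if [[ -r "$VAULT_CLIENT_KEY" ]]; then
  log "mTLS key ok:  $VAULT_CLIENT_KEY"
else
  log "WARN: mTLS key fehlt → $VAULT_CLIENT_KEY"
fi

log "VAULT_ADDR=$VAULT_ADDR"
log "Fertig. (Hinweis: Script muss *gesourct* werden, sonst gelten die Exports nur im Sub-Shell.)"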
