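#!/bin/sh
# Certificate deploy hook (Jinja2 template): copies the Let's Encrypt
# certificate and private key issued by dehydrated into Vault's TLS directory
# and reloads Vault so it picks up the new pair.
#
# Arguments: $1 - certificate name; only the configured name triggers a deploy
#                 (NOTE(review): assumes the caller passes the certificate
#                 name as the first argument - confirm against the hook chain)
# Returns:   0 when nothing had to be done or the deploy succeeded,
#            non-zero as soon as any step fails (set -e).
#
# POSIX sh only: "pipefail" and "==" inside [ ] are not portable to every
# /bin/sh, and the script contains no pipeline that pipefail would protect.
set -eu

{% if vault_letsencrypt_cert is defined %}
# "${1:-}" keeps the comparison valid when the hook is called without arguments.
if [ "${1:-}" = "{{ vault_letsencrypt_cert }}" ]; then
  # NOTE(review): the templated values are assumed to be plain path-safe
  # strings (no quotes, spaces or shell metacharacters) - confirm in the
  # variable definitions.
  src_dir="/var/lib/dehydrated/certificates/certs/{{ vault_letsencrypt_cert }}"
  tls_dir="{{ vault_root_dir }}/tls"

  # Anything created from here on starts owner-only, so the private key is
  # never readable by other users, not even between copy and chmod.
  umask 077

  # Stage both files next to their destination with the final owner and mode,
  # then rename them into place: rename within one directory is atomic, so a
  # failed copy leaves the previous key/certificate pair untouched.
  install -o root -g vault -m 640 "${src_dir}/privkey.pem" "${tls_dir}/vault.key.new"
  install -o root -g root -m 644 "${src_dir}/fullchain.pem" "${tls_dir}/vault.crt.new"
  mv -f "${tls_dir}/vault.key.new" "${tls_dir}/vault.key"
  mv -f "${tls_dir}/vault.crt.new" "${tls_dir}/vault.crt"

  # Reload only after both files are in place; set -e skips this on any error.
  systemctl reload vault
fi
{% else %}
# No Let's Encrypt cert configured, nothing to do
exit 0
{% endif %}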