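#!/bin/sh
#
# Ensure a Vault transit secrets engine is mounted at [[ .vault.root ]]transit
# and that a transit key named [[ .instance ]] exists beneath it.
#
# This file is a Go template (delimiters `[[` / `]]`) and must be rendered
# before it is executed. Rendering inputs used here:
#   .vault.root            mount prefix; the jq lookup strips a leading "/"
#                          because `vault secrets list` keys mounts without it
#   .instance              name of the transit key to create
#   .vault.transit.params  key=value options passed to `vault write` when the
#                          key is first created
#
# Requires a `vault` CLI that is already authenticated (VAULT_ADDR / VAULT_TOKEN
# from the environment) and allowed to list, enable and write the paths above.
set -eu
# pipefail is not available in every /bin/sh (older dash, ash); enable it where
# supported so a failed `vault secrets list` is not masked by the trailing jq.
if (set -o pipefail 2>/dev/null); then
  set -o pipefail
fi

TMP=$(mktemp -d)
# Remove the scratch directory on every exit path, including failures under set -e.
trap 'rm -rf -- "${TMP:?}"' EXIT

MOUNT_PATH="[[ .vault.root ]]transit"
KEY_PATH="${MOUNT_PATH}/keys/[[ .instance ]]"

# jq prints "null" when nothing is mounted at that path; it prints nothing at all
# if `vault secrets list` produced no output (e.g. it failed and pipefail is unavailable).
MOUNT_TYPE=$(vault secrets list -format json \
  | jq -r '.["[[ .vault.root | regexp.Replace "^/" "" ]]transit/"].type')

case "${MOUNT_TYPE}" in
  transit)
    echo "Secret engine already mounted at ${MOUNT_PATH}"
    ;;
  null)
    echo "Mounting new transit secret engine at ${MOUNT_PATH}"
    vault secrets enable -path="${MOUNT_PATH}" transit
    ;;
  "")
    echo "Error: could not determine what is mounted at ${MOUNT_PATH} (vault secrets list failed?)" >&2
    exit 1
    ;;
  *)
    # `vault secrets enable` would fail with a path conflict here; explain why instead.
    echo "Error: ${MOUNT_PATH} is already mounted with engine type '${MOUNT_TYPE}', expected 'transit'" >&2
    exit 1
    ;;
esac

# A failed read is treated as "key does not exist". If Vault is unreachable or
# access is denied, the write below fails loudly rather than silently continuing.
if vault read "${KEY_PATH}" > /dev/null 2>&1; then
  echo "Transit key ${KEY_PATH} is already configured"
else
  echo "Creating transit key ${KEY_PATH}"
  # NOTE(review): every option below comes from .vault.transit.params. Review the
  # rendered values for settings that weaken the key, such as exportable=true or
  # allow_plaintext_backup=true; per Vault's transit docs these are presumed not
  # to be reversible once enabled -- confirm before rendering.
  # -force lets the write succeed with an empty params map (all-default key);
  # it has no effect when key=value pairs are present.
  vault write -force "${KEY_PATH}"
    [[- range $k, $v := .vault.transit.params ]] \
    "[[ $k ]]=[[ $v ]]"
    [[- end ]]
fi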