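#!/bin/sh
# Container entrypoint: start the Vault server, optionally auto-unseal it,
# then stay attached to the server process until it exits.
#
# Environment:
#   VAULT_UNSEAL_KEY  (optional) a single unseal key share. When unset or
#                     empty, the auto-unseal step is skipped.
#
# NOTE(review): keeping an unseal key in the container environment places it
# next to the data it protects, and anyone who can inspect the container
# configuration can read it. Treat this as a dev/test convenience; for
# anything else prefer a seal stanza in vault.hcl (KMS/HSM/transit
# auto-unseal) so that no key share is handled by this script.
set -e

# Start Vault server in background
vault server -config=/vault/config/vault.hcl &
VAULT_PID=$!

# Forward stop signals to the server. When this script runs as PID 1 the
# signal would otherwise never reach Vault, which would then be killed
# without a chance to shut down cleanly.
trap 'kill -TERM "$VAULT_PID" 2>/dev/null || true' TERM INT

# Wait for Vault to be ready
# NOTE(review): assumes the listener in vault.hcl serves plain HTTP on
# loopback port 8200; confirm against the config file.
export VAULT_ADDR="http://127.0.0.1:8200"

echo "Waiting for Vault to start..."
until vault status -format=json 2>/dev/null | grep -q '"initialized"'; do
  # Stop polling if the server has died (bad config, port in use, ...)
  # instead of spinning forever.
  if ! kill -0 "$VAULT_PID" 2>/dev/null; then
    echo "Vault server exited before becoming ready." >&2
    wait "$VAULT_PID" || exit $?
    exit 1
  fi
  sleep 1
done

# Auto-unseal if VAULT_UNSEAL_KEY is set
if [ -n "$VAULT_UNSEAL_KEY" ]; then
  # `vault status` exit code: 0 = unsealed, 2 = sealed, 1 = error.
  # Using it avoids scraping the JSON output and keeps a status error
  # from being reported as "already unsealed".
  status_rc=0
  vault status >/dev/null 2>&1 || status_rc=$?

  case "$status_rc" in
    2)
      echo "Vault is sealed, auto-unsealing..."
      # NOTE(review): the key share is passed as a command-line argument
      # and is therefore visible in the process list while this call runs.
      vault operator unseal "$VAULT_UNSEAL_KEY"
      # One key share only unseals when the threshold is 1; confirm the
      # result rather than assuming it.
      if vault status >/dev/null 2>&1; then
        echo "Vault unsealed."
      else
        echo "Vault is still sealed after submitting the key share." >&2
      fi
      ;;
    0)
      echo "Vault is already unsealed."
      ;;
    *)
      echo "Could not determine Vault seal status (exit $status_rc)." >&2
      ;;
  esac
else
  echo "VAULT_UNSEAL_KEY not set, skipping auto-unseal."
fi

# Wait for Vault process
rc=0
wait "$VAULT_PID" || rc=$?
# `wait` returns early (status > 128) when a trapped signal arrives; wait
# once more so the server can finish shutting down before this script exits.
if kill -0 "$VAULT_PID" 2>/dev/null; then
  rc=0
  wait "$VAULT_PID" || rc=$?
fi
exit "$rc"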