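#!/usr/bin/env bash
# -------------------------------------------------------
# HashiCorp Vault Installation and Configuration Script
#
# Sets up a single-node Vault server on a systemd host:
# a dedicated service account, a file storage directory,
# /etc/vault/config.hcl, and a vault.service unit, then
# enables and starts the service.
#
# Must run as root. Assumes the vault package already
# provides /usr/bin/vault (step 1 is commented out).
#
# Security notes for whoever deploys this:
#   * The listener is plaintext (tls_disable = 1). That is only
#     tolerable because it binds to 127.0.0.1; enable TLS before
#     changing the address to anything non-loopback.
#   * disable_mlock = true lets Vault's memory be paged to swap.
#     Disable or encrypt swap, or turn mlock back on and grant the
#     service CAP_IPC_LOCK.
#   * A freshly started Vault is uninitialized and sealed; the
#     unseal keys and root token produced at initialization are
#     the most sensitive output of the whole setup.
# -------------------------------------------------------
set -euo pipefail

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Every step below writes system paths or manages accounts/services.
[[ ${EUID} -eq 0 ]] || die "[-] This script must be run as root."

# Fail before touching the system rather than halfway through at the
# restorecon/systemctl steps.
[[ -x /usr/bin/vault ]] \
  || die "[-] /usr/bin/vault not found; install Vault first (see step 1)."

# -------------------------------------------------------
# 1. Install Vault
# -------------------------------------------------------
# yum install -y yum-utils
# yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
# yum -y install vault
# echo "[+] Vault installed successfully."

# -------------------------------------------------------
# 2. Create directories and set permissions
# -------------------------------------------------------
# Only create the account when it is missing, so a re-run does not
# abort under `set -e` on "user already exists".
if ! id -u vault >/dev/null 2>&1; then
  useradd --system --home /opt/vault --shell /bin/false vault
fi

# The storage directory holds Vault's encrypted data: service account only.
mkdir -p /opt/vault/data
chown -R vault:vault /opt/vault
chmod 0750 /opt/vault
chmod 0700 /opt/vault/data

# The service only needs to read its configuration. Keeping the
# directory root-owned means a compromised Vault process cannot
# rewrite its own config.
mkdir -p /etc/vault
chown root:vault /etc/vault
chmod 0750 /etc/vault
echo "[+] Directories and permissions set."

# -------------------------------------------------------
# 3. Create Vault configuration file
# -------------------------------------------------------
# The subshell scopes the umask so the file is never world-readable,
# not even between creation and the chmod below.
(
  umask 027
  cat > /etc/vault/config.hcl <<'EOF'
storage "file" {
  path = "/opt/vault/data"
}

# Plaintext listener: keep it on loopback, or enable TLS first.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

# With mlock disabled, Vault memory may be written to swap.
disable_mlock = true
ui = true
EOF
)
chown root:vault /etc/vault/config.hcl
chmod 0640 /etc/vault/config.hcl
echo "[+] Vault configuration file created at /etc/vault/config.hcl."

# -------------------------------------------------------
# 4. Create systemd service file
# -------------------------------------------------------
cat > /etc/systemd/system/vault.service <<'EOF'
[Unit]
Description=HashiCorp Vault
After=network-online.target
Wants=network-online.target

[Service]
User=vault
Group=vault
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
Restart=on-failure
LimitNOFILE=65536
# Sandboxing: the service writes only to /opt/vault/data.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=read-only

[Install]
WantedBy=multi-user.target
EOF
chmod 0644 /etc/systemd/system/vault.service
echo "[+] Vault systemd service file created at /etc/systemd/system/vault.service."

# -------------------------------------------------------
# 5. Enable and start Vault service
# -------------------------------------------------------
# Reset the binary's SELinux label; skipped where restorecon is absent.
if command -v restorecon >/dev/null 2>&1; then
  restorecon -v /usr/bin/vault
fi
systemctl daemon-reload
systemctl enable vault
systemctl start vault
echo "[+] Vault service started and enabled."

# -------------------------------------------------------
# 6. Final status
# -------------------------------------------------------
# With pipefail, a non-zero `systemctl status` (service not active)
# also triggers the manual-check hint, not only a missing "Active:" line.
systemctl --no-pager status vault | grep "Active:" || echo "[+] Vault service may need manual check."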