# Vault Agent for Development Environment
# AppRole credentials are injected as files from environment variables
pid_file = "/tmp/vault-agent.pid"

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/vault/secrets/role_id"
      secret_id_file_path = "/vault/secrets/secret_id"
    }
  }
  sink "file" {
    config = { path = "/vault/token" }
  }
}

vault {
  address = "{{ env `VAULT_ADDR` }}"
}

# MongoDB root credentials
template {
  source      = "/etc/vault/templates/mongo/user.ctmpl"
  destination = "/vault/secrets/MONGO_ROOT_USER"
}

template {
  source      = "/etc/vault/templates/mongo/pass.ctmpl"
  destination = "/vault/secrets/MONGO_ROOT_PASSWORD"
}

# MongoDB replica set keyFile (strict perms for MongoDB)
template {
  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
  destination = "/vault/secrets/mongo.kf"
  command     = "sh -lc 'chmod 0400 /vault/secrets/mongo.kf'"
}

# NATS credentials
template {
  source      = "/etc/vault/templates/nats/user.ctmpl"
  destination = "/vault/secrets/NATS_USER"
}

template {
  source      = "/etc/vault/templates/nats/pass.ctmpl"
  destination = "/vault/secrets/NATS_PASSWORD"
}