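# Vault Agent for DB stack. AppRole creds are files on the host.
#
# Rendered secret files carry explicit `perms`: without them the agent's
# template default (0644) leaves passwords world-readable on the host.
# NOTE(review): every reader of a 0600/0400 file below must run as the file
# owner (the agent's user, or the uid set by `command`) — confirm per consumer.

pid_file = "/tmp/vault-agent.pid"

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/vault/secrets/role_id"
      # By default the agent deletes this file after the first read
      # (remove_secret_id_file_after_reading), so it must be re-provisioned
      # before an agent restart.
      secret_id_file_path = "/vault/secrets/secret_id"
    }
  }

  # Token sink for local consumers; the file sink's own default mode applies.
  sink "file" {
    config = {
      path = "/vault/token"
    }
  }
}

# Vault address: the agent config is not run through the template engine, so
# the previous `{{ env `VAULT_ADDR` }}` value was a literal string, not a
# lookup. Set VAULT_ADDR in the agent's environment instead; the agent honours
# it over any configured `address`, which is why the `vault` stanza is omitted.

# Mongo root credentials
template {
  source      = "/etc/vault/templates/mongo/user.ctmpl"
  destination = "/vault/secrets/MONGO_INITDB_ROOT_USERNAME"
  perms       = "0600"
}

template {
  source      = "/etc/vault/templates/mongo/pass.ctmpl"
  destination = "/vault/secrets/MONGO_INITDB_ROOT_PASSWORD"
  perms       = "0600"
}

# Replica set keyFile (strict perms). `perms` covers the window between write
# and `command`; the command still hands ownership to the mongo uid/gid.
# `sh -c` rather than `sh -lc`: a login shell would source /etc/profile and
# ~/.profile under the agent's (typically root) account for no benefit.
template {
  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
  destination = "/vault/secrets/mongo.kf"
  perms       = "0400"
  command     = "sh -c 'chown 999:999 /vault/secrets/mongo.kf && chmod 0400 /vault/secrets/mongo.kf'"
}

# PBM: backup user/pass + S3 creds env
template {
  source      = "/etc/vault/templates/backup/user.ctmpl"
  destination = "/etc/backup/.u"
  perms       = "0600"
}

template {
  source      = "/etc/vault/templates/backup/pass.ctmpl"
  destination = "/etc/backup/.p"
  perms       = "0600"
}

# Holds S3 credentials — same ownership caveat as above.
template {
  source      = "/etc/vault/templates/pbm/env.ctmpl"
  destination = "/etc/backup/pbm.env"
  perms       = "0600"
}

template {
  source      = "/etc/vault/templates/pbm/config.ctmpl"
  destination = "/etc/backup/pbm-config.yaml"
  perms       = "0600"
}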