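# @summary Deploys Vault unseal key shares plus a systemd service (and an
#   hourly cron kick) that keeps the local Vault instance unsealed.
#
# NOTE(review): keeping the unseal key shares on the Vault host itself means
# anyone with root on this box can unseal Vault. The seal then only protects
# against offline theft of the storage backend, not against host compromise.
# Prefer an auto-unseal mechanism (cloud KMS / HSM) where one is available.
#
# @param unseal_keys
#   Unseal key shares rendered into /etc/vault/unseal_keys. Looked up from
#   the Hiera key `vault::unseal_keys` (first match) and defaulting to an
#   empty list. The file content is wrapped in Sensitive so it is not
#   logged or shown in resource diffs.
# @param vault_address
#   Address the unseal script talks to. Defaults to plain HTTP on loopback.
#   The unseal shares are sent to this address, so only point it at a
#   non-loopback http:// URL if the network path is trusted; use https://
#   for anything off-host.
class profiles::vault::unseal (
  Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
  Variant[Stdlib::HTTPSUrl, Stdlib::HTTPUrl] $vault_address = 'http://127.0.0.1:8200',
) {
  # Unseal key shares, readable by root only. `backup => false` keeps
  # superseded versions out of the agent filebucket, which would otherwise
  # retain old key material in cleartext under the Puppet state directory
  # every time the file changes.
  file { '/etc/vault/unseal_keys':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    backup  => false,
    content => Sensitive(template('profiles/vault/unseal_keys.erb')),
    require => Class['vault'],
  }

  # Unseal helper executed by the systemd unit below. The template body is
  # not visible here; if it ever embeds key material it should be wrapped
  # in Sensitive like the key file above.
  file { '/usr/local/bin/vault-unseal.sh':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    content => template('profiles/vault/vault_unseal.sh.erb'),
  }

  # Systemd unit that runs the unseal helper. It restarts whenever the vault
  # service or the key file changes so a re-keyed Vault is unsealed promptly.
  systemd::unit_file { 'vault-unseal.service':
    content   => template('profiles/vault/vault-unseal.service.erb'),
    active    => true,
    enable    => true,
    require   => File['/usr/local/bin/vault-unseal.sh'],
    subscribe => [Service['vault'], File['/etc/vault/unseal_keys']],
  }

  # Restart the unseal unit once an hour so Vault is unsealed again after a
  # restart that did not go through Puppet. The minute is derived from the
  # FQDN to spread restarts across the fleet.
  cron { 'restart_vault_unseal':
    ensure  => 'present',
    user    => 'root',
    command => '/bin/systemctl restart vault-unseal',
    minute  => fqdn_rand(60),
    hour    => '*',
    require => Service['vault-unseal.service'],
  }
}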