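# profiles::vault::unseal
#
# @summary Deploys the Vault unseal keys file, an unseal script and a systemd
#   unit that runs the script.
#
# Security notes for reviewers:
#  * The unseal keys are written in clear text to the host that runs Vault.
#    Anyone with root on this host, or with access to a disk image or backup
#    of it, can unseal Vault. If that is not acceptable, consider Vault's
#    auto-unseal (KMS/HSM/transit seal) instead of distributing key shares.
#  * $unseal_keys is a plain Array[String]. Class parameters are recorded in
#    the compiled catalog, so the keys are readable wherever catalogs are
#    cached or stored. Sensitive() below only redacts the rendered file
#    content. Moving to Sensitive[Array[String]] needs a coordinated change
#    with the template and Hiera data, so it is not done here.
#  * The default of [] still deploys the keys file and enables the unit;
#    what the script does with no keys depends on templates not shown here.
#
# @param unseal_keys
#   Unseal key shares, looked up from Hiera key 'vault::unseal_keys' with the
#   'first' merge strategy; defaults to an empty array.
# @param vault_address
#   HTTP or HTTPS URL of the Vault API. It is not referenced in this manifest,
#   so it is presumably consumed by one of the templates (TODO confirm). The
#   default is plaintext HTTP on loopback; use an https:// URL for any address
#   that is not loopback, since unseal keys travel over this connection.
class profiles::vault::unseal (
  Array[String] $unseal_keys = lookup('vault::unseal_keys', Array[String], 'first', []),
  Variant[
    Stdlib::HTTPSUrl,
    Stdlib::HTTPUrl
  ] $vault_address = 'http://127.0.0.1:8200',
) {
  # deploy the unseal keys file
  # Root-only (0600). Sensitive() keeps the rendered keys out of Puppet logs,
  # reports and file diffs.
  file { '/etc/vault/unseal_keys':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => Sensitive(template('profiles/vault/unseal_keys.erb')),
    require => Class['vault'],
  }

  # deploy the unseal script
  # Not writable by anyone but root: the script runs as a service and handles
  # the unseal keys, so tampering with it would expose them.
  file { '/usr/local/bin/vault-unseal.sh':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    content => template('profiles/vault/vault_unseal.sh.erb'),
  }

  # create systemd service unit
  # The unit is ordered after both the script and the keys file. Previously
  # only the script was required, so the unit could be activated on a first
  # run before the keys file existed (the script is presumed to read
  # /etc/vault/unseal_keys; its template is not shown here).
  # Subscribing to Service['vault'] passes refresh events from the Vault
  # service on to this unit.
  systemd::unit_file { 'vault-unseal.service':
    content   => template('profiles/vault/vault-unseal.service.erb'),
    active    => true,
    enable    => true,
    require   => [
      File['/usr/local/bin/vault-unseal.sh'],
      File['/etc/vault/unseal_keys'],
    ],
    subscribe => Service['vault'],
  }
}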