# Deploy the Vault server config:
template '/etc/vault.d/vault.hcl' do
  # Server config; owner-readable only since it may carry listener/storage
  # settings. HOSTNAME, IPADDR and IPS are handed to the ERB as locals.
  mode  '600'
  owner 'vault'
  group 'vault'

  variables(
    HOSTNAME: node['vault']['hostname'],
    IPADDR:   node['vault']['ipaddr'],
    IPS:      node['vault']['ips']
  )

  # A changed config is only picked up on restart; :delayed is the default
  # timing, spelled out here so the batching at end-of-run is explicit.
  notifies :restart, 'service[vault]', :delayed
end

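encrypted_remote_file '/etc/vault.d/vault.env' do
  # Environment file for the vault service. The repo copy under files/ is
  # encrypted and presumably decrypted on the target with the password below,
  # so the plaintext is owner-readable only (mode 600, owned by vault).
  owner 'vault'
  group 'vault'
  mode '600'
  source   'files/etc/vault.d/vault.env'
  # fetch (not []) so a missing ITAMAE_PASSWORD aborts the run with a clear
  # KeyError instead of passing a nil password into the decryption step.
  password ENV.fetch('ITAMAE_PASSWORD')

  notifies :restart, 'service[vault]'
end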

# Holds the Vault policy files deployed below; the directory itself is
# world-traversable, the policy files are 644.
directory '/etc/vault.d/policies' do
  action :create # the default for directory, made explicit
  mode  '755'
  owner 'vault'
  group 'vault'
end

# Consul-related Vault policies, copied verbatim from the recipe's files/
# tree (remote_file with no `source` looks under files/ mirroring the
# destination path — confirm against the Itamae version in use).
policy_dir = '/etc/vault.d/policies'
%w[consul-auto-config consul-connect-vault].each do |policy|
  remote_file "#{policy_dir}/#{policy}.hcl" do
    mode  '644'
    owner 'vault'
    group 'vault'
  end
end

# logrotate stanza for vault; root-owned like the rest of /etc/logrotate.d.
remote_file '/etc/logrotate.d/vault' do
  mode  '644'
  owner 'root'
  group 'root'
end


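# Open the Vault API (8200) and cluster (8201) ports in ufw. The port values
# come from the literal list here, so the shell interpolation below is not fed
# untrusted input.
%w(8200 8201).each do |port|
  execute "ufw allow #{port}" do
    user 'root'

    # Idempotence guard: skip when ufw already lists a rule for this port.
    # LANG=C keeps `ufw status` output parseable regardless of host locale
    # (the previous `LANG=c` is not a valid locale name and only worked by
    # falling back to C). -w prevents substring hits such as 18200 or 82001
    # from masking a missing rule; -q keeps grep's output out of the run log.
    not_if "LANG=C ufw status | grep -wq #{port}"

    # NOTE(review): `ufw allow PORT` admits both TCP and UDP from any source.
    # Vault's listeners are TCP, so `#{port}/tcp` with a source restriction
    # would be the tighter rule; the command string is also the resource name,
    # so that change is left as a separate decision.
    # `execute[ufw reload-or-enable]` is not defined in this file — confirm it
    # exists in the recipe set.
    notifies :run, 'execute[ufw reload-or-enable]'
  end
end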

# Keep vault enabled at boot and running; the notifications above restart it
# once its config or env file changes.
service 'vault' do
  action %i[enable start]
end