From ea80f312e27ebdab129f83a07e2e83752e28bb36 Mon Sep 17 00:00:00 2001
From: Akshay Karle <1443108+akshaykarle@users.noreply.github.com>
Date: Tue, 17 Sep 2024 14:27:19 +0100
Subject: [PATCH] add a script to help manage vault and configure a token to use

---
 flake.nix | 2 +-
 vault.sh | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100755 vault.sh

diff --git a/flake.nix b/flake.nix
index b5c94bb..593b695 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,7 +16,7 @@
 config.allowUnfree = true; # needed for vault
 };
 nativeBuildInputs = with pkgs; [ stdenv python311 poetry tesseract ];
- buildInputs = with pkgs; [ vault ];
+ buildInputs = with pkgs; [ vault jq ];
 # see https://github.com/nix-community/poetry2nix/tree/master#api for more functions and examples.
 inherit (poetry2nix.lib.mkPoetry2Nix { inherit pkgs; })
diff --git a/vault.sh b/vault.sh
new file mode 100755
index 0000000..2e903d0
--- /dev/null
+++ b/vault.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+export VAULT_ADDR="http://127.0.0.1:8200"
+export VAULT_TOKEN=root
+# Start vault server locally
+
+function vault_running() {
+ curl --output /dev/null --silent --head --fail $VAULT_ADDR
+}
+
+function start_vault() {
+ if vault_running
+ then
+ echo 'Vault already running'
+ else
+ echo 'Starting vault'
+ vault server -dev -dev-root-token-id $VAULT_TOKEN &
+
+ until vault_running; do
+ echo "Waiting for vault server to start"
+ sleep 2
+ done
+ fi
+}
+
+function status_vault() {
+ if vault_running
+ then
+ echo 'Vault is running'
+ else
+ echo 'Vault is not running'
+ fi
+}
+
+function stop_vault() {
+ if vault_running
+ then
+ echo 'Stopping vault'
+ pgrep -f vault | xargs kill
+ else
+ echo 'Vault not running'
+ fi
+}
+
+function configure_transits() {
+ curl --output /dev/null \
+ --silent \
+ --header "X-Vault-Token: $VAULT_TOKEN" \
+ --request POST \
+ --data '{"type":"transit"}' \
+ $VAULT_ADDR/v1/sys/mounts/transit
+ curl --output /dev/null \
+ --silent \
+ --header "X-Vault-Token: $VAULT_TOKEN" \
+ --request POST \
+ $VAULT_ADDR/v1/transit/keys/orders
+
+ curl --output /dev/null \
+ --silent \
+ --header "X-Vault-Token: $VAULT_TOKEN" \
+ --request PUT \
+ --data '{"policy": "path \"transit/encrypt/orders\" {\n capabilities = [ \"update\" ]\n}\n\npath \"transit/decrypt/orders\" {\n capabilities = [ \"update\" ]\n}\n"}' \
+ $VAULT_ADDR/v1/sys/policies/acl/app-orders
+}
+
+function create_token() {
+ configure_transits
+
+ export APP_ORDER_TOKEN=$(curl --silent \
+ --header "X-Vault-Token: $VAULT_TOKEN" \
+ --request POST \
+ --data '{ "policies": ["app-orders"] }' \
+ $VAULT_ADDR/v1/auth/token/create | jq -r '.auth | .client_token')
+
+ echo "export APP_ORDER_TOKEN=$APP_ORDER_TOKEN"
+}
+
+if [ $# == 0 ]; then
+ echo 'Setting up everything'
+ start_vault
+ create_token
+elif [ $1 = 'start' ]; then
+ start_vault
+elif [ $1 = 'status' ]; then
+ status_vault
+elif [ $1 = 'stop' ]; then
+ stop_vault
+elif [ $1 = 'token' ]; then
+ create_token
+fi
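Review bot: `pgrep -f vault | xargs kill` in stop_vault matches every process whose full command line contains the substring "vault", which includes this script itself (its path is `vault.sh`) and any unrelated process with that substring, so `./vault.sh stop` is likely to terminate itself and possibly other processes; match the server by exact process name instead, `pkill -x vault`, or better record `$!` after `vault server ... &` into a pid file and kill only that pid. The curl calls in configure_transits and create_token use `--silent` without `--fail`, and `export APP_ORDER_TOKEN=$(...)` masks the pipeline's exit status (ShellCheck SC2155), so an API error ends with the script printing `export APP_ORDER_TOKEN=null` and exiting 0; use `curl --silent --fail ...`, `jq -er '.auth.client_token'`, and assign before exporting (`APP_ORDER_TOKEN=$(...)` then `export APP_ORDER_TOKEN`). The `until vault_running` loop in start_vault has no bound and never checks whether the backgrounded `vault server` is still alive, so if that process exits early the script spins forever despite `set -e`; capturing `vault_pid=$!` and adding `kill -0 "$vault_pid" || return 1` inside the loop closes that gap. The expansions `$VAULT_ADDR`, `$VAULT_TOKEN` and `$1` are unquoted throughout (SC2086); quoting them is cheap hygiene.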