##
##  vault.spec -- OpenPKG RPM Package Specification
##  Copyright (c) 2000-2022 OpenPKG Project
##
##  Permission to use, copy, modify, and distribute this software for
##  any purpose with or without fee is hereby granted, provided that
##  the above copyright notice and this permission notice appear in all
##  copies.
##
##  THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
##  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
##  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
##  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
##  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
##  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
##  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
##  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
##  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
##  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
##  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
##  SUCH DAMAGE.
##

#   Packages the HashiCorp Vault secret manager for OpenPKG: builds the
#   Go binary, installs a default configuration, an rc script and a TLS
#   bootstrap helper, and on first installation generates the initial
#   TLS credentials and prints the operator's next steps.

#   package version
#   (opkg = packaged upstream version, base = tracked upstream release,
#    snap = date of the OpenPKG source snapshot; the three are kept
#    separate so the snapshot can move without the upstream version)
%define       V_vault_opkg  1.9.2
%define       V_vault_base  1.9.2
%define       V_vault_snap  20211222

#   package information
Name:         vault
Summary:      Security Manager
URL:          https://www.vaultproject.io/
Vendor:       Hashicorp
Packager:     OpenPKG Project
Distribution: OpenPKG Community
Class:        EVAL
Group:        Networking
License:      MPL
Version:      %{V_vault_opkg}.%{V_vault_snap}
Release:      20211222

#   list of sources
#   NOTE(review): Source0 is fetched over plain HTTP; any integrity check
#   of the download happens outside this file -- confirm the build
#   pipeline verifies it.
Source0:      http://download.openpkg.org/components/versioned/vault/vault-%{V_vault_snap}.tar.xz
Source1:      rc.vault
Source2:      vault.hcl
Source3:      vault-tls.sh

#   build information
#   (cfssl is a run-time prerequisite; presumably it is what the
#    vault-tls.sh helper uses to generate the TLS credentials -- the
#    helper itself is not visible here)
BuildPreReq:  OpenPKG, openpkg >= 20160101, go
PreReq:       OpenPKG, openpkg >= 20160101, cfssl

%description
    Vault is a tool for securely accessing secrets. A secret is anything
    that you want to tightly control access to, such as API keys,
    passwords, certificates, and more. Vault provides a unified interface
    to any secret, while providing tight access control and recording a
    detailed audit log.

%track
    prog vault:release = {
        version   = %{V_vault_base}
        url       = https://github.com/hashicorp/vault/releases
        regex     = v(\d+\.\d+\.\d+)\.tar\.gz
    }
    prog vault:snapshot = {
        version   = %{V_vault_snap}
        url       = http://download.openpkg.org/components/versioned/vault/
        regex     = vault-(__VER__)\.tar\.xz
    }

%prep
    %setup -q -n vault

%build
    #   build program
    #   (GOPATH-style layout: the unpacked snapshot is used as the Go
    #    workspace and the binary is built from the vault package dir)
    export GOPATH=`pwd`
    cd src/github.com/hashicorp/vault
    go build -v -o vault main.go

%install
    #   create directory hierarchy
    #   (etc/vault holds configuration and the generated TLS material,
    #    var/vault/{log,run,db} is the run-time state tree)
    %{l_shtool} mkdir -f -p -m 755 \
        $RPM_BUILD_ROOT%{l_prefix}/bin \
        $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
        $RPM_BUILD_ROOT%{l_prefix}/etc/vault \
        $RPM_BUILD_ROOT%{l_prefix}/var/vault/log \
        $RPM_BUILD_ROOT%{l_prefix}/var/vault/run \
        $RPM_BUILD_ROOT%{l_prefix}/var/vault/db

    #   install program
    %{l_shtool} install -c -s -m 755 \
        src/github.com/hashicorp/vault/vault \
        $RPM_BUILD_ROOT%{l_prefix}/bin/vault

    #   install default configuration
    #   (vault-tls.sh is installed alongside the daemon config; it is run
    #    once from the post-install scriptlet below and the TLS key
    #    material it produces lands in this same directory.
    #    NOTE(review): the file modes of the generated .key files are set
    #    by vault-tls.sh, not here -- confirm they are not world-readable)
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE vault.hcl} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/vault/
    %{l_shtool} install -c -m 644 %{l_value -s -a} \
        %{SOURCE vault-tls.sh} \
        $RPM_BUILD_ROOT%{l_prefix}/etc/vault/

    #   install run-command script
    %{l_shtool} install -c -m 755 %{l_value -s -a} \
        %{SOURCE rc.vault} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/

    #   determine installation files
    #   (everything under etc/vault is marked as configuration so it is
    #    preserved across upgrades; the var/vault tree is handed to the
    #    OpenPKG run-time user/group so the daemon can write its state)
    %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
        %{l_files_std} \
        '%config %{l_prefix}/etc/vault/*' \
        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/vault/*'

%files -f files

%clean

%post
    if [ $1 -eq 1 ]; then
        #   on initial installation, generate initial credentials
        #   (a failure of the helper aborts this scriptlet with the
        #    helper's exit status instead of leaving a half-set-up
        #    installation behind)
        echo "Generate initial TLS credentials..." | \
            %{l_rpmtool} msg -b -t notice
        ( cd $RPM_INSTALL_PREFIX/etc/vault && %{l_bash} vault-tls.sh ) || exit $?

        #   on initial installation, display information about first steps
        #   (the "\\" followed by the l_nil macro -- which presumably
        #    expands to nothing -- prints a literal trailing backslash
        #    without rpm treating the spec line as a continuation.
        #    NOTE(review): the unseal-key, path, key and value placeholders
        #    of steps 6, 9 and 10 appear to have been lost -- the lines end
        #    in "unseal ", "under :" and "kv/ =" -- confirm against the
        #    upstream spec)
        ( echo "Your next steps should be:"
          echo "1. optionally (re)configure and (re)generate your TLS credentials:"
          echo " \$ cd $RPM_INSTALL_PREFIX/etc/vault"
          echo " \$ vi vault-tls.sh"
          echo " \$ sh vault-tls.sh"
          echo "2. start Vault server:"
          echo " \$ $RPM_INSTALL_PREFIX/bin/openpkg rc vault start"
          echo "3. prepare your client environment:"
          echo " \$ export VAULT_ADDR=\"https://127.0.0.1:8200\""
          echo " \$ export VAULT_CACERT=\"$RPM_INSTALL_PREFIX/etc/vault/vault-tls-ca.crt\""
          echo "4. check status (understand it is still sealed):"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault status"
          echo "5. initialize database (remember unseal key and root token):"
          #   one share with threshold one yields a single unseal key,
          #   i.e. a single-operator setup; the N>K>1 form printed next
          #   is the cluster variant where K of N shares are needed
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault operator init \\%{l_nil}"
          echo " -key-shares=1 -key-threshold=1 \\%{l_nil}"
          echo " -recovery-shares=1 -recovery-threshold=1"
          echo " In case of a Vault cluster of N nodes use (N>K>1):"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault operator init \\%{l_nil}"
          echo " -key-shares=N -key-threshold=K \\%{l_nil}"
          echo " -recovery-shares=N -recovery-threshold=K"
          echo "6. unseal database (with remembered unseal key):"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault operator unseal "
          echo "7. authenticate against database (use remembered root token):"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault login -method=token"
          echo "8. create key/value secret engine:"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault secrets enable \\%{l_nil}"
          echo " -version=2 -description=\"key-value store\" -path=kv kv"
          echo "9. write key/value data under :"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault kv put kv/ ="
          echo "10. read key/value data under :"
          echo " \$ $RPM_INSTALL_PREFIX/bin/vault kv get -field= kv/"
        ) | %{l_rpmtool} msg -b -t notice
    elif [ $1 -eq 2 ]; then
        #   after upgrade, restart service
        #   (the rc status command is expected to emit name=value shell
        #    assignments; eval of that output -- a trusted, locally
        #    installed script -- imports vault_active into this shell)
        eval `%{l_rc} vault status 2>/dev/null`
        [ ".$vault_active" = .yes ] && %{l_rc} vault restart
    fi
    exit 0

%preun
    if [ $1 -eq 0 ]; then
        #   before erase, stop service and remove log files
        #   NOTE: this also deletes the generated TLS key pairs and
        #   everything under var/vault/db -- presumably the Vault storage
        #   backend configured in vault.hcl -- so erasing the package
        #   destroys the stored secrets; back up before erasing.
        #   Each removal ignores failures (the files may not exist).
        %{l_rc} vault stop 2>/dev/null
        rm -f $RPM_INSTALL_PREFIX/etc/vault/vault-tls-ca.crt >/dev/null 2>&1 || true
        rm -f $RPM_INSTALL_PREFIX/etc/vault/vault-tls-ca.key >/dev/null 2>&1 || true
        rm -f $RPM_INSTALL_PREFIX/etc/vault/vault-tls-sv.crt >/dev/null 2>&1 || true
        rm -f $RPM_INSTALL_PREFIX/etc/vault/vault-tls-sv.key >/dev/null 2>&1 || true
        rm -rf $RPM_INSTALL_PREFIX/var/vault/log/* >/dev/null 2>&1 || true
        rm -rf $RPM_INSTALL_PREFIX/var/vault/run/* >/dev/null 2>&1 || true
        rm -rf $RPM_INSTALL_PREFIX/var/vault/db/* >/dev/null 2>&1 || true
    fi
    exit 0