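# Vault Agent Configuration for BreakPilot SSL Certificates
# Automatically renews certificates and updates nginx

# NOTE(review): /tmp is normally a shared, world-writable directory; a
# directory owned by the agent's user is a safer home for the pid file.
pid_file = "/tmp/vault-agent.pid"

vault {
  # NOTE(review): plain HTTP. The AppRole login (role_id + secret_id), the
  # returned token and the certificate material rendered by the template
  # travel unencrypted between the agent and Vault. Acceptable only on an
  # isolated network segment; otherwise use https:// and have the agent
  # verify Vault's certificate against its issuing CA.
  address = "http://vault:8200"

  retry {
    num_retries = 5
  }
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"

    config = {
      role_id_file_path   = "/vault/agent/data/role-id"
      secret_id_file_path = "/vault/agent/data/secret-id"

      # The secret_id is left on disk after the first login (presumably so the
      # agent can re-authenticate after a restart). Anyone who can read that
      # file can log in as this role: keep it owner-only and keep the role's
      # policy limited to what certificate issuance needs.
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      # The token is written in clear text; 0600 restricts it to the owner.
      path = "/vault/agent/data/token"
      mode = 0600
    }
  }
}

# Single template that generates all certificate components
# Uses a single pkiCert call to ensure cert/key match
template {
  source      = "/vault/agent/templates/all.tpl"
  destination = "/vault/certs/combined.pem"

  # Per the comment above, the rendered file carries the key along with the
  # certificate, hence owner-only permissions.
  perms = 0600

  # Runs after each render. NOTE(review): split-certs.sh is not shown here;
  # confirm that the files it writes keep the private key owner-only as well.
  command = "sh /vault/agent/split-certs.sh"
}

# Listener for debugging (optional)
# Bound to loopback with TLS disabled. Keep the address on 127.0.0.1, or drop
# this block outside debugging: whatever can reach the port talks to the agent
# without transport protection.
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}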