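#!/bin/sh
# vault-init: initialise, unseal and seed a development Vault instance.
#
# Runs next to the `vault` container. On the first run it initialises Vault
# with a single unseal key, unseals it, and records the unseal key and root
# token under /vault/file so later runs (and other containers) can reuse
# them. Every run then makes sure the kv mounts and the dev secrets below
# exist, generating the JWT RS256 key pair only if it is not stored yet.
#
# The init-keys.json and root-token files hold the unseal key and root
# token in clear text; they are created with mode 0600. Everything here is
# for a local development stack only.
#
# Requires: wget and the vault CLI on PATH; openssl is installed via apk
# on demand (Alpine).
set -e
# Files created below (init keys, root token, private key) must never be
# world-readable.
umask 077

export VAULT_ADDR=http://vault:8200
INIT_FILE="/vault/file/init-keys.json"
TOKEN_FILE="/vault/file/root-token"

# log MSG... — progress line on stdout, same prefix as the original echo calls.
log() { printf '[vault-init] %s\n' "$*"; }
# die MSG... — error line on stderr, then exit 1.
die() { printf '[vault-init] ERROR: %s\n' "$*" >&2; exit 1; }

# init_unseal_key — first unseal key from $INIT_FILE (the -format=json output
# of `vault operator init`). Whitespace is stripped first so key and value
# sit on one line for grep; values never contain a double quote.
init_unseal_key() {
  tr -d ' \n' < "$INIT_FILE" | grep -o '"unseal_keys_b64":\["[^"]*"' | cut -d'"' -f4
}

# init_root_token — root token from $INIT_FILE, same extraction approach.
init_root_token() {
  tr -d ' \n' < "$INIT_FILE" | grep -o '"root_token":"[^"]*"' | cut -d'"' -f4
}

# status_field KEY — bare boolean value of "KEY" in $STATUS_JSON
# (seal-status response); empty when the key is absent.
status_field() {
  printf '%s' "$STATUS_JSON" | grep -o "\"$1\":[a-z]*" | cut -d: -f2
}

log "Waiting for Vault to respond..."
until wget -qO- "${VAULT_ADDR}/v1/sys/seal-status" > /dev/null 2>&1; do
  sleep 1
done

# Use the HTTP API for the status check: the vault CLI may suppress output
# while the server is sealed. A failed fetch degrades to '{}', which reads
# as "not initialized" below.
STATUS_JSON=$(wget -qO- "${VAULT_ADDR}/v1/sys/seal-status" 2>/dev/null || echo '{}')
INITIALIZED=$(status_field initialized)
log "Vault initialized=$INITIALIZED"

ROOT_TOKEN=""
if [ "$INITIALIZED" != "true" ]; then
  log "First run — initializing Vault..."
  # One key share with a threshold of one keeps dev unsealing a single step.
  vault operator init -key-shares=1 -key-threshold=1 -format=json > "$INIT_FILE"
  UNSEAL_KEY=$(init_unseal_key)
  ROOT_TOKEN=$(init_root_token)
  # No part of the unseal key is written to the container log.
  log "Unsealing Vault..."
  vault operator unseal "$UNSEAL_KEY"
else
  log "Vault already initialized."
  SEALED=$(status_field sealed)
  log "Vault sealed=$SEALED"
  if [ "$SEALED" = "true" ]; then
    log "Vault is sealed, unsealing..."
    [ -f "$INIT_FILE" ] || die "init-keys.json not found. Cannot unseal."
    vault operator unseal "$(init_unseal_key)"
    log "Vault unsealed."
  else
    log "Vault already unsealed."
  fi
  # Load root token from the stored init output, if we have it.
  if [ -f "$INIT_FILE" ]; then
    ROOT_TOKEN=$(init_root_token)
  fi
fi

# Without a root token every `vault kv put` below would fail with a less
# helpful error, and an empty root-token file would be left behind.
[ -n "$ROOT_TOKEN" ] || die "no root token available (is $INIT_FILE present?); cannot provision secrets."
export VAULT_TOKEN="$ROOT_TOKEN"

# ── Write root-token file for other containers ──
printf '%s\n' "$ROOT_TOKEN" > "$TOKEN_FILE"
# umask covers newly created files; chmod also tightens pre-existing ones.
chmod 600 "$INIT_FILE" "$TOKEN_FILE" 2>/dev/null \
  || log "warning: could not set mode 0600 on $INIT_FILE / $TOKEN_FILE"

# ── Ensure secrets engines exist ──
# Enable kv mount (wallet) — ignore error if already enabled
vault secrets enable -path=kv -version=2 kv 2>/dev/null || true
# Enable secrets mount (BITOK) — ignore error if already enabled
vault secrets enable -path=secrets -version=2 kv 2>/dev/null || true

# The values below are fixed development placeholders for the local
# compose stack; they are rewritten on every run.

# ── Wallet infrastructure secrets ──
log "Writing wallet secrets..."
vault kv put kv/cryptowallet \
  db_host=postgres \
  db_port=5432 \
  db_user=postgres \
  db_password=postgres \
  db_name=cryptowallet_devphase3 \
  relay_api_key=""

# ── BITOK database secret ──
log "Writing BITOK secrets..."
vault kv put secrets/database \
  HOST=postgres \
  PORT=5432 \
  USER=postgres \
  PASSWORD=postgres \
  NAME=bitok_dev

# ── BITOK RabbitMQ secret ──
vault kv put secrets/rabbitmq \
  HOST=rabbitmq \
  PORT=5672 \
  USER=guest \
  PASSWORD=guest \
  VHOST=/

# ── BITOK CSRF secret ──
vault kv put secrets/csrf \
  KEY=dev-csrf-secret-key-minimum-32-characters-long

# ── BITOK JWT RS256 key pair (only generate on first run) ──
# Presence of the kid pointer is the marker that keys were generated before;
# the command's output itself is not needed.
if vault kv get -format=json secrets/jwt/kid > /dev/null 2>&1; then
  log "JWT keys already exist, skipping generation."
else
  log "Generating RSA-2048 key pair for JWT..."
  apk add --no-cache openssl > /dev/null 2>&1 || true
  command -v openssl > /dev/null 2>&1 || die "openssl not available; cannot generate JWT keys."
  # The private key lives only in a private temp dir that is removed on
  # every exit path, never under a predictable /tmp name.
  KEY_DIR=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "$KEY_DIR"' EXIT
  openssl genrsa -out "$KEY_DIR/jwt_private.pem" 2048 2>/dev/null
  openssl rsa -in "$KEY_DIR/jwt_private.pem" -pubout -out "$KEY_DIR/jwt_public.pem" 2>/dev/null
  vault kv put secrets/jwt/kid \
    active=kid-dev-001 \
    previous=""
  # Values are read by the CLI from the files (@path) so the private key
  # does not appear on the process command line. Note the stored PEM keeps
  # its trailing newline this way.
  vault kv put secrets/jwt/kids/kid-dev-001 \
    private_key=@"$KEY_DIR/jwt_private.pem" \
    public_key=@"$KEY_DIR/jwt_public.pem"
  rm -rf -- "$KEY_DIR"
  log "JWT keys generated."
fi

log "All secrets ready (wallet + BITOK). Done."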