# consul-template configuration, itself rendered from a template: the
# curly-brace placeholders and if/endif markers are filled in before
# consul-template ever reads this file.
#
# It tells consul-template how to reach Vault and which files to render for the
# local Consul agent: the CA certificate, and, depending on the flags below,
# the agent certificate/key, a CLI certificate/key and the agent ACL token.

# Vault connection.
# The Vault token is substituted literally into this file, so the rendered
# configuration is itself a secret: restrict its owner and mode so that only
# the account running consul-template can read it.
# NOTE(review): consul-template can also take the token from the VAULT_TOKEN
# environment variable or from a token file (vault_agent_token_file); either
# keeps the credential out of this file. Confirm which fits this deployment.
vault {
  address      = "{{ consul_vault_secrets.vault_address }}"
  token        = "{{ consul_vault_secrets.vault_token }}"
  # The token is used as given, not treated as a response-wrapped token.
  unwrap_token = false
}

# CA certificate. This block sits outside the pki/server conditionals below,
# so it is rendered whenever this file is deployed.
# The source templates use double square brackets as delimiters, presumably so
# that their markers do not collide with the curly-brace syntax used to render
# this file. TODO confirm against the .tpl files.
template {
  source          = "{{ consul_root_dir }}/consul-template/ca.crt.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
  destination     = "{{ consul_conf.tls.defaults.ca_file }}"
  perms           = 0644
  exec {
    # "|| true" makes the command succeed even when the reload fails, so a
    # failed reload is not reported by consul-template.
    command = "sh -c 'systemctl reload consul || true'"
  }
}

{% if consul_vault_secrets.pki.enabled %}
{% if consul_conf.server %}
# The four certificate/key templates below are emitted only when PKI is
# enabled AND this node is configured as a Consul server.

# Agent certificate (public material, world-readable).
template {
  source          = "{{ consul_root_dir }}/consul-template/agent.crt.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
  destination     = "{{ consul_conf.tls.defaults.cert_file }}"
  perms           = 0644
  exec {
    command = "sh -c 'systemctl reload consul || true'"
  }
}

# Agent private key: mode 0640, then the group is changed to the Consul user
# so the service can read it through the group bit.
template {
  source          = "{{ consul_root_dir }}/consul-template/agent.key.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
  destination     = "{{ consul_conf.tls.defaults.key_file }}"
  perms           = 0640
  exec {
    # Shell precedence: (chgrp && reload) || true. If chgrp fails, the reload
    # is skipped and the failure is masked, which can leave a key the Consul
    # group cannot read while Consul keeps running on the previous key.
    # NOTE(review): the chgrp runs after the file is written; confirm that the
    # group the file is created with is acceptable during that window.
    command = "sh -c 'chgrp {{ consul_user }} {{ consul_conf.tls.defaults.key_file }} && systemctl reload consul || true'"
  }
}

# CLI certificate. No perms are set here, so consul-template's default file
# mode applies, and no command is run after rendering.
template {
  source          = "{{ consul_root_dir }}/consul-template/cli.crt.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
  destination     = "{{ consul_root_dir }}/tls/cli.crt"
}

# CLI private key: mode 0640 with no chgrp, unlike the agent key.
# NOTE(review): group read access therefore goes to whatever group the
# consul-template process creates the file with. Confirm that group is the
# intended audience for this key.
template {
  source          = "{{ consul_root_dir }}/consul-template/cli.key.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
  destination     = "{{ consul_root_dir }}/tls/cli.key"
  perms           = 0640
}
{% endif %}
{% endif %}

{% if consul_vault_secrets.tokens.enabled %}
# Agent ACL token: rendered to a 0600 file, then installed into the running
# agent with "consul acl set-agent-token default".
template {
  source          = "{{ consul_root_dir }}/consul-template/agent.token.tpl"
  left_delimiter  = "[["
  right_delimiter = "]]"
  destination     = "{{ consul_root_dir }}/tmp/agent.token"
  perms           = 0600
  exec {
    # grep -P with this pattern keeps only lines whose first character is not
    # whitespace, i.e. it drops blank and indented lines from the rendered file.
    # The token is passed as a command-line argument, so it is visible in the
    # process list to other local users while the command runs, and the
    # rendered file stays on disk under tmp/ afterwards.
    # NOTE(review): the backslash-quote and backslash-s sequences sit inside
    # both a double-quoted HCL string and a single-quoted sh -c argument;
    # verify that the rendered command parses and quotes as intended.
    # NOTE(review): unlike the other exec commands there is no "|| true" here,
    # so a failure of this command is surfaced. Confirm that is intended.
    command = "sh -c 'consul acl set-agent-token default $(grep -P \'^[^\s]\' {{ consul_root_dir }}/tmp/agent.token)'"
  }
}
{% endif %}