#!/bin/sh

set -eo pipefail

{% if vault_backup_token is defined %}
if [ -e /etc/profile.d/vault.sh ]; then
  source /etc/profile.d/vault.sh
fi
export VAULT_TOKEN={{ vault_backup_token }}
# Direct snapshot requ to the active leader, see
# https://support.hashicorp.com/hc/en-us/articles/22097624571155-Vault-snapshot-save-fails-with-message-Error-taking-snapshot-incomplete-snapshot-unable-to-read-SHA256SUMS-sealed-file
export VAULT_ADDR=$(vault status -format json | jq -r .leader_address)
vault operator raft snapshot save {{ vault_root_dir }}/backup/vault.snap
{% endif %}