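# Vagrantfile for a 3-node HashiCorp Vault cluster on Integrated (Raft) Storage.
#
# Security notes on this lab topology (read before reusing anything here):
#   * TLS is disabled on the listener and api_addr/cluster_addr are plain http://,
#     so every token, unseal key and secret crosses the network in the clear.
#     Keep this on an isolated private network only.
#   * The listener binds 0.0.0.0:8200, i.e. the API is reachable on every VM
#     interface (including the NAT adapter), not just the 192.168.56.0/24 one.
#   * No `seal` stanza is configured, so Vault uses Shamir unseal keys. Init,
#     unseal and raft-join are deliberately manual steps (see post_up_message):
#     automating them would print unseal keys and the root token into the
#     provisioner log. The earlier auto-init called a subcommand that does not
#     exist and was masked by `|| true`, so it never did anything.
#   * The Vault download is now checksum-verified against the published
#     SHA256SUMS file; the binary is arm64 (the box is a UTM/Apple-silicon box).
NUM_NODES   = 3
NODE_MEMORY = 2048
NODE_CPUS   = 2
NETWORK     = "192.168.56"
IP_START    = 10

Vagrant.configure("2") do |config|
  config.vm.box = "utm/ubuntu-24.04"

  # Global config
  config.vm.synced_folder ".", "/vagrant", create: true
  config.ssh.username = "vagrant"

  # Shared provisioning for every VM: packages, verified Vault binary,
  # service account and a hardened systemd unit.
  config.vm.provision "shell", inline: <<-SHELL
    set -euo pipefail
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y curl wget unzip python3 python3-pip

    # Install the Vault binary. The zip is fetched over HTTPS and its digest is
    # checked against the SHA256SUMS file published next to it, so a truncated
    # or tampered download aborts provisioning instead of being installed.
    # The SHA256SUMS file comes from the same origin as the zip; verifying its
    # detached .sig with HashiCorp's release key would be the stronger check
    # (TODO: add gpg verification of vault_${VAULT_VERSION}_SHA256SUMS.sig).
    VAULT_VERSION="1.16.1"
    VAULT_ZIP="vault_${VAULT_VERSION}_linux_arm64.zip"
    VAULT_SUMS="vault_${VAULT_VERSION}_SHA256SUMS"
    VAULT_URL="https://releases.hashicorp.com/vault/${VAULT_VERSION}"
    cd /tmp
    wget -q "${VAULT_URL}/${VAULT_ZIP}"
    wget -q "${VAULT_URL}/${VAULT_SUMS}"
    # --ignore-missing: only the zip we downloaded is checked; a missing match
    # or a digest mismatch returns non-zero and set -e stops the script.
    sha256sum --check --ignore-missing "${VAULT_SUMS}"
    unzip -o "${VAULT_ZIP}"
    install -o root -g root -m 0755 vault /usr/local/bin/vault
    rm -f vault "${VAULT_ZIP}" "${VAULT_SUMS}"

    # Unprivileged service account: no login shell, home is the config dir.
    useradd --system --home /etc/vault.d --shell /bin/false vault || true

    # Systemd unit for Vault. The inner heredoc terminator must stay at
    # column 0 because bash's plain << does not strip leading whitespace.
    cat > /etc/systemd/system/vault.service << 'EOF'
[Unit]
Description=HashiCorp Vault
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl

[Service]
# Run as the dedicated vault user rather than root: /etc/vault.d and
# /opt/vault/data are owned by it, and the only extra privilege Vault needs
# (locking memory so secrets are not swapped out) is granted as a capability.
User=vault
Group=vault
Type=notify
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitMEMLOCK=infinity
StandardOutput=journal
StandardError=journal
SyslogIdentifier=vault
SyslogFacility=AUTH

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable vault
  SHELL

  # One VM per Raft member: vault1 .. vault<NUM_NODES>, consecutive IPs.
  (1..NUM_NODES).each do |i|
    node_name = "vault#{i}"
    node_ip   = "#{NETWORK}.#{IP_START + i - 1}"

    config.vm.define node_name do |node|
      node.vm.hostname = node_name
      node.vm.network "private_network", ip: node_ip

      node.vm.provider "utm" do |utm|
        utm.cpus   = NODE_CPUS
        utm.memory = NODE_MEMORY
      end

      # Per-node Vault config. Directories are 0700 and owned by the service
      # account so only the vault process (and root) can read the Raft data.
      node.vm.provision "shell", inline: <<-SHELL
        set -euo pipefail
        mkdir -p /etc/vault.d /opt/vault/data
        chown -R vault:vault /etc/vault.d /opt/vault/data
        chmod 700 /etc/vault.d /opt/vault/data
        cat > /etc/vault.d/vault.hcl << 'EOF'
ui = true

# Lab listener: plaintext, bound on every interface. The listener-level key
# for the Raft/replication port is cluster_address (cluster_addr is the
# top-level key below).
listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_disable     = true
  cluster_address = "#{node_ip}:8201"
}

# Integrated Raft storage (no Consul). node_id must be unique per member and
# belongs in this stanza only.
storage "raft" {
  path    = "/opt/vault/data"
  node_id = "#{node_name}"
}

# Addresses advertised to clients (api_addr) and to other Raft members
# (cluster_addr). Both plaintext in this lab.
api_addr     = "http://#{node_ip}:8200"
cluster_addr = "http://#{node_ip}:8201"

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = false
}
EOF
        chown vault:vault /etc/vault.d/vault.hcl
        chmod 640 /etc/vault.d/vault.hcl
      SHELL

      if i == 1
        # First node: start the service only. `vault operator init` is left to
        # the operator because its output (Shamir unseal keys, root token) must
        # not land in provisioner logs. Note that -recovery-shares/-threshold
        # apply only to auto-unseal seals; with Shamir the flags are
        # -key-shares/-key-threshold.
        node.vm.provision "shell", inline: <<-SHELL
          set -euo pipefail
          systemctl start vault
          sleep 2
          export VAULT_ADDR="http://#{node_ip}:8200"
          # `vault status` exits 2 while the node is sealed/uninitialised, which
          # is the expected state right after first boot; only its output matters.
          vault status || true
        SHELL
      else
        # Followers: start the service and try to join vault1. The join only
        # succeeds once vault1 has been initialised and unsealed (a manual
        # step), so on a fresh `vagrant up` it is expected to fail. The failure
        # is reported rather than hidden so the operator knows the node still
        # has to be joined and then unsealed with vault1's keys.
        node.vm.provision "shell", inline: <<-SHELL
          set -euo pipefail
          sleep 5
          systemctl start vault
          sleep 5
          export VAULT_ADDR="http://#{node_ip}:8200"
          if ! vault operator raft join "http://#{NETWORK}.#{IP_START}:8200"; then
            echo "WARN: raft join to vault1 failed (vault1 not initialised/unsealed yet?)."
            echo "WARN: after initialising and unsealing vault1, run on this node:"
            echo "WARN:   vault operator raft join http://#{NETWORK}.#{IP_START}:8200"
            echo "WARN:   vault operator unseal   (repeat with vault1's unseal keys)"
          fi
        SHELL
      end
    end
  end

  # Post-up message
  config.vm.post_up_message = <<-MSG
    ╔═══════════════════════════════════════════════════════════════╗
    ║           3-Node Vault Cluster (Raft Storage)                 ║
    ╚═══════════════════════════════════════════════════════════════╝

    Nodes:
      • vault1: #{NETWORK}.#{IP_START}
      • vault2: #{NETWORK}.#{IP_START + 1}
      • vault3: #{NETWORK}.#{IP_START + 2}

    Příkazy:
      vagrant ssh vault1                     # Připoj se k prvnímu nodu
      vault status                           # Check status (uvnitř VM)
      vault operator raft list-peers         # Peer status
      vault operator init                    # Inicializuj (potřeba jen jednou!)
      vault operator unseal                  # Opakuj na vault1, dokud není dosažen threshold
      vault operator raft join http://#{NETWORK}.#{IP_START}:8200   # Na vault2 / vault3
      vault operator unseal                  # Pak odemkni i vault2 / vault3 klíči z vault1

    Poznámky:
      - Vault běží bez TLS (lab)
      - Raft storage == keine Consul potřeba
      - Port 8200 je dostupný na VM IP
      - Data se ukládají do /opt/vault/data
      - Init, unseal a join jsou manuální kroky (viz výše)
  MSG
end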