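#!/usr/bin/env bash
#
# ansible-vault password client.
#
# Prints the boma master vault password to stdout by fetching it from Vaultwarden
# via the `rbw` agent. Wired in as `vault_password_file` (ansible.cfg) and used by
# the Makefile vault targets, so every ansible-vault / ansible-playbook / lint run
# obtains the password the same way.
#
# The password lives only in Vaultwarden (encrypted at rest) and in the rbw agent's
# memory while unlocked — never in a plaintext file on disk.
#
# Unlock once per terminal session before running any vault operation:
#     rbw unlock
#
# Override the Vaultwarden item name via BOMA_VAULT_ITEM if it ever changes.
#
# Contract with the caller: exactly one line (the password) on stdout, exit 0.
# Any failure exits non-zero with an explanation on stderr and nothing on stdout,
# so ansible-vault can never be handed a diagnostic message as the password.
#
set -euo pipefail

#######################################
# Print a diagnostic to stderr and exit 1.
# Arguments: message lines, one per argument
# Outputs:   each argument on its own stderr line
# Returns:   does not return
#######################################
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Vaultwarden item name; overridable for rotation/rename without editing this file.
item="${BOMA_VAULT_ITEM:-boma-ansible-vault}"

if ! command -v rbw >/dev/null 2>&1; then
  die "vault-pass-client: 'rbw' is not installed — see docs/runbooks/rotate-secrets.md."
fi

# Only the password reaches stdout; all diagnostics go to stderr so they can never
# be mistaken for the password by ansible-vault.
# rbw's own stderr is discarded so the operator sees one consistent hint below;
# the assignment is split from the `if` so a failing rbw is not masked.
pw=""
if ! pw="$(rbw get "$item" 2>/dev/null)"; then
  die "vault-pass-client: could not read '$item' from Vaultwarden via rbw." \
      "    The agent is probably locked. Run: rbw unlock"
fi

# An item whose password field is empty must not silently yield an empty vault
# password: fail loudly instead of letting a later decrypt error hide the cause.
if [[ -z "$pw" ]]; then
  die "vault-pass-client: item '$item' exists but its password field is empty."
fi

# Trailing newline matches the original output; the consumer is expected to
# strip it — NOTE(review): confirm against the ansible-vault version in use.
printf '%s\n' "$pw"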