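#!/bin/bash
# Simple Vault backup using known paths.
# For use when you already know the KV v2 secret paths to back up.
#
# Required env: R2_ACCOUNT_ID, R2_ACCESS_KEY, R2_SECRET_KEY, VAULT_TOKEN
# Optional env: R2_BUCKET (default "vault-backup"), VAULT_ADDR
# Output:       s3://$R2_BUCKET/vault-backup-<timestamp>.json.gz
#
# NOTE(review): the uploaded archive is gzip-compressed, NOT encrypted, so
# anyone who can read the bucket can recover every secret in it. Consider
# client-side encryption (age/gpg) before upload and a narrowly scoped R2 key.
set -euo pipefail

# Every file this script creates contains secrets: make them owner-only
# from the moment they are created.
umask 077

die()  { printf '[ERROR] %s\n' "$*" >&2; exit 1; }
info() { printf '[INFO] %s\n' "$*"; }
warn() { printf '[WARN] %s\n' "$*" >&2; }

for tool in curl jq gzip aws; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# R2 configuration
R2_ACCOUNT_ID="${R2_ACCOUNT_ID:?R2_ACCOUNT_ID is required}"
R2_ACCESS_KEY="${R2_ACCESS_KEY:?R2_ACCESS_KEY is required}"
R2_SECRET_KEY="${R2_SECRET_KEY:?R2_SECRET_KEY is required}"
R2_BUCKET="${R2_BUCKET:-vault-backup}"
R2_ENDPOINT="https://${R2_ACCOUNT_ID}.r2.cloudflarestorage.com"

# Vault configuration (the token needs read on every path listed in PATHS)
VAULT_ADDR="${VAULT_ADDR:-https://vault.anvil.it.com}"
VAULT_TOKEN="${VAULT_TOKEN:?VAULT_TOKEN is required}"

TIMESTAMP=$(date +%Y%m%d-%H%M%S)
OBJECT_NAME="vault-backup-${TIMESTAMP}.json.gz"

# Private scratch directory (mktemp, 0700 via umask) instead of a predictable
# name in world-readable /tmp. The trap removes it on EVERY exit path, so a
# failure half-way no longer leaves plaintext secrets behind on disk.
WORKDIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$WORKDIR"' EXIT

BACKUP_FILE="${WORKDIR}/vault-backup-${TIMESTAMP}.json"
ENTRIES_FILE="${WORKDIR}/entries.ndjson"
RESP_FILE="${WORKDIR}/resp.json"
HDR_FILE="${WORKDIR}/curl-headers"

# Hand the token to curl via a file (-H @file) rather than on argv, where
# any local user running `ps` (or process-accounting logs) could read it.
printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" > "$HDR_FILE"

info "Starting Vault backup at $(date)"

# Known secret paths to backup, relative to the "secret" KV v2 mount
# (add your paths here)
PATHS=(
  "app/config"
  "app/database"
  "shared/api-keys"
  # Add more paths as needed
)

: > "$ENTRIES_FILE"
for path in "${PATHS[@]}"; do
  info "Backing up: $path"
  # Capture the HTTP status explicitly: a 403 or 5xx must abort the run
  # instead of being silently recorded as "path not found" and producing
  # a backup that is quietly missing secrets.
  http_code=$(curl -sS -o "$RESP_FILE" -w '%{http_code}' \
    -H @"$HDR_FILE" "${VAULT_ADDR}/v1/secret/data/${path}") \
    || die "curl failed for ${path}"
  case "$http_code" in
    200) ;;
    404) warn "Path not found: $path"; continue ;;
    *)   die "Vault returned HTTP ${http_code} for ${path}; refusing to upload a partial backup" ;;
  esac
  # jq -e exits non-zero when .data.data is null/false, so a 200 with no
  # data (e.g. an empty or deleted version) is reported instead of skipped.
  if ! secret=$(jq -e '.data.data' "$RESP_FILE"); then
    warn "Path has no data: $path"
    continue
  fi
  jq -n --arg path "$path" --argjson data "$secret" \
    '{path: $path, data: $data}' >> "$ENTRIES_FILE"
done

# Assemble the document with jq rather than string concatenation so the
# output is well-formed JSON whatever the path names or secret values contain.
jq -n --arg t "$(date -Iseconds)" \
  '{backup_time: $t, secrets: [inputs]}' "$ENTRIES_FILE" > "$BACKUP_FILE"

count=$(jq '.secrets | length' "$BACKUP_FILE")
(( count > 0 )) || die "No secrets were read; refusing to upload an empty backup"

# Compress (gzip replaces the .json with .json.gz in place)
gzip "$BACKUP_FILE"
BACKUP_FILE="${BACKUP_FILE}.gz"

# Upload to R2. Credentials are passed through the environment, not argv.
info "Uploading to R2..."
export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY"
export AWS_SECRET_ACCESS_KEY="$R2_SECRET_KEY"
# NOTE(review): the aws CLI may also require a region to be configured
# (R2 accepts "auto"); export AWS_DEFAULT_REGION if the upload complains.
aws s3 cp "$BACKUP_FILE" "s3://${R2_BUCKET}/${OBJECT_NAME}" \
  --endpoint-url "$R2_ENDPOINT"

# Scratch dir (and the plaintext copy) is removed by the EXIT trap.
info "Backup complete: s3://${R2_BUCKET}/${OBJECT_NAME}"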