name: un-seal
base: core22
version: '5.4.0'
title: un-seal
license: GPL-3.0-only
contact: pablo.degreiff@canonical.com
summary: Tool to initialize and unseal a Juju-deployed Vault cluster.
description: |
  Automates the initialization or unsealing of a Juju-deployed Vault cluster.
  It handles leader-finding, unsealing all units, and automatically
  authorizing the Juju charm.

  This tool securely manages credentials by storing the root token and each
  unseal key in separate GPG-encrypted files, enabling hardware-backed
  security (YubiKey) and separation of duties.

  It features a robust 3-tier loading system:
  1. Auto-detects keys in the credentials directory.
  2. Falls back to prompting for individual file paths.
  3. Provides a final fallback for raw, manual key entry.

  This snap bundles 'jq', 'vault', and 'gpg'. It requires the 'juju'
  command to be installed on the host system.

  How to install:
    sudo snap install un-seal

  then, connect the necessary interfaces:
    sudo snap connect un-seal:dot-local-share-juju
    sudo snap connect un-seal:gpg-keys
    sudo snap connect un-seal:pcscd

  Source code: https://github.com/Ankow99/un-seal

website: https://github.com/Ankow99/un-seal
issues: https://github.com/Ankow99/un-seal/issues
source-code: https://github.com/Ankow99/un-seal

grade: stable
confinement: strict

plugs:
  # Binary Access
  juju-bin:
    interface: content
    content: juju
    target: $SNAP/juju-snap
    default-provider: juju

  # Juju Config Access (Needs Write)
  dot-local-share-juju:
    interface: personal-files
    write:
      - $HOME/.local/share/juju
    read:
      - $HOME/.local/share/juju

# Layouts to fix the bundled GPG paths
layout:
  /usr/bin/dirmngr:
    bind-file: $SNAP/usr/bin/dirmngr
  /usr/bin/gpg-agent:
    bind-file: $SNAP/usr/bin/gpg-agent
  /usr/lib/gnupg/scdaemon:
    bind-file: $SNAP/usr/lib/gnupg/scdaemon
  /usr/bin/shred:
    bind-file: $SNAP/usr/bin/shred

parts:
  un-seal:
    plugin: dump
    source: .
    organize:
      un-seal: usr/bin/un-seal
    stage-packages:
      - coreutils

  # Part to bundle jq
  jq:
    plugin: nil
    stage-packages:
      - jq
      - libjq1
      - libonig5

  # Part to bundle vault
  vault:
    plugin: nil
    stage-snaps:
      - vault

  # Part to bundle GPG and smart card tools
  gpg:
    plugin: nil
    stage-packages:
      - gpg
      - gnupg-agent
      - dirmngr
      - scdaemon
      - pcscd
      - libccid
      - libusb-1.0-0
      - libgnutls30
      - libldap-2.5-0
      - libksba8
      - libnpth0

apps:
  un-seal:
    command: usr/bin/un-seal
    plugs:
      - network
      - network-bind
      - home
      - removable-media
      - pcscd
      - gpg-keys
      - juju-bin
      - dot-local-share-juju
    environment:
      PATH: $SNAP/bin:$SNAP/usr/bin:$PATH
      LD_LIBRARY_PATH: $SNAP/usr/lib/x86_64-linux-gnu:$SNAP/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH:-}
      GNUPGHOME: $SNAP_USER_DATA/.gnupg