# Vault Agent Configuration - PgBouncer
# Renders pgbouncer.ini with dynamic database credentials from Vault
# Sends SIGHUP to PgBouncer on credential refresh

pid_file = "/tmp/vault-agent.pid"

vault {
  address = "http://vault.example.local:8200"
}

auto_auth {
  method "approle" {
    config = {
      role_id_file_path   = "/vault/role-id"
      secret_id_file_path = "/vault/secret-id"
      remove_secret_id_file_after_reading = false
    }
  }

  sink "file" {
    config = {
      path = "/vault/token"
      mode = 0644
    }
  }
}

template_config {
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
}

template {
  source      = "/vault/templates/pgbouncer.ini.ctmpl"
  destination = "/etc/pgbouncer/pgbouncer.ini"
  perms       = 0644

  exec {
    command = ["sh", "-c", "PID=$(cat /var/run/pgbouncer/pgbouncer.pid 2>/dev/null); echo \"Sending SIGHUP to PgBouncer PID: $PID\"; kill -HUP $PID && echo 'SIGHUP sent successfully' || echo 'Failed to send SIGHUP (PgBouncer may not be running yet)'"]
  }
}