bump version

Cargo.lock

@@ -437,7 +437,7 @@ checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
 
 [[package]]
 name = "vault-unseal"
-version = "0.2.0"
+version = "0.3.0"
 dependencies = [
  "dotenv",
  "serde",

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "vault-unseal"
-version = "0.2.0"
+version = "0.3.0"
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

flake.nix

@@ -16,8 +16,7 @@
               pname = toml.package.name;
               version = toml.package.version;
               src = self;
-              cargoSha256 =
+              cargoLock.lockFile = ./Cargo.lock;
-                "sha256-eOvTR7TpFpi83J3G8HPXgOBryTzkq4XWp6CER6UDCbo=";
             };
         };
       });

src/main.rs

@@ -9,7 +9,6 @@ use std::{env, fs::File};
 use tracing::{info, subscriber, warn};
 use tracing_subscriber::FmtSubscriber;
 use ureq::Error::Status;
-use ureq::Response;
 
 #[derive(Debug, Deserialize)]
 struct KeyFile {
@@ -17,28 +16,30 @@ struct KeyFile {
 }
 
 #[derive(Debug, Deserialize)]
-struct HealthCheck {
+struct UnsealResponse {
     sealed: bool,
+    t: u8,
+    n: u8,
+    progress: u8,
 }
 
+/// returns true if the vault is sealed
+///
+/// see: https://developer.hashicorp.com/vault/api-docs/system/health
 fn is_sealed(health_url: &str) -> bool {
-    fn parse_hc(x: Response) -> bool {
-        match x.into_json() {
-            Ok(HealthCheck { sealed }) => sealed,
-            Err(_) => false,
-        }
-    }
-
     let resp = ureq::get(health_url).call();
     match resp {
-        Ok(x) => parse_hc(x),
+        Ok(r) if r.status() == 200 => false,
-        Err(Status(503, resp)) => parse_hc(resp),
+        Ok(r) => {
-        Err(Status(429, _)) => {
+            warn!(
-            info!("got code 429: too many requests, waiting");
+                "unexpected status code: '{}': {}",
-            // too many requests
+                r.status(),
-            thread::sleep(Duration::from_secs(15));
+                r.status_text()
+            );
             false
         }
+        Err(Status(429, _)) => false, // Unsealed and standby
+        Err(Status(503, _)) => true,  // Sealed
         Err(Status(code, resp)) => {
             info!(
                 "error checking health, got code: '{code}', with message: {}",
@@ -47,25 +48,31 @@ fn is_sealed(health_url: &str) -> bool {
             false
         }
         Err(e) => {
-            warn!("Got error: {e}");
+            warn!("error checking health: {e}");
             false
         }
     }
 }
 
 fn unseal(keyfile: &KeyFile, unseal_url: &str) {
-    let len = keyfile.keys.len();
+    for key in keyfile.keys.iter() {
-    for (i, key) in keyfile.keys.iter().enumerate() {
-        let i = i + 1;
         match ureq::post(unseal_url).send_json(json!({ "key": key })) {
             Ok(resp) if resp.status() == 200 => {
-                if i < len {
+                if let Ok(UnsealResponse {
-                    info!("unsealed vault partially {i}/{len}");
+                    sealed,
-                } else {
+                    t,
-                    info!("fully unsealed vault {i}/{len}");
+                    progress,
+                    ..
+                }) = resp.into_json()
+                {
+                    if !sealed {
+                        info!("vault unsealed");
+                        return;
+                    }
+                    info!("unsealed vault partially {progress}/{t}");
                 }
             }
-            Ok(resp) => warn!(
+            Ok(resp) | Err(Status(_, resp)) => warn!(
                 "error unsealing vault, got code '{}', with message: {}",
                 resp.status(),
                 resp.status_text()