[Unit]
Description=Vault secret management service
After=network.target

[Service]
User=vault
Group=vault
WorkingDirectory=/var/lib/vault/
EnvironmentFile=/etc/sysconfig/vault
Environment=SHELL=/bin/bash
ExecStart=/bin/bash -c "export GOMAXPROCS=$$(nproc); exec /usr/bin/vault server $VAULT_SERVER_OPTS -config ${VAULT_CONFIG}"
ExecStartPost=/bin/bash -c "cat $VAULT_KEYS | sed -e 's/#.*$//' -e '/^\s*$/d' | while read key; do /usr/bin/vault unseal -address ${VAULT_ADDR} $VAULT_UNSEAL_OPTS $${key}; done"
CapabilityBoundingSet=CAP_IPC_LOCK
Restart=on-failure
SyslogIdentifier=vault

[Install]
WantedBy=multi-user.target