fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)

tools/vault-apply-policies.sh

@@ -82,6 +82,16 @@ if [ "${#POLICY_FILES[@]}" -eq 0 ]; then
   die "no *.hcl files in ${POLICIES_DIR}"
 fi
 
+# Default VAULT_ADDR if not set (fixes issue #2)
+VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+export VAULT_ADDR
+
+# Resolve VAULT_TOKEN if not set (fixes issue #2)
+if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
+  VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+  export VAULT_TOKEN
+fi
+
 # ── Dry-run: print plan + exit (no Vault calls) ──────────────────────────────
 if [ "$dry_run" = true ]; then
   log "dry-run — ${#POLICY_FILES[@]} policy file(s) in ${POLICIES_DIR}"
@@ -94,9 +104,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-[ -n "${VAULT_ADDR:-}" ] \
-  || die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
 # the per-file loop below doesn't emit N identical "HTTP 403" errors.

tools/vault-import.sh

@@ -236,14 +236,14 @@ vault-import.sh — Import .env and sops-decrypted secrets into Vault KV
 Usage:
   vault-import.sh \
     --env /path/to/.env \
-    --sops /path/to/.env.vault.enc \
-    --age-key /path/to/age/keys.txt \
+    [--sops /path/to/.env.vault.enc] \
+    [--age-key /path/to/age/keys.txt] \
     [--dry-run]
 
 Options:
   --env       Path to .env file (required)
-  --sops      Path to sops-encrypted .env.vault.enc file (required)
-  --age-key   Path to age keys file (required)
+  --sops      Path to sops-encrypted .env.vault.enc file (optional)
+  --age-key   Path to age keys file (required if --sops is provided)
   --dry-run   Print import plan without writing to Vault (optional)
   --help      Show this help message
 
@@ -256,11 +256,12 @@ Mapping:
     - WOODPECKER_* → kv/disinto/shared/woodpecker/<lowercase_key>
     - FORWARD_AUTH_SECRET, CHAT_OAUTH_* → kv/disinto/shared/chat/<lowercase_key>
 
-  From sops-decrypted .env.vault.enc:
+  From sops-decrypted .env.vault.enc (if --sops provided):
     - GITHUB_TOKEN, CODEBERG_TOKEN, CLAWHUB_TOKEN, DEPLOY_KEY, NPM_TOKEN, DOCKER_HUB_TOKEN
       → kv/disinto/runner/<NAME>/value
 
 Examples:
+  vault-import.sh --env .env                          # Import .env only (no sops)
   vault-import.sh --env .env --sops .env.vault.enc --age-key age-keys.txt
   vault-import.sh --env .env --sops .env.vault.enc --age-key age-keys.txt --dry-run
 EOF
@@ -276,26 +277,28 @@ EOF
   if [ -z "$env_file" ]; then
     _die "Missing required argument: --env"
   fi
-  if [ -z "$sops_file" ]; then
-    _die "Missing required argument: --sops"
-  fi
-  if [ -z "$age_key_file" ]; then
-    _die "Missing required argument: --age-key"
+  # --sops and --age-key are optional:
+  #   - If --sops is provided, --age-key is required
+  #   - If --sops is not provided, --age-key is not needed
+  if [ -n "$sops_file" ] && [ -z "$age_key_file" ]; then
+    _die "Missing required argument: --age-key (required when --sops is provided)"
   fi
 
   # Validate files exist
   if [ ! -f "$env_file" ]; then
     _die "Environment file not found: $env_file"
   fi
-  if [ ! -f "$sops_file" ]; then
+  if [ -n "$sops_file" ] && [ ! -f "$sops_file" ]; then
     _die "Sops file not found: $sops_file"
   fi
-  if [ ! -f "$age_key_file" ]; then
+  if [ -n "$age_key_file" ] && [ ! -f "$age_key_file" ]; then
     _die "Age key file not found: $age_key_file"
   fi
 
-  # Security check: age key permissions
-  _validate_age_key_perms "$age_key_file"
+  # Security check: age key permissions (only if age key is provided)
+  if [ -n "$age_key_file" ]; then
+    _validate_age_key_perms "$age_key_file"
+  fi
 
   # Security check: VAULT_ADDR must be localhost
   _check_vault_addr
@@ -307,12 +310,16 @@ EOF
   _log "Loading environment from: $env_file"
   _load_env_file "$env_file"
 
-  # Decrypt sops file
-  _log "Decrypting sops file: $sops_file"
-  local sops_env
-  sops_env="$(_decrypt_sops "$sops_file" "$age_key_file")"
-  # shellcheck disable=SC2086
-  eval "$sops_env"
+  # Decrypt sops file if --sops was provided
+  local sops_env=""
+  if [ -n "$sops_file" ]; then
+    _log "Decrypting sops file: $sops_file"
+    sops_env="$(_decrypt_sops "$sops_file" "$age_key_file")"
+    # shellcheck disable=SC2086
+    eval "$sops_env"
+  else
+    _log "No --sops provided — skipping sops decryption"
+  fi
 
   # Collect all import operations
   declare -a operations=()
@@ -397,8 +404,12 @@ EOF
   if $dry_run; then
     _log "=== DRY-RUN: Import plan ==="
     _log "Environment file: $env_file"
-    _log "Sops file: $sops_file"
-    _log "Age key: $age_key_file"
+    if [ -n "$sops_file" ]; then
+      _log "Sops file: $sops_file"
+      _log "Age key: $age_key_file"
+    else
+      _log "Sops file: (not provided)"
+    fi
     _log ""
     _log "Planned operations:"
     for op in "${operations[@]}"; do
@@ -413,8 +424,12 @@ EOF
 
   _log "=== Starting Vault import ==="
   _log "Environment file: $env_file"
-  _log "Sops file: $sops_file"
-  _log "Age key: $age_key_file"
+  if [ -n "$sops_file" ]; then
+    _log "Sops file: $sops_file"
+    _log "Age key: $age_key_file"
+  else
+    _log "Sops file: (not provided — skipping sops-based imports)"
+  fi
   _log ""
 
   local created=0