{% extends "base.html" %}
{% import "_macros.html" as m %}
{% block title %}Vault — rosbackup-ng{% endblock %}
{% block page_title %}Vault{% endblock %}
{% block head_actions %}{% if unlocked %}<a class="btn primary" href="/vault/new">+ Add secret</a>{% endif %}{% endblock %}
{% block content %}
<div class="card">
  {% if not unlocked %}
  <div class="banner banner-warn">The vault is <strong>locked</strong>. Set the
    <span class="mono">{{ env_var }}</span> environment variable before starting the server to
    enable encrypted storage of SSH keys and credentials.</div>
  <p class="muted">Secrets are encrypted at rest with a key derived from
    <span class="mono">{{ env_var }}</span>. While it is unset, nothing can be stored — the store
    fails closed rather than keeping plaintext.</p>
  {% else %}
  <p class="muted">SSH private keys and passwords, encrypted at rest. They are
    <strong>write-only</strong> — the plaintext is never shown again after saving; only the backup
    engine decrypts them. Reference a secret by name from a device or storage/SMTP config.</p>
  {% if secrets %}
  <table>
    <thead><tr><th>Name</th><th>Kind</th><th>Added</th><th>Last used</th><th class="actions-col"></th></tr></thead>
    <tbody>
      {% for s in secrets %}
      <tr>
        <td class="mono">{{ s.name }}</td>
        <td><span class="chip">{{ 'SSH key' if s.kind == 'ssh_key' else 'password' }}</span></td>
        <td>{{ s.created_at | datetime }}</td>
        <td>{{ (s.last_used_at | datetime) if s.last_used_at else '—' }}</td>
        <td class="row-actions">{{ m.icon_delete('/ui/vault/' ~ (s.name|urlencode) ~ '/delete', 'Delete secret “' ~ s.name ~ '”? Devices referencing it will fall back to inline config.', 'Delete secret') }}</td>
      </tr>
      {% endfor %}
    </tbody>
  </table>
  {% else %}
  <p class="muted">No secrets stored. <a href="/vault/new">Add one →</a></p>
  {% endif %}
  {% endif %}
</div>
{% endblock %}