---
# ==============================================
# OpenBao Standalone Deployment - Portainer Version
# ==============================================
#
# Variant of the OpenBao stack tuned for deployment through Portainer:
# - No env_file directive (variables are set in Portainer's environment editor)
# - Port is published on all interfaces (Portainer limitation)
# - Every environment variable is defined explicitly
#
# Usage in Portainer:
# 1. Stacks -> Add Stack
# 2. Name: mosaic-openbao
# 3. Paste this file content
# 4. Add environment variables in the "Environment variables" section:
#    - IMAGE_TAG=dev
#    - OPENBAO_PORT=8200
# 5. Deploy
#
# SECURITY NOTE: Port 8200 will be exposed on 0.0.0.0 (all interfaces).
# Use firewall rules to restrict access if needed.
# NOTE(review): every address in this file uses http://. Whether the
# listener terminates TLS is decided in config.hcl, which is not part of
# this file -- confirm before exposing the port beyond a trusted network,
# since tokens and secrets would otherwise cross the wire in cleartext.
# ==============================================

services:
  # ======================
  # OpenBao Secrets Vault
  # ======================
  openbao:
    # NOTE(review): the default tag "dev" is mutable. Outside development,
    # set IMAGE_TAG to an immutable tag or pin the image by digest.
    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
    container_name: mosaic-openbao
    # dumb-init is the entrypoint; the server command below is passed to it
    # as arguments.
    entrypoint:
      - dumb-init
      - '--'
    command:
      - bao
      - server
      - '-config=/openbao/config/config.hcl'
    environment:
      # NOTE(review): which component inside the image reads OPENBAO_ADDR is
      # not visible from this file -- verify against the image.
      OPENBAO_ADDR: 'http://0.0.0.0:8200'
    ports:
      # No host IP is given, so the port is published on every host interface
      # (see the SECURITY NOTE in the header). Quoted so the mapping is always
      # read as a string.
      - "${OPENBAO_PORT:-8200}:8200"
    volumes:
      - openbao_data:/openbao/data
      - openbao_logs:/openbao/logs
      # Shared with the openbao-init sidecar.
      # NOTE(review): presumably init.sh writes its initialization output
      # here; if that includes unseal keys or a root token, confirm the
      # server container really needs this mount.
      - openbao_init:/openbao/init
    cap_add:
      # IPC_LOCK permits memory locking (mlock); presumably so the server can
      # keep secret material out of swap -- depends on config.hcl, confirm.
      - IPC_LOCK
    healthcheck:
      # standbyok/uninitcode/sealedcode make the endpoint answer 200 for a
      # standby, uninitialized or sealed server, so "healthy" here means
      # "API reachable", not "unsealed and serving secrets". Monitor the seal
      # state separately if that matters.
      test:
        - CMD-SHELL
        - "wget --spider --quiet 'http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200'"
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    restart: unless-stopped
    networks:
      - mosaic_internal

  # ======================
  # OpenBao Init Sidecar
  # ======================
  # Auto-initializes and unseals OpenBao on first run
  openbao-init:
    image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
    container_name: mosaic-openbao-init
    command: /openbao/init.sh
    environment:
      # Reaches the server by its service name on the shared network.
      OPENBAO_ADDR: 'http://openbao:8200'
    volumes:
      # NOTE(review): init.sh is not shown. If it stores unseal keys or a
      # root token in this volume, access to the volume (or to the Docker
      # host) is equivalent to full control of the vault -- restrict it and
      # consider moving that material elsewhere after first run.
      - openbao_init:/openbao/init
    depends_on:
      # Short form only orders container start; it does not wait for the
      # healthcheck above.
      # NOTE(review): with restart "no" the sidecar gets a single attempt,
      # so init.sh needs its own wait/retry loop -- confirm.
      - openbao
    restart: "no"
    networks:
      - mosaic_internal

# ======================
# Volumes
# ======================
volumes:
  # Each volume carries an explicit name, so the name on the host does not
  # depend on the stack/project name.

  # Storage mounted at /openbao/data in the openbao service.
  openbao_data:
    name: mosaic-openbao-data
    driver: local

  # Mounted at /openbao/logs in the openbao service.
  openbao_logs:
    name: mosaic-openbao-logs
    driver: local

  # Shared between the openbao service and the openbao-init sidecar.
  # NOTE(review): presumably holds whatever init.sh writes on first run; if
  # that includes unseal keys or a root token, treat this volume (and any
  # backup of it) as sensitive as the vault itself -- confirm.
  openbao_init:
    name: mosaic-openbao-init
    driver: local

# ======================
# Networks
# ======================
# Connect to the swarm stack's internal network
networks:
  # external: true means this file does not create the network; it must
  # already exist under the given name or the deployment fails.
  # NOTE(review): if mosaic_internal is a swarm overlay network, it has to be
  # attachable for these standalone containers to join it -- confirm.
  mosaic_internal:
    name: mosaic_internal
    external: true