---
# ----------------------------------------------------------------------
# OpenBao secrets vault -- Docker Swarm / Portainer stack
# ----------------------------------------------------------------------
#
# Deploy through Portainer, or directly with:
#   docker stack deploy -c docker-compose.openbao.yml stack-openbao
#
# Both services join the main Mosaic stack's overlay network
# (mosaic_internal, created elsewhere and referenced as external below).
# The init sidecar initializes and unseals OpenBao on first run.
#
# Review notes (defender's view):
#   - IMAGE_TAG falls back to the mutable "dev" tag. Outside a dev
#     environment set IMAGE_TAG to an immutable tag or a digest so the
#     deployed artifact is reproducible and auditable.
#   - Sidecar <-> server traffic is plain HTTP on the overlay network.
#     Overlay traffic is only encrypted if the network was created with
#     encryption enabled -- confirm that, or terminate TLS in config.hcl.
# ----------------------------------------------------------------------

services:

  # --- OpenBao server --------------------------------------------------
  openbao:
    image: 'git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}'
    command: 'server -config=/openbao/config/config.hcl'
    environment:
      OPENBAO_ADDR: 'http://0.0.0.0:8200'
    # IPC_LOCK lets the server mlock() its memory so key material is not
    # paged out to swap (required unless disable_mlock is set in config.hcl).
    cap_add:
      - IPC_LOCK
    volumes:
      - 'openbao_data:/openbao/data'
      - 'openbao_logs:/openbao/logs'
      # NOTE(review): the server shares openbao_init with the sidecar. If
      # init.sh persists its init output there (unseal keys / root token),
      # a compromise of this container exposes them as well. Confirm the
      # server actually needs this mount and drop it if it does not.
      - 'openbao_init:/openbao/init'
    healthcheck:
      # uninitcode=200 / sealedcode=200 make the probe pass while OpenBao
      # is still uninitialized or sealed, so the task stays resolvable via
      # service DNS for the init sidecar. "healthy" therefore does NOT
      # mean "unsealed" -- monitoring should query /v1/sys/health without
      # these overrides for that signal.
      test:
        - CMD-SHELL
        - >-
          wget --spider --quiet
          'http://localhost:8200/v1/sys/health?standbyok=true&uninitcode=200&sealedcode=200'
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    networks:
      - mosaic_internal
    deploy:
      restart_policy:
        # on-failure: a task that exits 0 is not restarted by Swarm.
        condition: on-failure

  # --- Init / unseal sidecar -------------------------------------------
  # Initializes and unseals OpenBao on first run. Polls the OpenBao API
  # for up to 60 seconds, then stays up in an unseal watch loop so the
  # server is re-unsealed after a container restart.
  openbao-init:
    image: 'git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}'
    command: '/openbao/init.sh'
    environment:
      VAULT_ADDR: 'http://openbao:8200'
    volumes:
      # Only persistent storage the sidecar has; presumably where init
      # output is kept between restarts -- see the note on the server's
      # mount of the same volume above.
      - 'openbao_init:/openbao/init'
    networks:
      - mosaic_internal
    deploy:
      restart_policy:
        condition: on-failure
        # After five failed starts Swarm stops retrying this task. If the
        # sidecar is what unseals the server, the vault would presumably
        # stay sealed after the server's next restart until someone
        # intervenes -- worth alerting on this service's task state.
        max_attempts: 5
        delay: 10s

# --- Volumes -----------------------------------------------------------
# All three use the local driver: data lives on the node where the task
# runs, so a task scheduled onto a different node starts with an empty
# volume. Pin placement (node constraint) or use a multi-host volume
# driver if the stack can run on more than one node -- confirm.
volumes:
  openbao_data:
    driver: local
    name: mosaic-openbao-data
  openbao_logs:
    driver: local
    name: mosaic-openbao-logs
  openbao_init:
    driver: local
    name: mosaic-openbao-init

# --- Networks ----------------------------------------------------------
# Pre-existing overlay network owned by the main Mosaic stack; this file
# only attaches to it and does not control its encryption setting.
networks:
  mosaic_internal:
    name: mosaic_internal
    external: true