configuration for self hosting a spindle in docker
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

## [0.1.0] - 2026-04-02

First working release. Tested on Ubuntu Linux.

### Added
- Docker Compose stack with OpenBao (vault), OpenBao proxy (AppRole sidecar), and Spindle (CI runner)
- One-time vault bootstrap script (`init-openbao.sh`) with interactive AppRole Secret ID TTL prompt
- `.env`-based configuration with documented variables and defaults; Compose loads it automatically
- All images pinned to versioned SHA256 digests (OpenBao `2.5.2`, Go `1.25.8-alpine3.23`, Alpine `3.23.3`)
- Spindle source pinned to `v1.13.0-alpha` (commit `c3f60dc1`) with SHA verification at build time
- CGO enabled in builder with `gcc`/`musl-dev` for go-sqlite3 support
- OpenBao port bound to `127.0.0.1` only — not reachable from the network
- `IPC_LOCK` capability on both OpenBao and OpenBao proxy to prevent secrets from swapping to disk
- AppRole credentials owned by OpenBao user (uid 100) with `640` permissions; volume mounted `:ro`
- AppRole credential handling documented in README (`:ro` tradeoff and alternative setup)

[Unreleased]: https://tangled.org/daniel.gay/spindle-docker/compare/v0.1.0...HEAD
[0.1.0]: https://tangled.org/daniel.gay/spindle-docker/releases/tag/v0.1.0