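# Compose stack: an OpenBao vault, an OpenBao proxy sidecar that authenticates
# via AppRole, and the Spindle CI runner, all attached to one bridge network.
services:
  # ── OpenBao (secrets vault) ────────────────────────────────────────────────
  openbao:
    # NOTE(review): `latest` is a mutable tag, so the vault binary can change
    # on any pull. Pin a reviewed release tag or an image digest, e.g.
    # quay.io/openbao/openbao@sha256:<DIGEST-PLACEHOLDER>.
    image: quay.io/openbao/openbao:latest
    container_name: openbao
    restart: unless-stopped
    command: server
    cap_add:
      - IPC_LOCK  # prevents secrets from being swapped to disk
    environment:
      # Address the `bao` CLI inside the container talks to.
      # NOTE(review): every address in this file uses http://, so the API
      # appears to be served without TLS; the listener itself is defined in
      # server.hcl (not shown here) - confirm.
      BAO_ADDR: "http://0.0.0.0:8200"
    volumes:
      - ./config/openbao/server.hcl:/openbao/config/server.hcl:ro
      - openbao-data:/openbao/data
    ports:
      # Published on the host loopback only. The mapping exists for local CLI
      # access, and a bare "8200:8200" would expose the vault API on every
      # host interface.
      - "127.0.0.1:8200:8200"  # remove if you don't need local CLI access
    networks:
      - spindle-net
    healthcheck:
      # NOTE(review): `bao status` presumably exits non-zero while the vault is
      # sealed (as upstream Vault does), which would keep dependants waiting
      # until it is initialised and unsealed - verify.
      test: ["CMD", "bao", "status", "-address=http://127.0.0.1:8200"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 5s

  # ── OpenBao proxy (AppRole auto-auth sidecar) ──────────────────────────────
  openbao-proxy:
    # NOTE(review): same mutable `latest` tag as the vault; pin both together.
    image: quay.io/openbao/openbao:latest
    container_name: openbao-proxy
    restart: unless-stopped
    command: proxy -config=/openbao/config/proxy.hcl
    depends_on:
      openbao:
        condition: service_healthy
    volumes:
      - ./config/openbao/proxy.hcl:/openbao/config/proxy.hcl:ro
      # role-id + secret-id written by init-openbao.sh. These are the AppRole
      # credentials, so the volume is mounted read-only here and should not be
      # mounted into any other service.
      - openbao-approle:/openbao/approle:ro
    # No `ports:` entry: the proxy listener (8201) is reachable only from
    # containers on spindle-net.
    # NOTE(review): anything attached to spindle-net can reach it; whether
    # requests are served with the proxy's own token depends on proxy.hcl
    # (not shown here) - keep untrusted containers off this network.
    networks:
      - spindle-net
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8201/v1/sys/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s

  # ── Spindle (CI runner) ────────────────────────────────────────────────────
  spindle:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: spindle
    restart: unless-stopped
    depends_on:
      openbao-proxy:
        condition: service_healthy
    environment:
      SPINDLE_SERVER_HOSTNAME: ""  # set to your public hostname
      SPINDLE_SERVER_OWNER: ""  # set to your ATProto DID
      SPINDLE_SERVER_LISTEN_ADDR: "0.0.0.0:6555"
      SPINDLE_SERVER_DB_PATH: "/data/spindle.db"
      SPINDLE_SERVER_SECRETS_PROVIDER: "openbao"
      SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR: "http://openbao-proxy:8201"
      SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT: "spindle"
      SPINDLE_PIPELINES_LOG_DIR: "/var/log/spindle"
    volumes:
      # spindle spawns pipeline containers on the host daemon.
      # The Docker socket grants full control of that daemon, which is
      # effectively root on the host: treat this container as host-privileged
      # and restrict who may submit pipelines accordingly.
      - /var/run/docker.sock:/var/run/docker.sock
      - spindle-db:/data
      - spindle-logs:/var/log/spindle
    ports:
      # NOTE(review): published on all host interfaces. If TLS is terminated
      # by a reverse proxy on this host, bind to 127.0.0.1 instead.
      - "6555:6555"
    networks:
      - spindle-net

volumes:
  # Vault storage backend data.
  openbao-data:
    name: openbao-data
    driver: local
  # AppRole role-id / secret-id shared with openbao-proxy.
  openbao-approle:
    name: openbao-approle
    driver: local
  spindle-db:
    name: spindle-db
    driver: local
  spindle-logs:
    name: spindle-logs
    driver: local

networks:
  spindle-net:
    driver: bridge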