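---
# Compose stack: OpenBao (secrets store), an OpenBao proxy sidecar that
# authenticates via AppRole, and Spindle, which reads secrets through the proxy.
services:
  # ── OpenBao server (production) ────────────────────────────────────────────
  openbao:
    # NOTE(review): ":latest" is a moving tag. Pin to a vetted release tag or
    # an image digest (quay.io/openbao/openbao@sha256:<digest>) so the secrets
    # store cannot change underneath you on the next pull.
    image: quay.io/openbao/openbao:latest
    container_name: openbao
    restart: unless-stopped
    cap_add:
      - IPC_LOCK  # required to prevent secrets being swapped to disk
    command: server
    volumes:
      - ./config/openbao/server.hcl:/openbao/config/server.hcl:ro
      - openbao-data:/openbao/data
    ports:
      # Published on loopback only: host CLI access still works, but the API is
      # no longer reachable from other machines. Remove the mapping entirely if
      # host access is not needed; widen it only behind TLS and a firewall.
      - "127.0.0.1:8200:8200"
    environment:
      # Client-side address used by the `bao` CLI inside this container (for
      # example via `docker exec`); loopback matches the healthcheck below.
      # The listener itself is configured in server.hcl (not shown here).
      # NOTE(review): the http:// scheme implies the API is served without TLS;
      # confirm the listener stanza, since tokens and secrets would otherwise
      # cross spindle-net in clear text.
      BAO_ADDR: "http://127.0.0.1:8200"
    networks:
      - spindle-net
    healthcheck:
      # NOTE(review): `bao status` is expected to exit non-zero while the
      # server is sealed, so dependants wait until it is unsealed - confirm
      # this matches your unseal procedure and the retry budget below.
      test: ["CMD", "bao", "status", "-address=http://127.0.0.1:8200"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 5s

  # ── OpenBao proxy (AppRole auto-auth sidecar) ──────────────────────────────
  openbao-proxy:
    # NOTE(review): same pinning concern as the server image above.
    image: quay.io/openbao/openbao:latest
    container_name: openbao-proxy
    restart: unless-stopped
    command: proxy -config=/openbao/config/proxy.hcl
    depends_on:
      openbao:
        condition: service_healthy
    volumes:
      - ./config/openbao/proxy.hcl:/openbao/config/proxy.hcl:ro
      # role-id + secret-id written by init script. These are credentials:
      # keep the volume read-only here and mount it in no other service.
      - openbao-approle:/openbao/approle:ro
    # No ports are published: the proxy is reachable only on spindle-net.
    # NOTE(review): if proxy.hcl attaches the auto-auth token to forwarded
    # requests, any container on spindle-net inherits the AppRole's access -
    # keep pipeline containers off this network and scope the role's policy
    # to the "spindle" mount only.
    networks:
      - spindle-net
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8201/v1/sys/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s

  # ── Spindle (built from tangled.org/core) ──────────────────────────────────
  spindle:
    build:
      context: .
      dockerfile: Dockerfile.spindle
    container_name: spindle
    restart: unless-stopped
    depends_on:
      openbao-proxy:
        condition: service_healthy
    volumes:
      # spindle spawns pipeline containers. Access to the Docker socket is
      # root-equivalent on the host: a compromise of spindle (or of anything
      # that can drive it) is a compromise of the host. Run this stack on a
      # dedicated host or VM, and consider a filtering socket proxy that allows
      # only the API calls spindle needs.
      - /var/run/docker.sock:/var/run/docker.sock
      - spindle-db:/data
      - spindle-logs:/var/log/spindle
    ports:
      # NOTE(review): published on all host interfaces. If a TLS-terminating
      # reverse proxy on this host fronts spindle, bind to loopback instead
      # ("127.0.0.1:6555:6555").
      - "6555:6555"
    env_file:
      # SPINDLE_SERVER_HOSTNAME, SPINDLE_SERVER_OWNER
      # Keep .env out of version control.
      - .env
    environment:
      SPINDLE_SERVER_LISTEN_ADDR: "0.0.0.0:6555"
      SPINDLE_SERVER_DB_PATH: "/data/spindle.db"
      SPINDLE_SERVER_SECRETS_PROVIDER: "openbao"
      # Plain HTTP to the sidecar; this traffic stays on spindle-net.
      SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR: "http://openbao-proxy:8201"
      SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT: "spindle"
      SPINDLE_PIPELINES_LOG_DIR: "/var/log/spindle"
    networks:
      - spindle-net

volumes:
  # Holds OpenBao's storage backend; back it up and restrict host access.
  openbao-data:
  # Holds the AppRole role-id and secret-id; treat as secret material.
  openbao-approle:
  spindle-db:
  spindle-logs:

networks:
  spindle-net:
    driver: bridge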