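# Compose stack with three services on one bridge network (spindle-net):
#   openbao        - the secrets vault
#   openbao-proxy  - OpenBao proxy sidecar using AppRole auto-auth
#   spindle        - CI runner; reaches secrets through the proxy
# Start-up order is enforced with health-gated depends_on:
# openbao -> openbao-proxy -> spindle.
services:
  # ── OpenBao (secrets vault) ────────────────────────────────────────────────
  openbao:
    # Pinned by tag and digest, so a re-pushed tag cannot change the image.
    image: quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
    container_name: openbao
    restart: unless-stopped
    command: server
    cap_add:
      - IPC_LOCK  # prevents secrets from being swapped to disk
    environment:
      # NOTE(review): BAO_ADDR is the address the bao CLI connects to; the
      # server's listener comes from the config mounted below. The scheme is
      # plain HTTP, so vault traffic on spindle-net is unencrypted; confirm
      # that is acceptable for this deployment.
      BAO_ADDR: "http://0.0.0.0:8200"
    volumes:
      # Server configuration from the repository checkout (mounted writable).
      - ./config/openbao/server:/openbao/config
      # Persistent vault storage.
      - openbao-data:/openbao/data
    ports:
      # localhost-only; remove entirely if you don't need local CLI access
      - "127.0.0.1:${OPENBAO_PORT:-8200}:8200"
    networks:
      - spindle-net
    healthcheck:
      # The proxy below waits for this check to pass before it starts.
      test: ["CMD", "bao", "status", "-address=http://127.0.0.1:8200"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 5s

  # ── OpenBao proxy (AppRole auto-auth sidecar) ──────────────────────────────
  # No host port is published: the proxy is reachable only from containers
  # attached to spindle-net.
  # NOTE(review): proxy.hcl is not shown here. If it attaches the auto-auth
  # token to forwarded requests, every container on spindle-net inherits the
  # proxy's vault access; confirm only spindle is attached to this network.
  openbao-proxy:
    image: quay.io/openbao/openbao:2.5.2@sha256:6c75c97223873807260352f269640935a07db0c26b3dbf12a98a36ec43ad9878
    container_name: openbao-proxy
    restart: unless-stopped
    command: proxy -config=/openbao/config/proxy.hcl
    cap_add:
      - IPC_LOCK
    depends_on:
      openbao:
        condition: service_healthy
    volumes:
      - ./config/openbao/proxy:/openbao/config
      # role-id + secret-id written by init-openbao.sh; read-only here so the
      # proxy cannot modify its own credentials.
      - openbao-approle:/openbao/approle:ro
    networks:
      - spindle-net
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8201/v1/sys/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s

  # ── Spindle (CI runner) ────────────────────────────────────────────────────
  spindle:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: spindle
    restart: unless-stopped
    depends_on:
      openbao-proxy:
        condition: service_healthy
    environment:
      # HOSTNAME and OWNER have no default; Compose substitutes an empty
      # string when they are unset.
      # NOTE(review): consider the ${VAR:?message} form so a missing value
      # fails at `docker compose up` rather than inside the runner.
      SPINDLE_SERVER_HOSTNAME: "${SPINDLE_SERVER_HOSTNAME}"
      SPINDLE_SERVER_OWNER: "${SPINDLE_SERVER_OWNER}"
      SPINDLE_SERVER_LISTEN_ADDR: "${SPINDLE_SERVER_LISTEN_ADDR:-0.0.0.0:6555}"
      SPINDLE_SERVER_DB_PATH: "${SPINDLE_SERVER_DB_PATH:-/data/spindle.db}"
      SPINDLE_SERVER_SECRETS_PROVIDER: "${SPINDLE_SERVER_SECRETS_PROVIDER:-openbao}"
      # Secrets are fetched via the proxy over plain HTTP on spindle-net.
      SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR: "${SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR:-http://openbao-proxy:8201}"
      SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT: "${SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT:-spindle}"
      SPINDLE_PIPELINES_LOG_DIR: "${SPINDLE_PIPELINES_LOG_DIR:-/var/log/spindle}"
    volumes:
      # spindle spawns pipeline containers on the host daemon.
      # Mounting the Docker socket gives this container full control of the
      # host Docker daemon, which is root-equivalent on the host and includes
      # access to the named volumes declared below.
      # NOTE(review): consider a restricted socket proxy or a dedicated or
      # rootless daemon if that exposure is not acceptable.
      - /var/run/docker.sock:/var/run/docker.sock
      - spindle-db:/data
      - spindle-logs:/var/log/spindle
    ports:
      # No bind address: published on every host interface, unlike the
      # OpenBao port above. NOTE(review): confirm this is intended.
      - "${SPINDLE_PORT:-6555}:6555"
    networks:
      - spindle-net

# Named volumes with fixed names, so they are not prefixed with the Compose
# project name.
volumes:
  openbao-data:
    name: openbao-data
    driver: local
  # Holds the AppRole role-id + secret-id; treat its contents as credentials.
  openbao-approle:
    name: openbao-approle
    driver: local
  spindle-db:
    name: spindle-db
    driver: local
  spindle-logs:
    name: spindle-logs
    driver: local

networks:
  spindle-net:
    driver: bridge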