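# HashiCorp Vault Configuration for BreakPilot
#
# Usage:
#   Development mode (-dev: auto-unsealed, fixed root token, in-memory storage):
#     docker-compose -f docker-compose.vault.yml up -d vault
#
#   Production mode (adds the Vault Agent sidecar):
#     docker-compose -f docker-compose.vault.yml --profile production up -d
#
# After starting Vault in dev mode:
#   export VAULT_ADDR=http://localhost:8200
#   export VAULT_TOKEN=breakpilot-dev-token
#
# The root token below is a development default. Override it via VAULT_DEV_TOKEN
# (e.g. in .env) and never reuse it outside a local dev environment.
#
# License: HashiCorp Vault is BSL 1.1 (open source for non-commercial use)
#          Vault clients (hvac) are Apache-2.0

services:
  # HashiCorp Vault - Secrets Management
  vault:
    image: hashicorp/vault:1.15
    container_name: breakpilot-pwa-vault
    ports:
      # Bind the host side to loopback only: this server runs with a known
      # dev root token over plain HTTP, so it must not be reachable from
      # other hosts. The documented VAULT_ADDR (localhost:8200) still works.
      - "127.0.0.1:8200:8200"
    environment:
      # Development mode settings
      VAULT_DEV_ROOT_TOKEN_ID: ${VAULT_DEV_TOKEN:-breakpilot-dev-token}
      # 0.0.0.0 inside the container so vault-agent / vault-init can reach
      # it over the compose network as http://vault:8200.
      VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
      # Used by the healthcheck's `vault status` call below.
      VAULT_ADDR: "http://127.0.0.1:8200"
      # NOTE(review): 0.0.0.0 is not an address clients can be redirected to;
      # confirm this is intended before using it outside dev mode.
      VAULT_API_ADDR: "http://0.0.0.0:8200"
    cap_add:
      - IPC_LOCK  # Required for mlock (keeps Vault memory out of swap)
    volumes:
      # -dev uses in-memory storage; these volumes only matter if the server
      # is started with a real storage backend / -config.
      - vault_data:/vault/data
      - vault_logs:/vault/logs
      # Mounted read-only but not referenced by the -dev command below;
      # they are only picked up if the command passes -config.
      - ./vault/config:/vault/config:ro
      - ./vault/policies:/vault/policies:ro
    command: server -dev -dev-root-token-id=${VAULT_DEV_TOKEN:-breakpilot-dev-token}
    healthcheck:
      # `vault status` exits 0 only when the server is up and unsealed.
      test: ["CMD", "vault", "status"]
      interval: 10s
      timeout: 5s
      retries: 3
    networks:
      - breakpilot-pwa-network
    restart: unless-stopped

  # Vault Agent for automatic secret injection (production)
  # NOTE(review): this still targets the dev-mode server above over plain
  # HTTP; a production deployment needs a non-dev Vault with TLS.
  vault-agent:
    image: hashicorp/vault:1.15
    container_name: breakpilot-pwa-vault-agent
    profiles:
      - production
    depends_on:
      vault:
        condition: service_healthy
    environment:
      VAULT_ADDR: "http://vault:8200"
    volumes:
      - ./vault/agent-config.hcl:/vault/config/agent-config.hcl:ro
      # Rendered secrets land here; share this volume only with the
      # services that need them.
      - vault_agent_secrets:/vault/secrets
    command: agent -config=/vault/config/agent-config.hcl
    networks:
      - breakpilot-pwa-network
    restart: unless-stopped

  # Vault initializer - Seeds secrets in development
  # One-shot job (no restart policy). It has no profile, so it also starts
  # under `--profile production` when no service names are given.
  vault-init:
    image: hashicorp/vault:1.15
    container_name: breakpilot-pwa-vault-init
    depends_on:
      vault:
        condition: service_healthy
    environment:
      VAULT_ADDR: "http://vault:8200"
      VAULT_TOKEN: ${VAULT_DEV_TOKEN:-breakpilot-dev-token}
    volumes:
      - ./vault/init-secrets.sh:/vault/init-secrets.sh:ro
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        # Fail on the first error so the success message below is only
        # printed when the seed script actually succeeded.
        set -eu
        sleep 5
        # The script is bind-mounted read-only, so `chmod +x` would fail
        # with EROFS; invoke it through sh instead of relying on the
        # host file's execute bit.
        sh /vault/init-secrets.sh
        echo "Vault initialized with development secrets"
    networks:
      - breakpilot-pwa-network

volumes:
  vault_data:
    name: breakpilot_vault_data
  vault_logs:
    name: breakpilot_vault_logs
  vault_agent_secrets:
    name: breakpilot_vault_agent_secrets

networks:
  # Must already exist (created by the main compose file or by hand);
  # `external: true` means this file never creates it.
  breakpilot-pwa-network:
    external: true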