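---
# HashiCorp Vault behind an nginx TLS-terminating reverse proxy.
# Vault's own listener is TLS (https on 8200), so nginx re-encrypts to the
# backend and trusts Vault's cert through the shared ./hc_vault/certs mount.
version: '3.8'

services:
  vault:
    build: ./hc_vault
    image: tepichord/vault:latest
    hostname: vault
    command: server
    # mlock() needs IPC_LOCK so Vault can keep secrets out of swap; this is
    # the only extra capability Vault requires. `privileged: true` was dropped:
    # it grants every capability plus raw access to host devices, which is far
    # more than a secret store should ever hold and makes container escape
    # trivial if Vault is compromised.
    cap_add:
      - IPC_LOCK
    security_opt:
      # Disables SELinux labeling for the container. The `:z` relabel on the
      # volumes below normally makes this unnecessary.
      # NOTE(review): try removing this once the mounts are confirmed to work
      # with labeling left on.
      - label=disable
    volumes:
      # Config and certs are mounted read-only; Vault only writes to its data
      # directory.
      - ./hc_vault/config:/vault/config:ro,z
      - ./hc_vault/certs:/opt/vault/certs:ro,z
      - ./hc_vault/vault_data:/opt/vault/data:z  # host directory (easy to back up)
    environment:
      # Used by the `vault` CLI inside the container (e.g. the healthcheck).
      - VAULT_ADDR=https://127.0.0.1:8200
      # Address advertised to clients/peers for redirects. 0.0.0.0 is a bind
      # address, not a reachable one, so advertise the service name instead.
      # NOTE(review): `vault` must be a SAN on the server certificate in
      # ./hc_vault/certs — confirm before relying on redirects.
      - VAULT_API_ADDR=https://vault:8200
      - VAULT_CACERT=/opt/vault/certs/rootCA.pem
    ports:
      # nginx (below) is the intended public entry point. Direct access to
      # Vault is bound to the host's loopback only, so the raw listener is not
      # reachable from the network without going through the proxy.
      - "127.0.0.1:8200:8200"
    restart: unless-stopped
    healthcheck:
      # `vault status` exits 0 only when Vault is initialised and unsealed;
      # a sealed server (e.g. right after a restart) reports unhealthy until
      # it is unsealed, which is the intended signal here.
      test: ["CMD", "vault", "status", "-format=json"]
      interval: 5m
      timeout: 10s
      retries: 3

  nginx:
    image: nginx:alpine
    hostname: nginx
    volumes:
      # Read-only: nginx only needs to read its config. (If ./nginx/conf ever
      # contains a templates/ dir for the image's envsubst entrypoint, that
      # step would need a writable conf.d.)
      - ./nginx/conf:/etc/nginx:ro,z
      # NOTE(review): this shadows the container's whole /etc/ssl, including
      # the system CA bundle; a narrower mount point (e.g. /etc/nginx/ssl)
      # would be safer if the nginx config can be adjusted to match.
      - ./ssl-certs:/etc/ssl:ro,z
      - ./hc_vault/certs:/etc/vault-certs:ro,z  # for trusting Vault's cert
    ports:
      - "8443:443"
      - "8080:80"  # optional: redirect HTTP to HTTPS
    depends_on:
      - vault
    restart: unless-stopped
    healthcheck:
      # Validates the config only; it does not probe the upstream.
      test: ["CMD", "nginx", "-t"]
      interval: 5m
      timeout: 10s
      retries: 3

networks:
  default:
    name: vault-network
    driver: bridge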