[infra] vault + chsettle + aurora for dev

ci/prod/compose/aurora_gateway.dockerfile

@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1.7
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+FROM golang:alpine AS build
+ARG APP_VERSION=dev
+ARG GIT_REV=unknown
+ARG BUILD_BRANCH=unknown
+ARG BUILD_DATE=unknown
+ARG BUILD_USER=ci
+ENV GO111MODULE=on
+ENV PATH="/go/bin:${PATH}"
+WORKDIR /src
+COPY . .
+RUN apk add --no-cache git build-base
+WORKDIR /src/api/gateway/aurora
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -ldflags "\
+      -s -w \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Version=${APP_VERSION} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Revision=${GIT_REV} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.Branch=${BUILD_BRANCH} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.BuildUser=${BUILD_USER} \
+      -X github.com/tech/sendico/gateway/aurora/internal/appversion.BuildDate=${BUILD_DATE}" \
+    -o /out/aurora-gateway .
+
+FROM alpine:latest AS runtime
+RUN apk add --no-cache ca-certificates tzdata wget
+WORKDIR /app
+COPY api/gateway/aurora/config.yml /app/config.yml
+COPY --from=build /out/aurora-gateway /app/aurora-gateway
+EXPOSE 50075 9404 8084
+ENTRYPOINT ["/app/aurora-gateway"]
+CMD ["--config.file", "/app/config.yml"]

ci/prod/compose/aurora_gateway.yml

@@ -0,0 +1,46 @@
+# Compose v2 - Aurora Gateway
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+    - ../env/.env.version
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  sendico_aurora_gateway:
+    <<: *common-env
+    container_name: sendico-aurora-gateway
+    platform: linux/amd64
+    restart: unless-stopped
+    image: ${REGISTRY_URL}/gateway/aurora:${IMAGE_TAG:-${APP_V}}
+    pull_policy: always
+    environment:
+      AURORA_GATEWAY_MONGO_HOST: ${AURORA_GATEWAY_MONGO_HOST}
+      AURORA_GATEWAY_MONGO_PORT: ${AURORA_GATEWAY_MONGO_PORT}
+      AURORA_GATEWAY_MONGO_DATABASE: ${AURORA_GATEWAY_MONGO_DATABASE}
+      AURORA_GATEWAY_MONGO_USER: ${AURORA_GATEWAY_MONGO_USER}
+      AURORA_GATEWAY_MONGO_PASSWORD: ${AURORA_GATEWAY_MONGO_PASSWORD}
+      AURORA_GATEWAY_MONGO_AUTH_SOURCE: ${AURORA_GATEWAY_MONGO_AUTH_SOURCE}
+      AURORA_GATEWAY_MONGO_REPLICA_SET: ${AURORA_GATEWAY_MONGO_REPLICA_SET}
+      NATS_URL: ${NATS_URL}
+      NATS_HOST: ${NATS_HOST}
+      NATS_PORT: ${NATS_PORT}
+      NATS_USER: ${NATS_USER}
+      NATS_PASSWORD: ${NATS_PASSWORD}
+    command: ["--config.file", "/app/config.yml"]
+    ports:
+      - "0.0.0.0:${AURORA_GATEWAY_GRPC_PORT}:50075"
+      - "0.0.0.0:${AURORA_GATEWAY_METRICS_PORT}:9404"
+      - "0.0.0.0:${AURORA_GATEWAY_HTTP_PORT}:8084"
+    healthcheck:
+      test: ["CMD-SHELL","wget -qO- http://localhost:9404/health | grep -q '\"status\":\"ok\"'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - sendico-net

ci/prod/compose/bff.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/bff .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/edge/bff/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/edge/bff/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/edge/bff/assets /app/assets
 COPY api/edge/bff/env /app/env
 COPY api/pkg/auth/internal/casbin/models/auth.conf /app/env/permissions_model.conf

ci/prod/compose/bff.yml

@@ -60,7 +60,7 @@ services:
       PERMISSION_COLLECTION: ${PERMISSION_COLLECTION}
       PERMISSION_TIMEOUT: ${PERMISSION_TIMEOUT}
       PERMISSION_IS_FILTERED: ${PERMISSION_IS_FILTERED}
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       VAULT_TOKEN_FILE: /run/vault/token
     ports:
       - "0.0.0.0:${BFF_HTTP_PORT}:8081"
@@ -86,7 +86,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       BFF_VAULT_ROLE_ID: ${BFF_VAULT_ROLE_ID}
       BFF_VAULT_SECRET_ID: ${BFF_VAULT_SECRET_ID}
     command: >

ci/prod/compose/callbacks.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/callbacks .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/edge/callbacks/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/edge/callbacks/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/edge/callbacks/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/callbacks /app/callbacks
 RUN chmod +x /app/entrypoint.sh

ci/prod/compose/callbacks.yml

@@ -40,7 +40,7 @@ services:
       NATS_USER: ${NATS_USER}
       NATS_PASSWORD: ${NATS_PASSWORD}
       CALLBACKS_METRICS_PORT: ${CALLBACKS_METRICS_PORT}
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       VAULT_TOKEN_FILE: /run/vault/token
     command: ["--config.file", "/app/config.yml"]
     ports:
@@ -67,7 +67,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       CALLBACKS_VAULT_ROLE_ID: ${CALLBACKS_VAULT_ROLE_ID}
       CALLBACKS_VAULT_SECRET_ID: ${CALLBACKS_VAULT_SECRET_ID}
     command: >

ci/prod/compose/chain_gateway.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/chain-gateway .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/gateway/chain/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/gateway/chain/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/gateway/chain/env /app/env
 COPY api/gateway/chain/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/chain-gateway /app/chain-gateway

ci/prod/compose/chain_gateway.yml

@@ -75,7 +75,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       CHAIN_GATEWAY_VAULT_ROLE_ID: ${CHAIN_GATEWAY_VAULT_ROLE_ID}
       CHAIN_GATEWAY_VAULT_SECRET_ID: ${CHAIN_GATEWAY_VAULT_SECRET_ID}
     command: >

ci/prod/compose/chsettle_gateway.dockerfile

@@ -0,0 +1,37 @@
+# syntax=docker/dockerfile:1.7
+
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
+
+FROM golang:alpine AS build
+ARG APP_VERSION=dev
+ARG GIT_REV=unknown
+ARG BUILD_BRANCH=unknown
+ARG BUILD_DATE=unknown
+ARG BUILD_USER=ci
+ENV GO111MODULE=on
+ENV PATH="/go/bin:${PATH}"
+WORKDIR /src
+COPY . .
+RUN apk add --no-cache git build-base
+WORKDIR /src/api/gateway/chsettle
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+    go build -trimpath -ldflags "\
+      -s -w \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Version=${APP_VERSION} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Revision=${GIT_REV} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.Branch=${BUILD_BRANCH} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.BuildUser=${BUILD_USER} \
+      -X github.com/tech/sendico/gateway/chsettle/internal/appversion.BuildDate=${BUILD_DATE}" \
+    -o /out/chsettle-gateway .
+
+FROM alpine:latest AS runtime
+RUN apk add --no-cache ca-certificates tzdata wget
+WORKDIR /app
+COPY api/gateway/chsettle/config.yml /app/config.yml
+COPY --from=build /out/chsettle-gateway /app/chsettle-gateway
+EXPOSE 50080 9406
+ENTRYPOINT ["/app/chsettle-gateway"]
+CMD ["--config.file", "/app/config.yml"]

ci/prod/compose/chsettle_gateway.yml

@@ -0,0 +1,46 @@
+# Compose v2 - ChimeraSettle Gateway
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+    - ../env/.env.version
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  sendico_chsettle_gateway:
+    <<: *common-env
+    container_name: sendico-chsettle-gateway
+    platform: linux/amd64
+    restart: unless-stopped
+    image: ${REGISTRY_URL}/gateway/chsettle:${IMAGE_TAG:-${APP_V}}
+    pull_policy: always
+    environment:
+      CHSETTLE_GATEWAY_MONGO_HOST: ${CHSETTLE_GATEWAY_MONGO_HOST}
+      CHSETTLE_GATEWAY_MONGO_PORT: ${CHSETTLE_GATEWAY_MONGO_PORT}
+      CHSETTLE_GATEWAY_MONGO_DATABASE: ${CHSETTLE_GATEWAY_MONGO_DATABASE}
+      CHSETTLE_GATEWAY_MONGO_USER: ${CHSETTLE_GATEWAY_MONGO_USER}
+      CHSETTLE_GATEWAY_MONGO_PASSWORD: ${CHSETTLE_GATEWAY_MONGO_PASSWORD}
+      CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE: ${CHSETTLE_GATEWAY_MONGO_AUTH_SOURCE}
+      CHSETTLE_GATEWAY_MONGO_REPLICA_SET: ${CHSETTLE_GATEWAY_MONGO_REPLICA_SET}
+      NATS_URL: ${NATS_URL}
+      NATS_HOST: ${NATS_HOST}
+      NATS_PORT: ${NATS_PORT}
+      NATS_USER: ${NATS_USER}
+      NATS_PASSWORD: ${NATS_PASSWORD}
+      CHSETTLE_GATEWAY_CHAT_ID: ${CHSETTLE_GATEWAY_CHAT_ID}
+    command: ["--config.file", "/app/config.yml"]
+    ports:
+      - "0.0.0.0:${CHSETTLE_GATEWAY_GRPC_PORT}:50080"
+      - "0.0.0.0:${CHSETTLE_GATEWAY_METRICS_PORT}:9406"
+    healthcheck:
+      test: ["CMD-SHELL","wget -qO- http://localhost:9406/health | grep -q '\"status\":\"ok\"'"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
+    networks:
+      - sendico-net

ci/prod/compose/db.dev.yml

@@ -0,0 +1,163 @@
+# Compose v2 - Dev DB stack without PBM
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+
+volumes:
+  mongo1_data: {}
+  mongo2_data: {}
+  mongo3_data: {}
+  # In-memory store for secrets/material rendered by Vault Agent (no host persistence)
+  vault_secrets:
+    driver: local
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+      o: size=32m,uid=999,gid=999,mode=0750
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  vault-agent-sendico:
+    <<: *common-env
+    image: hashicorp/vault:latest
+    container_name: vault-agent-sendico
+    restart: unless-stopped
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ROLE_ID: ${VAULT_ROLE_ID}
+      VAULT_SECRET_ID: ${VAULT_SECRET_ID}
+    volumes:
+      - ./vault/agent.dev.hcl:/etc/vault/agent.hcl:ro
+      - ./vault/templates:/etc/vault/templates:ro
+      - vault_secrets:/vault/secrets:rw
+    command: >
+      sh -lc 'set -euo pipefail; umask 077;
+              : "$${VAULT_ADDR:?}"; : "$${VAULT_ROLE_ID:?}"; : "$${VAULT_SECRET_ID:?}";
+              printf "%s" "$${VAULT_ROLE_ID}"   > /vault/secrets/role_id;
+              printf "%s" "$${VAULT_SECRET_ID}" > /vault/secrets/secret_id;
+              unset VAULT_ROLE_ID VAULT_SECRET_ID;
+              exec vault agent -config=/etc/vault/agent.hcl'
+    healthcheck:
+      test: ["CMD-SHELL","test -s /vault/secrets/MONGO_INITDB_ROOT_USERNAME -a -s /vault/secrets/MONGO_INITDB_ROOT_PASSWORD -a -s /vault/secrets/mongo.kf"]
+      interval: 5s
+      timeout: 3s
+      retries: 30
+      start_period: 5s
+    networks:
+      - sendico-net
+
+  sendico_db1:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db1
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo1_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    ports: [ "0.0.0.0:${MONGO_PORT}:${MONGO_PORT}" ]
+    networks:
+      - sendico-net
+
+  sendico_db2:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db2
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo2_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - sendico-net
+
+  sendico_db3:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    container_name: sendico_db3
+    restart: unless-stopped
+    depends_on:
+      vault-agent-sendico:
+        condition: service_healthy
+    entrypoint: ["/usr/local/bin/mongo-entrypoint-wrapper.sh"]
+    command: >
+      mongod --replSet ${MONGO_REPLICA_SET} --bind_ip_all --auth
+             --keyFile /vault/secrets/mongo.kf --port ${MONGO_PORT}
+    volumes:
+      - mongo3_data:/data/db
+      - vault_secrets:/vault/secrets:ro
+      - ./ops/mongo-entrypoint.sh:/usr/local/bin/mongo-entrypoint-wrapper.sh:ro
+    healthcheck:
+      test: ["CMD-SHELL","mongosh --quiet --host localhost --port ${MONGO_PORT} --eval 'db.runCommand({ ping: 1 }).ok' || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+    networks:
+      - sendico-net
+
+  mongo_setup:
+    <<: *common-env
+    image: docker.io/library/mongo:latest
+    depends_on:
+      sendico_db1: { condition: service_healthy }
+      sendico_db2: { condition: service_healthy }
+      sendico_db3: { condition: service_healthy }
+    volumes:
+      - vault_secrets:/vault/secrets:ro
+    entrypoint: |
+      bash -c '
+        set -euo pipefail
+        u=$(cat /vault/secrets/MONGO_INITDB_ROOT_USERNAME)
+        p=$(cat /vault/secrets/MONGO_INITDB_ROOT_PASSWORD)
+        until mongosh --quiet --host sendico_db1 --port ${MONGO_PORT} --eval "db.adminCommand({ ping: 1 })"; do
+          echo "waiting for MongoDB…"; sleep 2;
+        done
+        mongosh --host sendico_db1 --port ${MONGO_PORT} -u "$$u" -p "$$p" --authenticationDatabase admin <<'EOJS'
+          try { rs.status() } catch (e) {
+            rs.initiate({
+              _id: "${MONGO_REPLICA_SET}",
+              members: [
+                { _id: 0, host: "sendico_db1:${MONGO_PORT}", priority: 2 },
+                { _id: 1, host: "sendico_db2:${MONGO_PORT}", priority: 1 },
+                { _id: 2, host: "sendico_db3:${MONGO_PORT}", priority: 1 }
+              ]
+            })
+          }
+        EOJS
+      '
+    restart: "no"
+    networks:
+      - sendico-net

ci/prod/compose/tron_gateway.dockerfile

@@ -28,9 +28,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     -o /out/tron-gateway .
 
 FROM alpine:latest AS runtime
+ARG APP_CONFIG_PATH=api/gateway/tron/config.yml
 RUN apk add --no-cache ca-certificates tzdata wget
 WORKDIR /app
-COPY api/gateway/tron/config.yml /app/config.yml
+COPY ${APP_CONFIG_PATH} /app/config.yml
 COPY api/gateway/tron/env /app/env
 COPY api/gateway/tron/entrypoint.sh /app/entrypoint.sh
 COPY --from=build /out/tron-gateway /app/tron-gateway

ci/prod/compose/tron_gateway.yml

@@ -79,7 +79,7 @@ services:
     pull_policy: always
     cap_add: ["IPC_LOCK"]
     environment:
-      VAULT_ADDR: ${VAULT_ADDR}
+      VAULT_ADDR: ${APP_VAULT_ADDR:-${VAULT_ADDR}}
       TRON_GATEWAY_VAULT_ROLE_ID: ${TRON_GATEWAY_VAULT_ROLE_ID}
       TRON_GATEWAY_VAULT_SECRET_ID: ${TRON_GATEWAY_VAULT_SECRET_ID}
     command: >

ci/prod/compose/vault-agent/bff.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {
@@ -18,4 +18,3 @@ auto_auth {
     }
   }
 }
-

ci/prod/compose/vault-agent/callbacks.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {

ci/prod/compose/vault-agent/chain-gateway.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {

ci/prod/compose/vault-agent/tron-gateway.hcl

@@ -1,5 +1,5 @@
 vault {
-  address = "https://vault.sendico.io"
+  address = "{{ env `VAULT_ADDR` }}"
 }
 
 auto_auth {

ci/prod/compose/vault-server/config.hcl

@@ -0,0 +1,12 @@
+storage "file" {
+  path = "/vault/file"
+}
+
+listener "tcp" {
+  address     = "0.0.0.0:8200"
+  tls_disable = true
+}
+
+api_addr = "http://dev-vault:8200"
+ui = true
+disable_mlock = true

ci/prod/compose/vault.yml

@@ -0,0 +1,37 @@
+# Compose v2 - Dev Vault
+
+x-common-env: &common-env
+  env_file:
+    - ../env/.env.runtime
+
+volumes:
+  dev_vault_data: {}
+
+networks:
+  sendico-net:
+    external: true
+    name: sendico-net
+
+services:
+  dev_vault:
+    <<: *common-env
+    image: hashicorp/vault:latest
+    container_name: dev-vault
+    restart: unless-stopped
+    cap_add: ["IPC_LOCK"]
+    environment:
+      VAULT_ADDR: http://127.0.0.1:8200
+    command: vault server -config=/vault/config/vault.hcl
+    volumes:
+      - dev_vault_data:/vault/file
+      - ./vault-server/config.hcl:/vault/config/vault.hcl:ro
+    ports:
+      - "0.0.0.0:${VAULT_HTTP_PORT}:8200"
+    healthcheck:
+      test: ["CMD-SHELL","export VAULT_ADDR=http://127.0.0.1:8200; vault status >/dev/null 2>&1; rc=$?; [ \"$rc\" -eq 0 ] || [ \"$rc\" -eq 2 ]"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+      start_period: 10s
+    networks:
+      - sendico-net

ci/prod/compose/vault/agent.dev.hcl

@@ -0,0 +1,29 @@
+# Vault Agent for the dev DB stack. AppRole creds are files on the host.
+pid_file = "/tmp/vault-agent.pid"
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path   = "/vault/secrets/role_id"
+      secret_id_file_path = "/vault/secrets/secret_id"
+    }
+  }
+  sink "file" { config = { path = "/vault/token" } }
+}
+
+vault { address = "{{ env `VAULT_ADDR` }}" }
+
+template {
+  source      = "/etc/vault/templates/mongo/user.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_USERNAME"
+}
+template {
+  source      = "/etc/vault/templates/mongo/pass.ctmpl"
+  destination = "/vault/secrets/MONGO_INITDB_ROOT_PASSWORD"
+}
+template {
+  source      = "/etc/vault/templates/mongo/keyfile.ctmpl"
+  destination = "/vault/secrets/mongo.kf"
+  command     = "sh -lc 'chown 999:999 /vault/secrets/mongo.kf && chmod 0400 /vault/secrets/mongo.kf'"
+}