Files
OpenBAO/docker-compose.yml
Lutz Finsterle 14f46e1082 Add unsealer, internal CA/TLS, auto-unseal, and automated cert+backup
Build out the home-lab OpenBAO deployment beyond the basic node:

- docker-compose: add openbao-unsealer sidecar; main node now transit
  auto-unseals against it (seal config kept in gitignored config/seal.hcl)
- policies/admin.hcl: non-root admin policy; per-engine rules for
  ssh/pki/pki_int/totp/transit
- Internal two-tier CA (pki/ root + pki_int/ intermediate) issues the
  openbao.famfi.home leaf Traefik serves; root CA published under ca/
- scripts/ + systemd/: daily cert renewal and Raft snapshot backups
  (both instances), with scoped tokens stored outside the repo
- README: full runbook (auto-unseal, PKI, renewal, backups, DR/restore)

Secrets (init/unsealer keys, tokens, seal stanza) stay gitignored.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 14:28:49 +02:00

65 lines
2.0 KiB
YAML

services:
  openbao:
    image: openbao/openbao:2.5.5
    container_name: openbao
    restart: unless-stopped
    # The image entrypoint already runs `bao server -config=/openbao/config`
    # (the whole config dir), so we only pass the subcommand here.
    command: server
    ports:
      # Plaintext API bound to loopback only — local CLI/admin use. LAN clients
      # reach OpenBAO via Traefik (TLS) at https://openbao.famfi.home instead.
      - "127.0.0.1:8200:8200"
    environment:
      BAO_ADDR: "http://127.0.0.1:8200"
    networks:
      - default
      # Joining traefik_proxy means every container on that network, not only
      # Traefik, can reach the plaintext API at http://openbao:8200.
      - traefik_proxy
    volumes:
      - ./config:/openbao/config:ro
      - openbao-data:/openbao/file
    healthcheck:
      # `bao status` exits 0 when unsealed (active or standby) and 2 while
      # sealed. Treat both as healthy so the container counts as healthy as
      # soon as the API is responding at all; only exit 1 (API not answering)
      # fails the check. `$$` keeps compose from interpolating the shell `$?`.
      test: ["CMD-SHELL", "bao status -address=http://127.0.0.1:8200 >/dev/null 2>&1; rc=$$?; [ $$rc -eq 0 ] || [ $$rc -eq 2 ]"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 10s
    # Start order only: compose does not wait for the unsealer to be unsealed.
    depends_on:
      - openbao-unsealer
  # Minimal sidecar instance that provides transit auto-unseal for the main
  # node above. Shamir-sealed itself; only reachable on the internal network.
  openbao-unsealer:
    image: openbao/openbao:2.5.5
    container_name: openbao-unsealer
    restart: unless-stopped
    command: server
    # No host port published — only the main node needs it, over the default net.
    environment:
      BAO_ADDR: "http://127.0.0.1:8200"
    networks:
      - default
    volumes:
      - ./config-unsealer:/openbao/config:ro
      - openbao-unsealer-data:/openbao/file
    healthcheck:
      # Plain `bao status` here on purpose: it exits 2 while sealed, so
      # "unhealthy" after a restart means this node still needs a manual
      # Shamir unseal before the main node can auto-unseal again.
      test: ["CMD", "bao", "status", "-address=http://127.0.0.1:8200"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 10s
networks:
  # Project-internal network (default).
  default:
  # Shared with the Traefik stack so Traefik can reach this container by name
  # (http://openbao:8200). Created by the Traefik compose project.
  traefik_proxy:
    external: true
volumes:
  openbao-data:
  openbao-unsealer-data:
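The compose file wires the main node to the openbao-unsealer sidecar for transit auto-unseal, but the seal stanza lives in the gitignored config/seal.hcl and the unsealer-side setup is not shown. The script below is an added example, not code from this repository: it provisions the transit key and a least-privilege token on the unsealer and renders the seal stanza the main node needs. The mount path transit/, the key and policy name autounseal, and the output path config/seal.hcl are assumptions; the unsealer address uses the compose service name on the project-internal network, as the comments above describe.

```shell
#!/bin/sh
# Added example (not from the repo): provision the unsealer side of transit
# auto-unseal and render the main node's gitignored config/seal.hcl.
# Assumed names, not taken from the compose file: transit mount "transit/",
# key and policy both called "autounseal". The unsealer is reached from the
# main node by its compose service name on the project-internal network.
set -eu

UNSEALER_ADDR="${UNSEALER_ADDR:-http://openbao-unsealer:8200}"
MOUNT_PATH="${MOUNT_PATH:-transit/}"
KEY_NAME="${KEY_NAME:-autounseal}"

# Least-privilege policy for the token the main node holds: it may only call
# encrypt/decrypt on the one key, never read, rotate or delete it.
unseal_policy() {
  cat <<EOF
path "${MOUNT_PATH}encrypt/${KEY_NAME}" {
  capabilities = ["update"]
}
path "${MOUNT_PATH}decrypt/${KEY_NAME}" {
  capabilities = ["update"]
}
EOF
}

# The seal stanza the main node loads from config/seal.hcl. It embeds the
# token, which is why the file stays out of git. $1 is that token.
seal_stanza() {
  cat <<EOF
seal "transit" {
  address    = "${UNSEALER_ADDR}"
  token      = "$1"
  key_name   = "${KEY_NAME}"
  mount_path = "${MOUNT_PATH}"
}
EOF
}

# Runs against the unsealer (already initialised and unsealed) with an admin
# token in BAO_TOKEN. Every bao invocation here is a standard CLI command.
provision() {
  export BAO_ADDR="$UNSEALER_ADDR"
  # Enabling a mount that already exists fails; ignore that so reruns work.
  bao secrets enable -path="${MOUNT_PATH%/}" transit 2>/dev/null || true
  # Creating a transit key that already exists is a no-op.
  bao write -f "${MOUNT_PATH}keys/${KEY_NAME}" >/dev/null
  unseal_policy | bao policy write "$KEY_NAME" -
  # Orphan so revoking the admin token does not cascade to it; periodic so it
  # never hits a max TTL. The transit seal renews it itself while the main
  # node runs, as long as disable_renewal is not set in the stanza.
  token=$(bao token create -orphan -policy="$KEY_NAME" -period=24h -field=token)
  umask 077
  seal_stanza "$token" > config/seal.hcl
  echo "wrote config/seal.hcl; restart the openbao service to pick it up"
}

# Only touch the unsealer when asked; running without arguments is harmless.
if [ "${1:-}" = "provision" ]; then
  provision
fi
```

Run it from the compose project directory as `BAO_TOKEN=<unsealer admin token> sh provision-unseal.sh provision` (the script name is arbitrary). Because the main node's entrypoint loads the whole /openbao/config directory, dropping seal.hcl into ./config is enough; the token in that file can only encrypt and decrypt with the one key, so a leak of seal.hcl does not grant any other access to the unsealer.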