---
# Single-node Vault server run from the upstream image, reachable only from
# the Docker host's loopback interface.
services:
  vault:
    # NOTE(review): "1.17" is a mutable tag; for a reproducible, tamper-evident
    # pull, pin the digest too, e.g. hashicorp/vault:1.17@sha256:<DIGEST>
    # (<DIGEST> is a placeholder; take it from a verified pull).
    image: 'hashicorp/vault:1.17'
    container_name: 'vault'
    # Vault comes back sealed after a restart unless auto-unseal is set up
    # in vault.hcl (not shown here); plan for the unseal step.
    restart: 'unless-stopped'
    ports:
      # Bound to localhost only — never expose Vault to the internet.
      # The 127.0.0.1 prefix limits the host side of the mapping. Inside the
      # container the listener must still bind a non-loopback address for
      # the published port to work — confirm in vault.hcl.
      - "127.0.0.1:8200:8200"
    environment:
      # Address the in-container vault CLI talks to.
      # NOTE(review): the http scheme means this hop is plaintext; tokens
      # and secrets are unencrypted on it. Presumably the listener in
      # vault.hcl has TLS disabled — confirm that is intended.
      VAULT_ADDR: "http://127.0.0.1:8200"
    cap_add:
      # Lets Vault mlock its memory so secrets are not swapped to disk.
      # The only capability added; not needed if vault.hcl sets
      # disable_mlock — confirm.
      - 'IPC_LOCK'
    volumes:
      # Named volume, so the data under /vault/data outlives the container.
      - 'vault_data:/vault/data'
      # Server config is mounted read-only, so the container cannot
      # rewrite its own configuration.
      - './config/vault.hcl:/vault/config/vault.hcl:ro'
    command: 'server -config=/vault/config/vault.hcl'
    healthcheck:
      # `vault status` exits 0 when unsealed, 2 when sealed and 1 on error.
      # Docker treats any non-zero exit as a failure, so a sealed Vault
      # shows as unhealthy until it is unsealed.
      test:
        - "CMD"
        - "vault"
        - "status"
        - "-address=http://127.0.0.1:8200"
      interval: '30s'
      timeout: '5s'
      retries: 3
      start_period: '10s'

volumes:
  vault_data:
    # Fixed name, so Compose does not prefix it with the project name.
    name: 'vault_data'