docs(readme): add healthcheck and openbao-init to override example

vitormattos · vitormattos · commit ba5c90047029 · 2026-03-23T09:34:40.000-03:00
The previous example lacked:
- healthcheck on the openbao service (required for depends_on condition)
- openbao-init one-shot service to create the 'nfse' KV v2 mount and
  enable AppRole auth automatically on first start
- networks: internal on mailpit service
- env var interpolation form (${VAR:-default}) for the dev token

Without this init step, any module operation that writes or reads PFX
secrets fails because the 'nfse' mount does not exist in OpenBao.

Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -33,19 +33,47 @@ services:
     ports:
       - 127.0.0.1:8025:8025
       - 127.0.0.1:1025:1025
+    networks:
+      - internal
 
   openbao:
     image: openbao/openbao:latest
     command: server -dev
     environment:
-      BAO_DEV_ROOT_TOKEN_ID: dev-only-root-token
-      BAO_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
+      - BAO_DEV_ROOT_TOKEN_ID=${OPENBAO_DEV_TOKEN:-dev-only-root-token}
+      - BAO_DEV_LISTEN_ADDRESS=0.0.0.0:8200
     cap_add:
       - IPC_LOCK
     ports:
       - 127.0.0.1:8200:8200
     networks:
       - internal
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8200/v1/sys/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 12
+      start_period: 5s
+
+  # One-shot init: creates the 'nfse' KV v2 mount and enables AppRole auth.
+  # Runs once after openbao is healthy; idempotent (|| true) so safe on restart.
+  openbao-init:
+    image: openbao/openbao:latest
+    depends_on:
+      openbao:
+        condition: service_healthy
+    environment:
+      - BAO_ADDR=http://openbao:8200
+      - BAO_TOKEN=${OPENBAO_DEV_TOKEN:-dev-only-root-token}
+    command: >
+      sh -c "
+        bao secrets enable -path=nfse kv-v2 2>/dev/null || true &&
+        bao auth enable approle 2>/dev/null || true &&
+        echo 'OpenBao: mount nfse (kv-v2) e AppRole habilitados.'
+      "
+    restart: on-failure
+    networks:
+      - internal
 
   dufs:
     image: sigoden/dufs:latest
