version: '3.9'

x-release-labels: &release-labels
  com.stellaops.profile: 'sealed-ci'
  com.stellaops.airgap.mode: 'sealed'

networks:
  sealed-ci:
    driver: bridge

volumes:
  sealed-mongo-data:

services:
  mongo:
    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
    command: ['mongod', '--bind_ip_all']
    restart: unless-stopped
    environment:
      MONGO_INITDB_ROOT_USERNAME: sealedci
      MONGO_INITDB_ROOT_PASSWORD: sealedci-secret
    volumes:
      - sealed-mongo-data:/data/db
    networks:
      - sealed-ci
    labels: *release-labels

  authority:
    image: registry.stella-ops.org/stellaops/authority@sha256:a8e8faec44a579aa5714e58be835f25575710430b1ad2ccd1282a018cd9ffcdd
    depends_on:
      - mongo
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: http://+:5088
      STELLAOPS_AUTHORITY__ISSUER: http://authority.sealed-ci.local
      STELLAOPS_AUTHORITY__MONGO__CONNECTIONSTRING: mongodb://sealedci:sealedci-secret@mongo:27017/authority?authSource=admin
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: /app/plugins
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: /app/plugins
      STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__DPOP__ENABLED: 'true'
      STELLAOPS_AUTHORITY__SECURITY__SENDERCONSTRAINTS__MTLS__ENABLED: 'true'
      STELLAOPS_AUTHORITY__AIRGAP__EGRESS__MODE: Sealed
    volumes:
      - ./authority.harness.yaml:/etc/authority.yaml:ro
      - ./plugins:/app/plugins:ro
      - ../../../certificates:/certificates:ro
    ports:
      - '5088:5088'
    networks:
      - sealed-ci
    labels: *release-labels

  signer:
    image: registry.stella-ops.org/stellaops/signer@sha256:8bfef9a75783883d49fc18e3566553934e970b00ee090abee9cb110d2d5c3298
    depends_on:
      - authority
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: http://+:6088
      SIGNER__AUTHORITY__BASEURL: http://authority:5088
      SIGNER__POE__INTROSPECTURL: http://authority:5088/device-code
      SIGNER__STORAGE__MONGO__CONNECTIONSTRING: mongodb://sealedci:sealedci-secret@mongo:27017/signer?authSource=admin
      SIGNER__SEALED__MODE: Enabled
    ports:
      - '6088:6088'
    networks:
      - sealed-ci
    labels: *release-labels

  attestor:
    image: registry.stella-ops.org/stellaops/attestor@sha256:5cc417948c029da01dccf36e4645d961a3f6d8de7e62fe98d845f07cd2282114
    depends_on:
      - signer
    restart: unless-stopped
    environment:
      ASPNETCORE_URLS: http://+:7088
      ATTESTOR__SIGNER__BASEURL: http://signer:6088
      ATTESTOR__MONGO__CONNECTIONSTRING: mongodb://sealedci:sealedci-secret@mongo:27017/attestor?authSource=admin
      ATTESTOR__SEALED__MODE: Enabled
    ports:
      - '7088:7088'
    networks:
      - sealed-ci
    labels: *release-labels