From 12ea1a8bcded59eed7a6a61fe5326a1f1bee73c2 Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Mon, 23 Mar 2026 09:34:40 -0300
Subject: [PATCH] docs(readme): add healthcheck and openbao-init to override
 example

The previous example lacked:
- healthcheck on the openbao service (required for depends_on condition)
- openbao-init one-shot service to create the 'nfse' KV v2 mount and
  enable AppRole auth automatically on first start
- networks: internal on mailpit service
- env var interpolation form (${VAR:-default}) for the dev token

Without this init step, any module operation that writes or reads PFX
secrets fails because the 'nfse' mount does not exist in OpenBao.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 README.md | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index ad0e2a0..34a68fd 100644
--- a/README.md
+++ b/README.md
@@ -38,14 +38,36 @@ services:
     image: openbao/openbao:latest
     command: server -dev
     environment:
-      BAO_DEV_ROOT_TOKEN_ID: dev-only-root-token
-      BAO_DEV_LISTEN_ADDRESS: 0.0.0.0:8200
+      - BAO_DEV_ROOT_TOKEN_ID=${OPENBAO_DEV_TOKEN:-dev-only-root-token}
+      - BAO_DEV_LISTEN_ADDRESS=0.0.0.0:8200
     cap_add:
       - IPC_LOCK
     ports:
       - 127.0.0.1:8200:8200
-    networks:
-      - internal
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8200/v1/sys/health"]
+      interval: 5s
+      timeout: 3s
+      retries: 12
+      start_period: 5s
+
+  # One-shot init: creates the 'nfse' KV v2 mount and enables AppRole auth.
+  # Runs once after openbao is healthy; idempotent (|| true) so safe on restart.
+  openbao-init:
+    image: openbao/openbao:latest
+    depends_on:
+      openbao:
+        condition: service_healthy
+    environment:
+      - BAO_ADDR=http://openbao:8200
+      - BAO_TOKEN=${OPENBAO_DEV_TOKEN:-dev-only-root-token}
+    command: >
+      sh -c "
+        bao secrets enable -path=nfse kv-v2 2>/dev/null || true &&
+        bao auth enable approle 2>/dev/null || true &&
+        echo 'OpenBao: mount nfse (kv-v2) e AppRole habilitados.'
+      "
+    restart: on-failure
 
   dufs:
     image: sigoden/dufs:latest
@@ -54,8 +76,6 @@ services:
       - ./volumes/webdav:/data
     ports:
       - 127.0.0.1:5000:5000
-    networks:
-      - internal
 ```
 
 > **PS**: After finish setup you will see two `.env` files: one on root of repository only used to setup Akaunting and other on `volumes/akaunting/.env`