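services:
  # ── Reverse proxy (core redirector) ─────────────────────────────────
  # Publishes 80 and 443 on every host interface. Host port 80 is also
  # bound by the optional certbot service (standalone HTTP-01), so the
  # proxy and certbot cannot hold it at the same time — see the
  # Let's Encrypt notes below.
  proxy:
    build: .
    container_name: infraguard-proxy
    restart: unless-stopped
    env_file: .env
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - ./config:/app/config:ro
      - ./examples:/app/examples:ro
      - ./rules:/app/rules:ro
      - ./pages:/app/pages:ro
      - ./data:/app/data  # read-write; the dashboard mounts the same dir rw
      - certs:/app/certs:ro
      - geoip:/app/geoip:ro
    command: ["run", "-c", "/app/config/config.yaml", "--port", "443"]
    healthcheck:
      # Loopback probe of the TLS listener started with --port 443 above.
      # The listener is reached by IP, so hostname/chain verification is
      # switched off for this local probe only, via the public ssl API
      # rather than the private ssl._create_unverified_context(). A hung
      # probe gives up at 5s, inside the 10s healthcheck budget.
      test:
        - CMD
        - python3
        - -c
        - >-
          import os, ssl, urllib.request;
          ctx = ssl.create_default_context();
          ctx.check_hostname = False;
          ctx.verify_mode = ssl.CERT_NONE;
          p = os.environ.get('INFRAGUARD_HEALTH_PATH', 'health');
          urllib.request.urlopen(f'https://127.0.0.1:443/{p}', context=ctx, timeout=5)
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 15s
    networks:
      - infraguard

  # ── Web dashboard ───────────────────────────────────────────────────
  # Started only once the proxy reports healthy. 8080 is published on all
  # host interfaces; use "127.0.0.1:8080:8080" if the UI is only reached
  # locally or through the proxy.
  dashboard:
    build: .
    container_name: infraguard-dashboard
    restart: unless-stopped
    env_file: .env
    ports:
      - "8080:8080"
    volumes:
      - ./config:/app/config:ro
      - ./examples:/app/examples:ro
      - ./data:/app/data
      - certs:/app/certs:ro
      - geoip:/app/geoip:ro
    command: ["dashboard", "-c", "/app/config/config.yaml", "--tls"]
    depends_on:
      proxy:
        condition: service_healthy
    networks:
      - infraguard

  # ── Let's Encrypt (optional) ────────────────────────────────────────
  # Automatically obtains and renews TLS certificates via certbot.
  # Enable by setting INFRAGUARD_LETSENCRYPT=true in .env.
  #
  # Requirements:
  #   - Port 80 must be reachable from the internet
  #   - INFRAGUARD_DOMAIN must resolve to this host
  #   - INFRAGUARD_DOMAIN_EMAIL must be a valid email
  #
  # Certs are written to the shared "certs" volume at:
  #   /etc/letsencrypt/live/${INFRAGUARD_DOMAIN}/fullchain.pem
  #   /etc/letsencrypt/live/${INFRAGUARD_DOMAIN}/privkey.pem
  #
  # After first run, restart the proxy to pick up the new certs.
  #   docker compose --profile letsencrypt up certbot
  #
  # NOTE(review): --standalone makes certbot bind host port 80 itself,
  # which the proxy service also publishes. Run the first issuance before
  # the proxy is up (or stop it), and expect `certbot renew` in
  # certbot-renew to fail while the proxy holds port 80. The certbot-www
  # volume is mounted but unused by the standalone flow; switching to
  # `--webroot -w /var/www/certbot` would require the proxy to mount that
  # volume and serve /.well-known/acme-challenge/ from it.
  # The "latest" tag is mutable; pin a version or digest
  # (e.g. certbot/certbot:<VERSION>) so upgrades are deliberate.
  certbot:
    image: certbot/certbot:latest
    container_name: infraguard-certbot
    profiles: ["letsencrypt"]
    env_file: .env
    volumes:
      - certs:/etc/letsencrypt
      - certbot-www:/var/www/certbot
    entrypoint: /bin/sh
    # $$ is Compose's escape for a literal $, so the shell — not Compose —
    # expands these from the container environment loaded via env_file.
    # The expansions are quoted so an empty or space-containing value
    # cannot split into extra certbot arguments.
    command:
      - -c
      - |
        if [ "$${INFRAGUARD_LETSENCRYPT}" = "true" ]; then
          certbot certonly --standalone \
            --non-interactive --agree-tos \
            --email "$${INFRAGUARD_DOMAIN_EMAIL}" \
            -d "$${INFRAGUARD_DOMAIN}" \
            --preferred-challenges http \
          && echo "Certificate obtained for $${INFRAGUARD_DOMAIN}"
        else
          echo "Let's Encrypt disabled (INFRAGUARD_LETSENCRYPT != true)"
        fi
    ports:
      - "80:80"
    networks:
      - infraguard

  # Renewal runs on a schedule (every 12 hours = 43200 s).
  # Starts once `certbot` has exited 0 — which includes the "disabled"
  # path above, where the loop simply has nothing to renew. With --quiet
  # only errors reach the container log. No restart policy is set, so if
  # the loop dies the service stays down until started again.
  certbot-renew:
    image: certbot/certbot:latest
    container_name: infraguard-certbot-renew
    profiles: ["letsencrypt"]
    env_file: .env
    volumes:
      - certs:/etc/letsencrypt
      - certbot-www:/var/www/certbot
    entrypoint: /bin/sh
    command:
      - -c
      - |
        trap exit TERM
        while :; do
          certbot renew --quiet
          sleep 43200
        done
    depends_on:
      certbot:
        condition: service_completed_successfully
    networks:
      - infraguard

  # ── GeoIP database downloader ────────────────────────────────────────
  # Downloads GeoLite2 databases from GitHub on first run.
  # Run with: docker compose up geoip-update
  # Databases are stored in the "geoip" volume at /geoip/*.mmdb
  #
  # NOTE(review): the files come from a third-party redistribution
  # (P3TERX/GeoLite.mmdb) over HTTPS with no checksum or signature check;
  # whatever lands in the volume is consumed as-is by proxy and dashboard.
  # The "latest" image tag is mutable; pin a version or digest.
  geoip-update:
    image: alpine/curl:latest
    container_name: infraguard-geoip-update
    profiles: ["geoip"]
    volumes:
      - geoip:/geoip
    entrypoint: /bin/sh
    # set -e aborts on the first failed download and curl -f fails on HTTP
    # errors instead of saving an error page as an .mmdb, so a partial run
    # exits non-zero rather than printing "Done.".
    command:
      - -c
      - |
        set -eu
        echo "Downloading GeoLite2 databases..."
        base="https://github.com/P3TERX/GeoLite.mmdb/raw/download"
        for db in City ASN Country; do
          curl -fsSL -o "/geoip/GeoLite2-$${db}.mmdb" "$${base}/GeoLite2-$${db}.mmdb"
          echo " $${db} DB downloaded"
        done
        ls -lh /geoip/*.mmdb
        echo "Done."

  # ── Additional redirector node (scale with --scale proxy-node=N) ────
  # Uncomment to run extra redirector instances behind a load balancer.
  #
  # proxy-node:
  #   build: .
  #   restart: unless-stopped
  #   env_file: .env
  #   ports:
  #     - "443"
  #   volumes:
  #     - ./config:/app/config:ro
  #     - ./examples:/app/examples:ro
  #     - ./data:/app/data
  #     - certs:/app/certs:ro
  #   command: ["run", "-c", "/app/config/config.yaml"]
  #   networks:
  #     - infraguard
  #   deploy:
  #     replicas: 2

  # ── Command Post (multi-instance aggregator) ─────────────────────────
  # Aggregates stats, requests, and live events from multiple InfraGuard
  # instances into a single dashboard.
  # Enable with: docker compose --profile command-post up -d command-post
  # Access at: http://localhost:9090
  # The documented access URL is plain HTTP and the port is published on
  # every host interface; bind it to loopback ("127.0.0.1:9090:9090") or
  # front it with the proxy unless remote instances must reach it directly.
  command-post:
    build: .
    container_name: infraguard-command-post
    profiles: ["command-post"]
    restart: unless-stopped
    env_file: .env
    ports:
      - "9090:9090"
    volumes:
      - ./config:/app/config:ro
      - certs:/app/certs:ro
    command: ["command-post", "-c", "/app/config/command-post.yaml", "--port", "9090"]
    networks:
      - infraguard

  # ── PwnDrop payload delivery (optional) ──────────────────────────────
  # Self-hosted file hosting for serving payloads via content routes.
  # Enable with: docker compose --profile pwndrop up -d pwndrop
  # Access PwnDrop UI at https://localhost:8443
  # InfraGuard reaches it internally at http://pwndrop:80
  # 8443 is published on every host interface; prefer "127.0.0.1:8443:443"
  # when the UI is only used locally. pwndrop.ini is mounted read-write —
  # presumably the app updates it; confirm before adding :ro.
  pwndrop:
    build:
      context: ./vendor/pwndrop
      dockerfile: Dockerfile
    container_name: infraguard-pwndrop
    profiles: ["pwndrop"]
    restart: unless-stopped
    env_file: .env
    ports:
      - "8443:443"
    volumes:
      - pwndrop-data:/pwndrop/data
      - certs:/pwndrop/certs:ro
      - ./config/pwndrop.ini:/pwndrop/pwndrop.ini
    networks:
      - infraguard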
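volumes:
  # TLS material: written by certbot/certbot-renew (/etc/letsencrypt),
  # mounted read-only by proxy, dashboard, command-post and pwndrop.
  certs: {}
  # ACME webroot mounted by certbot and certbot-renew.
  certbot-www: {}
  # GeoLite2 .mmdb files written by geoip-update, read-only for proxy
  # and dashboard.
  geoip: {}
  # PwnDrop application data (/pwndrop/data).
  pwndrop-data: {}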
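networks:
  # Single bridge network joined by every service above; it is the only
  # path between containers (e.g. dashboard -> proxy, proxy -> pwndrop:80).
  infraguard:
    driver: bridge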