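---
# Docker Compose Version 3.8+ is recommended for modern features.
# (Compose v2 only warns about the top-level `version` key; it is kept for older tooling.)
version: '3.8'

services:
  # The main application service, now more securely configured.
  app:
    # Build from the optimized Dockerfile we created earlier.
    build:
      context: .
      # Build args are recorded in the image metadata (`docker history`), so they must not carry
      # secrets. NUCLEI_API_KEY is therefore not passed here; it reaches the container at runtime
      # through the `nuclei_api_key` secret declared below (/run/secrets/nuclei_api_key).
      args:
        - HTB_OPENVPN_FILE=${HTB_OPENVPN_FILE}
    container_name: haxunit
    # The 'init' process helps with reaping zombie processes and signal handling.
    init: true
    # Use Docker Compose Profiles to conditionally start services like OpenVPN.
    # NOTE(review): a service that lists profiles is only started when one of them is activated
    # (`--profile <name>` or COMPOSE_PROFILES); 'default' is not a special profile name, so a
    # plain `docker compose up` will not start this service — confirm this is intended.
    profiles:
      - default
      - vpn
    # Instead of 'network_mode: host', we use a dedicated bridge network.
    # This provides crucial network isolation between containers and the host.
    # `network_mode: host` must not be combined with `networks`: Compose rejects the
    # combination, and host networking would undo this isolation.
    networks:
      - haxunit-net
    volumes:
      # For development: Mount source code for live-reloading.
      # For production: This line should be removed to use the code baked into the image.
      - .:/app:cached
      # For runtime state that should persist, use a named volume.
      - haxunit-data:/home/haxunit/.local/share
      # Mount the Docker socket only if the application must interact with the Docker API.
      # This is a high-privilege operation: control of the host's Docker daemon is equivalent to
      # root on the host and negates `cap_drop` and `user` below. Remove it unless required.
      # (With `user: "1000:1000"` the socket is only usable if that UID/GID may read/write it.)
      - /var/run/docker.sock:/var/run/docker.sock
    # --- SECRETS MANAGEMENT ---
    # Secrets are mounted as files in /run/secrets/, not exposed as environment variables.
    # Your application code must be updated to read secrets from these files.
    secrets:
      - wpscan_api_key
      - acunetix_api_key
      - nuclei_api_key
    # Environment variables should be for non-sensitive configuration.
    environment:
      # Default value must be unquoted: inside `${VAR:-...}` quotes are literal, so a default
      # written as `:-'high'` expands to the string 'high' including the quote characters.
      - ACUNETIX_THRESHOLD=${ACUNETIX_THRESHOLD:-high}
      - HTB_OPENVPN_FILE=${HTB_OPENVPN_FILE}
      # Transitional: duplicates the `wpscan_api_key` secret above. Remove this line once the
      # application reads /run/secrets/wpscan_api_key, so the key no longer lives in the
      # environment (visible via `docker inspect` and to every process in the container).
      - WPSCAN_API_KEY=${WPSCAN_API_KEY}
    # --- SECURITY CONTEXT ---
    # Running as a non-root user. The user 'haxunit' (UID 1000) should be created in the Dockerfile.
    user: "1000:1000"
    # Drop all capabilities by default and only add what is absolutely necessary.
    # CAP_NET_ADMIN is still required for OpenVPN.
    # NOTE(review): `cap_add` only widens the container's bounding set. Because the process runs
    # as UID 1000, OpenVPN can use NET_ADMIN only if the binary carries file capabilities (or the
    # entrypoint otherwise gains them) — confirm in the Dockerfile / docker-entrypoint.sh.
    cap_drop:
      - ALL
    cap_add:
      - NET_ADMIN
    # Required for OpenVPN.
    devices:
      - /dev/net/tun:/dev/net/tun
    # Pin the container's resolvers instead of inheriting the host's /etc/resolv.conf.
    dns:
      - 1.1.1.1
      - 1.0.0.1
    # --- RESOURCE MANAGEMENT ---
    # Prevent the container from consuming all host resources. Adjust values as needed.
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 2G
        reservations:
          cpus: '0.50'
          memory: 512M
    # --- HEALTHCHECK ---
    # A simple healthcheck to ensure the container is responsive.
    healthcheck:
      test: ["CMD", "tmux", "ls"]
      interval: 30s
      timeout: 10s
      retries: 3
    # A more robust entrypoint that manages the VPN connection.
    entrypoint: /app/docker-entrypoint.sh
    # The default command to run after the entrypoint.
    command: ["tail", "-f", "/dev/null"]
    # Start only after wpscan's healthcheck has passed.
    depends_on:
      wpscan:
        condition: service_healthy

  # The wpscan service, also isolated and secured.
  wpscan:
    # NOTE(review): untagged image resolves to `latest`; pin a tag or digest so the scanner
    # version is reproducible and upgrades are deliberate.
    image: wpscanteam/wpscan
    container_name: wpscan
    init: true
    networks:
      - haxunit-net
    # Secrets should be used here as well for the API key.
    secrets:
      - wpscan_api_key
    # This service likely doesn't need any special capabilities.
    cap_drop:
      - ALL
    # Healthcheck to ensure the service is ready before 'app' starts.
    healthcheck:
      test: ["CMD", "wpscan", "--version"]
      interval: 30s
      timeout: 10s
      retries: 3
    # Keep the container alive; scans are invoked explicitly.
    entrypoint: ["tail", "-f", "/dev/null"]
    environment:
      # Transitional: duplicates the `wpscan_api_key` secret; drop once the key is read from
      # /run/secrets/wpscan_api_key.
      - WPSCAN_API_KEY=${WPSCAN_API_KEY}

# --- NETWORKING ---
# Define a custom bridge network for controlled communication.
networks:
  haxunit-net:
    driver: bridge
    name: haxunit-net

# --- VOLUMES ---
# Define named volumes for persistent data.
volumes:
  haxunit-data:
    driver: local

# --- SECRETS ---
# Define secrets. The content is sourced from local files for better security.
# Keep ./secrets/ out of version control and readable only by the user running Compose.
secrets:
  wpscan_api_key:
    file: ./secrets/wpscan_api_key.txt
  acunetix_api_key:
    file: ./secrets/acunetix_api_key.txt
  nuclei_api_key:
    file: ./secrets/nuclei_api_key.txt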