-
Notifications
You must be signed in to change notification settings - Fork 9
/
compose.yaml
159 lines (154 loc) · 7.15 KB
/
compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
version: "3"
services:
postfix-tx:
# our latest tags point to the latest release version
image: ghcr.io/scvenus/peekabooav-postfix:edge
environment:
- POSTFIX_MAIN_CF_MAILLOG_FILE=/dev/stdout
- POSTFIX_MAIN_CF_INET_INTERFACES=all
- POSTFIX_MAIN_CF_MYHOSTNAME=postfix-tx
- POSTFIX_MAIN_CF_RELAY_DOMAINS=$$mydestination, postfix-rx, postfix-rx.peekabooav-installer_default
- POSTFIX_MAIN_CF_QUEUE_RUN_DELAY=90s
ports:
- "127.0.0.1:8025:25"
elasticsearch:
image: elasticsearch:7.16.2
environment:
- http.host=0.0.0.0
- discovery.type=single-node
- script.allowed_types=inline
- thread_pool.search.queue_size=100000
- thread_pool.write.queue_size=10000
# 2g is default; 1g seems to be enough in development
- ES_HEAP_SIZE=1g
- xpack.security.enabled=false
- cluster.routing.allocation.disk.watermark.flood_stage=99%
- TAKE_FILE_OWNERSHIP=1
volumes:
- ./pipeline/data/elastic:/usr/share/elasticsearch/data
cortex:
image: thehiveproject/cortex:3.1.4
env_file:
- compose.env
volumes:
- ./cortex/application.conf:/etc/cortex/application.conf
- ./cortex/analyzers.json:/etc/cortex/analyzers.json
- /var/run/docker.sock:/var/run/docker.sock
- ${PWD}/pipeline/data/jobs:${PWD}/pipeline/data/jobs
depends_on:
- elasticsearch
ports:
- "127.0.0.1:9001:9001"
# healthy if job list request, either errors with 520 by not being set up, or with 401 because we are not passing any credentials
healthcheck:
test: |
curl -s -H "Authorization: Bearer $$PEEKABOO_CORTEX_API_TOKEN" \
-o /dev/null -w %{http_code} http://localhost:9001/api/job | \
grep -e '^200$$' -e '^520$$'
interval: 30s
timeout: 30s
retries: 3
start_period: 30s
cortex-setup:
image: ghcr.io/scvenus/peekabooav-cortex-setup:edge
env_file:
- compose.env
depends_on:
cortex:
# this approach is not endorsed by docker since file version 3
# additionally this functionality is not stated on the docker website,
# but this is https://docs.docker.com/compose/startup-order/.
# if you want to use the 'script way' instead of 'half documented options'
# you can e.g. make use of this script https://gist.github.com/Sett17/665a5126e27716863c90ab09d07e7715
condition: service_healthy
restart: on-failure
mariadb:
image: mariadb:10.3
env_file:
- compose.env
volumes:
- ./pipeline/data/mysql:/var/lib/mysql
healthcheck:
test: "/usr/bin/mysql --user=peekaboo --password=peekaboo --execute \"SHOW DATABASES;\""
interval: 20s
timeout: 2s
retries: 5
peekabooav:
image: ghcr.io/scvenus/peekabooav:edge
env_file:
- compose.env
volumes:
- ./pipeline/peekaboo/ruleset.conf.d/10-compose.conf:/opt/peekaboo/etc/ruleset.conf.d/10-compose.conf
depends_on:
cortex-setup:
condition: service_completed_successfully
mariadb:
condition: service_healthy
stop_grace_period: 1m15s
ports:
- "127.0.0.1:8100:8100"
# ordinarily, rspamd uses redis, but this is only needed tofor some functionality
# as we only want/need peekabooav to work redis is not needed
# although if it is present, the peekaboo module does use it to cache data
# for anything more than a showcase, please run a redis alongside rspamd
rspamd:
image: ghcr.io/scvenus/peekabooav-rspamd:edge
environment:
RSPAMD_ENABLED_MODULES: "external_services force_actions"
RSPAMD_CONFIG_options__filters_: ""
RSPAMD_CONFIG_external_services__peekaboo__servers: "peekabooav"
RSPAMD_CONFIG_external_services__peekaboo__min_size: 50
# Timeout call for some delay at main stage
RSPAMD_CONFIG_external_services__dcc__servers: "240.0.0.1"
RSPAMD_CONFIG_external_services__dcc__min_size: 50
RSPAMD_CONFIG_external_services__dcc__timeout: 2
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO__weight: "4.0"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO__description_: "The Peekaboo analysis found a threat"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO__01_groups_: "peekaboo"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO__02_groups_: "av_virus_reject"
# booleans need to be strings here in YAML but unquoted in the config
# file (so no trailing underscore to mark it as a string here)
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO__one_shot: "true"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_FAIL__weight: 0
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_FAIL__description_: "The Peekaboo analysis failed"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_FAIL__01_groups_: "peekaboo"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_FAIL__02_groups_: "av_scanner_failed"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_FAIL__one_shot: "true"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_IN_PROCESS__weight: 0
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_IN_PROCESS__description_: "The Peekaboo analysis was not finished"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_IN_PROCESS__01_groups_: "peekaboo"
RSPAMD_CONFIG_group__antivirus__symbols__PEEKABOO_IN_PROCESS__one_shot: "true"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO_IN_PROCESS__action_: "soft reject"
# dollar signs are escaped here
RSPAMD_CONFIG_force_actions__rules__PEEKABOO_IN_PROCESS__message_: "SOFT REJECT - try again later #412 (support-id: $${queueid}-$${uid.substring(1, 6)}"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO_IN_PROCESS__expression_: "PEEKABOO_IN_PROCESS"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO_IN_PROCESS__01_honor_action_: "reject"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__action_: "reject"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__message_: "REJECT - Peekaboo said it's bad (support-id: $${queueid}-$${uid.substring(1, 6)})"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__expression_: "PEEKABOO"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__01_require_action_: "no action"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__02_require_action_: "greylist"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__03_require_action_: "reject"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__04_require_action_: "add header"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__05_require_action_: "soft reject"
RSPAMD_CONFIG_force_actions__rules__PEEKABOO__06_require_action_: "rewrite subject"
depends_on:
- peekabooav
healthcheck:
test: "/usr/bin/rspamadm control stat || exit 1"
interval: 1m
timeout: 5s
retries: 5
start_period: 10s
postfix-rx:
image: ghcr.io/scvenus/peekabooav-postfix:edge
environment:
- POSTFIX_MAIN_CF_MAILLOG_FILE=/dev/stdout
- POSTFIX_MAIN_CF_INET_INTERFACES=all
- POSTFIX_MAIN_CF_MYHOSTNAME=postfix-rx
- POSTFIX_MAIN_CF_MILTER_PROTOCOL=6
- POSTFIX_MAIN_CF_MILTER_DEFAULT_ACTION=accept
- POSTFIX_MAIN_CF_SMTPD_MILTERS=inet:rspamd:11332
depends_on:
rspamd:
condition: service_healthy