Deployment changes (#144)

* Move environment variables and defaults to backend

* Remove pre-built certs

* Move everything to a single node instance

* Add dev environment

* Updated README.md

* Add package lock

* Add build step files

* Change to correct path

* Move all data to a single directory

* Correct Dockerfile paths

* Ensure https only engages when files are present

* Split more/less volatile files for faster builds

* Fix permissions on node files

README.md

@@ -63,16 +63,12 @@ systemctl restart docker
 
 ```bash
 #  Clone the CoPilot repository
-git clone https://github.com/socfortress/CoPilot
-cd CoPilot
+wget https://raw.githubusercontent.com/socfortress/CoPilot/v0.0.2/docker-compose.yml
 
-# Copy the environment file
-cp .env.example .env
+# Edit the docker-compose.yml file to set the server name and/or the services you want to use
 
-# Make your changes to the .env file
-
-# Build the copilot-frontend image
-bash build-dockers.sh
+# Create the path for storing your data
+mkdir data
 
 # Run Copilot
 docker compose up -d
@@ -84,6 +80,35 @@ By default, an `admin` account is created. The password is printed in stdout the
 
 🚀 **YouTube Tutorial:** [SOCFortress CoPilot - Getting Started](https://youtu.be/hu1X9MCW7j0)
 
+#### SSL
+By default Copilot uses a self-signed certificate valid for 365 days from install. You can replace the certificate and
+key files with your own.  These files should be mounted in the `copilot-frontend` container and you can set the path to
+your certificate and key files in the `docker-compose.yml` file using the `TLS_CERT_PATH` and `TLS_KEY_PATH`
+respectively.
+
+For Example
+```bash
+# Generate a certificate e.g.
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
+```
+
+Then update the `docker-compose.yml` file to mount the certificate and key files and set the `TLS_CERT_PATH` and `TLS_KEY_PATH` environment variables.
+```yaml
+    copilot-frontend:
+      image: ghcr.io/socfortress/copilot-frontend:latest
+      volumes:
+        - PATH_TO_YOUR_CERTS:/etc/letsencrypt
+      environment:
+        - SERVER_HOST=${SERVER_HOST:-localhost} # Set the domain name of your server
+        - TLS_CERT_PATH=/etc/letsencrypt/live/${SERVER_HOST}/fullchain.pem # Set the path to your certificate
+        - TLS_KEY_PATH=/etc/letsencrypt/live/${SERVER_HOST}/privkey.pem # Set the path to your key
+      ports:
+        - "80:80"
+        - "443:443"
+```
+
+```yaml
+
 ### Upgrading Copilot
 
 🛠 You will likely want to upgrade often as we are frequently pushing new changes.
@@ -92,16 +117,7 @@ To upgrade Copilot, you will need to stop the running container, pull the latest
 
 ```bash
 # Stop the running container. Make sure you are in the CoPilot directory
-docker compose down
-
-# Pull the latest code from the repository
-git pull
-
-# Build the copilot-frontend image
-bash build-dockers.sh
-
-# Pull the latest copilot-backend image
-docker pull ghcr.io/socfortress/copilot-backend:latest
+docker compose pull
 
 # Start the container again
 docker compose up -d

backend/Dockerfile

@@ -50,5 +50,57 @@ RUN mkdir file-store
 # Expose ports
 EXPOSE 5000
 
+ENV SERVER_IP=0.0.0.0
+
+# Connector Credentials
+# ! SETTING UP YOUR CONNECTORS DEMOs https://www.youtube.com/@taylorwalton_socfortress/videos! #
+ENV WAZUH_INDEXER_URL=https://1.1.1.1:9200
+ENV WAZUH_INDEXER_USERNAME=admin
+ENV WAZUH_INDEXER_PASSWORD=admin
+
+ENV WAZUH_MANAGER_URL=https://1.1.1.1
+ENV WAZUH_MANAGER_USERNAME=dummy
+ENV WAZUH_MANAGER_PASSWORD=dummy
+
+ENV GRAYLOG_URL=http://1.1.1.1
+ENV GRAYLOG_USERNAME=dummy
+ENV GRAYLOG_PASSWORD=dummy
+
+ENV SHUFFLE_URL=https://1.1.1.1
+ENV SHUFFLER_API_KEY=dummy
+
+ENV DFIR_IRIS_URL=https://1.1.1.1
+ENV DFIR_IRIS_API_KEY=dummy
+
+ENV VELOCIRAPTOR_URL=https://1.1.1.1
+ENV VELOCIRAPTOR_API_KEY_PATH=dummy
+
+ENV SUBLIME_URL=http://1.1.1.1
+ENV SUBLIME_API_KEY=dummy
+
+ENV INFLUXDB_URL=http://1.1.1.1
+ENV INFLUXDB_API_KEY=dummy
+ENV INFLUXDB_ORG_AND_BUCKET=dummy,dummy
+
+ENV ASKSOCFORTRESS_URL=https://knowledge.socfortress.co
+ENV ASKSOCFORTRESS_API_KEY=dummy
+
+ENV SOCFORTRESSTHREATINTEL_URL=https://intel.socfortress.co/search
+ENV SOCFORTRESSTHREATINTEL_API_KEY=dummy
+
+ENV CORTEX_URL=http://1.1.1.1
+ENV CORTEX_API_KEY=dummy
+
+ENV GRAFANA_URL=http://1.1.1.1
+ENV GRAFANA_USERNAME=dummy
+ENV GRAFANA_PASSWORD=dummy
+
+ENV WAZUH_WORKER_PROVISIONING_URL=http://1.1.1.1
+
+ENV EVENT_SHIPPER_URL=graylog_host
+ENV GELF_INPUT_PORT=gelf_port
+
+ENV ALERT_CREATION_PROVISIONING_URL=http://1.1.1.1
+
 # Run your application
 CMD ["sh", "-c", "ls -la && /opt/venv/bin/python copilot.py"]

data/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

docker-compose.dev.yml

@@ -0,0 +1,28 @@
+version: "2"
+
+services:
+    copilot-backend:
+      build:
+        context: backend
+        dockerfile: Dockerfile
+      volumes:
+          - ./data/copilot-backend-data/logs:/opt/logs
+          # Mount the copilot.db file to persist the database
+          - ./data/data:/opt/copilot/backend/data
+
+    copilot-frontend:
+      build:
+        context: frontend
+        dockerfile: Dockerfile
+        target: dev
+      volumes:
+        - ./frontend:/app
+      environment:
+          - SERVER_HOST=${SERVER_HOST:-localhost} # Set the domain name of your server
+      ports:
+        - "80:80"
+        - "5173:5173"
+
+networks:
+    default:
+        driver: bridge

docker-compose.yml

@@ -2,66 +2,19 @@ version: "2"
 
 services:
     copilot-backend:
-        container_name: copilot-backend
-        image: ghcr.io/socfortress/copilot-backend:latest
-        ports:
-            - 5000:5000
-        volumes:
-            - ./docker-env/copilot-backend-data/logs:/opt/logs
-            # Mount the copilot.db file to persist the database
-            - ./backend/data:/opt/copilot/backend/data
-        env_file: .env
-        environment:
-            SERVER_IP: ${SERVER_IP}
-            WAZUH_INDEXER_URL: ${WAZUH_INDEXER_URL}
-            WAZUH_INDEXER_USERNAME: ${WAZUH_INDEXER_USERNAME}
-            WAZUH_INDEXER_PASSWORD: ${WAZUH_INDEXER_PASSWORD}
-            WAZUH_MANAGER_URL: ${WAZUH_MANAGER_URL}
-            WAZUH_MANAGER_USERNAME: ${WAZUH_MANAGER_USERNAME}
-            WAZUH_MANAGER_PASSWORD: ${WAZUH_MANAGER_PASSWORD}
-            GRAYLOG_URL: ${GRAYLOG_URL}
-            GRAYLOG_USERNAME: ${GRAYLOG_USERNAME}
-            GRAYLOG_PASSWORD: ${GRAYLOG_PASSWORD}
-            SHUFFLE_URL: ${SHUFFLE_URL}
-            SHUFFLER_API_KEY: ${SHUFFLER_API_KEY}
-            DFIR_IRIS_URL: ${DFIR_IRIS_URL}
-            DFIR_IRIS_API_KEY: ${DFIR_IRIS_API_KEY}
-            VELOCIRAPTOR_URL: ${VELOCIRAPTOR_URL}
-            VELOCIRAPTOR_API_KEY_PATH: ${VELOCIRAPTOR_API_KEY_PATH}
-            SUBLIME_URL: ${SUBLIME_URL}
-            SUBLIME_API_KEY: ${SUBLIME_API_KEY}
-            INFLUXDB_URL: ${INFLUXDB_URL}
-            INFLUXDB_API_KEY: ${INFLUXDB_API_KEY}
-            INFLUXDB_ORG_AND_BUCKET: ${INFLUXDB_ORG_AND_BUCKET}
-            ASKSOCFORTRESS_URL: ${ASKSOCFORTRESS_URL}
-            ASKSOCFORTRESS_API_KEY: ${ASKSOCFORTRESS_API_KEY}
-            SOCFORTRESSTHREATINTEL_URL: ${SOCFORTRESSTHREATINTEL_URL}
-            SOCFORTRESSTHREATINTEL_API_KEY: ${SOCFORTRESSTHREATINTEL_API_KEY}
-            CORTEX_URL: ${CORTEX_URL}
-            CORTEX_API_KEY: ${CORTEX_API_KEY}
-            GRAFANA_URL: ${GRAFANA_URL}
-            GRAFANA_USERNAME: ${GRAFANA_USERNAME}
-            GRAFANA_PASSWORD: ${GRAFANA_PASSWORD}
-            WAZUH_WORKER_PROVISIONING_URL: ${WAZUH_WORKER_PROVISIONING_URL}
+      image: ghcr.io/socfortress/copilot-backend:latest
+      volumes:
+          - ./data/copilot-backend-data/logs:/opt/logs
+          # Mount the copilot.db file to persist the database
+          - ./data/data:/opt/copilot/backend/data
 
     copilot-frontend:
-        container_name: copilot-frontend
-        image: socfortress/copilot-frontend:latest
-
-    copilot-nginx:
-        image: nginx
-        container_name: copilot-nginx
-        ports:
-            - 80:80
-            - 443:443
-        volumes:
-            - ./nginx/nginx.conf:/etc/nginx/nginx.conf
-            - ./nginx/server.key:/etc/nginx/certs.d/server.key
-            - ./nginx/server.crt:/etc/nginx/certs.d/server.crt
-        restart: always
-        depends_on:
-            - copilot-backend
-            - copilot-frontend
+      image: ghcr.io/socfortress/copilot-frontend:latest
+      environment:
+        - SERVER_HOST=${SERVER_HOST:-localhost} # Set the domain name of your server
+      ports:
+        - "80:80"
+        - "443:443"
 
 networks:
     default:

frontend/.dockerignore

@@ -1 +1,2 @@
 node_modules
+dist

frontend/Dockerfile

@@ -1,26 +1,58 @@
 # Use a node.js base image
 FROM node:21 as builder
 
-# Set the working directory
-WORKDIR /
+# Drop root
+USER node
 
-# Copy project files into the working directory
-COPY . .
+# Set the working directory
+WORKDIR /app
 
+# Copy the package.json and package-lock.json files into the working directory
+COPY package.json package-lock.json ./
 # Install project dependencies
-RUN npm install
+RUN npm ci
+
+# Copy project files into the working directory
+COPY --chown=node . .
 
 # Run the Vue.js project build
 RUN npm run build-only
 
+FROM node:21 as dev
+
+RUN apt-get update && apt-get install -y openssl
+
+RUN mkdir -p /certs &  \
+        openssl req -x509 -subj "/CN=localhost" -nodes -newkey rsa:4096 -keyout /certs/key.pem -out /certs/cert.pem -days 365 && \
+        chown -R node:node /certs
+
+# Drop root
+USER node
+
+# Set the working directory
+WORKDIR /app
+
+CMD npm i && npm run start-vue
+
 FROM nginx:1.24.0-alpine
 
-# Copy custom Nginx configuration
-COPY nginx.conf /etc/nginx/nginx.conf
+# Added to create self-signed cert on run time if needed
+RUN apk add openssl
 
-# Copy built static files from the builder stage
-COPY --from=builder dist /usr/share/nginx/html
+# Set environment variables
+ENV SERVER_HOST=localhost
+ENV TLS_CERT_PATH=/etc/nginx/certs.d/server.crt
+ENV TLS_KEY_PATH=/etc/nginx/certs.d/server.key
+
+# Copy entrypoint
+COPY build/docker-entrypoint.d/90-copilot-ssl.sh /docker-entrypoint.d/90-copilot-ssl.sh
+RUN chmod +x /docker-entrypoint.d/90-copilot-ssl.sh
 
-EXPOSE 2000
+# Setup template
+RUN mkdir /etc/nginx/templates
+COPY build/etc/nginx/sites-enabled/default.conf /etc/nginx/templates/default.conf.template
+
+# Copy built static files from the builder stage
+COPY --from=builder /app/dist /var/www/copilot
 
 CMD ["nginx", "-g", "daemon off;"]

frontend/build/docker-entrypoint.d/90-copilot-ssl.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+if [[ -z "${SERVER_HOST}" ]]; then
+    echo "No SERVER_HOST set!"
+    echo "Please set the SERVER_HOST environment variable to use CoPilot"
+    exit 1;
+else
+    echo "Host is now https://${SERVER_HOST}:${SERVER_PORT}"
+fi
+
+if [[ ! -f "${TLS_CERT_PATH}" || ! -f "${TLS_KEY_PATH}" ]]; then
+    echo "No TLS certs found. Generating...."
+    mkdir -p $(dirname "${TLS_CERT_PATH}")
+    openssl req -x509 -subj "/CN=${SERVER_HOST}" -nodes -newkey rsa:4096 -keyout "${TLS_KEY_PATH}" -out "${TLS_CERT_PATH}" -days 365
+else
+    echo "TLS certificates found"
+fi
+
+if [[ ! -f /etc/nginx/certs/dhparams.pem ]]; then
+    echo "Generating new DH parameters - this may take a while..."
+    mkdir -p /etc/nginx/certs/
+    openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
+else
+    echo "... DH parameters found"
+fi