Several changes and updated formatting

* Update ElasticSearch and Kibana version * Remove nginx config and cert generation for use of reverse proxy on host * Replace geoip updater with crazymax image * Update formatting to have unix line endings * Rename docker-compose.yml to compose.yml * Add explicit network to compose.yml for use with ipv6 (optional)
2021-10-17 20:33:59 +02:00 · 2021-10-17 20:33:59 +02:00 · dd4bbc4b22
parent af71a46479
commit dd4bbc4b22
6 changed files with 126 additions and 168 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,110 +1,110 @@
-version: '2.4'
+services:
-
+  parsedmarc-init:
-services:
+    image: patschi/parsedmarc:init
-  parsedmarc-init:
+    container_name: parsedmarc-init
-    image: patschi/parsedmarc:init
+    build:
-    restart: always
+      context: ./data/Dockerfiles/parsedmarc-init
-    volumes:
+      dockerfile: Dockerfile
-      - ./data/conf/parsedmarc/:/etc/parsedmarc/:rw
+    restart: unless-stopped
-      - ./data/conf/nginx/ssl/:/etc/nginx/ssl/:rw
+    volumes:
-      - ./data/data/elasticsearch:/usr/share/elasticsearch/data/:rw
+      - ./data/conf/parsedmarc/:/etc/parsedmarc/:rw
-    networks:
+      - ./data/data/elasticsearch:/usr/share/elasticsearch/data/:rw
-      - parsedmarc-network
+    networks:
-    healthcheck:
+      - parsedmarc
-      test: [ "CMD", "test", "-f", "/ready" ]
+    healthcheck:
-      interval: 10s
+      test: [ "CMD", "test", "-f", "/ready" ]
-      timeout: 5s
+      interval: 10s
-      retries: 9999
+      timeout: 5s
-      start_period: 10s
+      retries: 9999
-
+      start_period: 10s
-  parsedmarc:
+  parsedmarc:
-    image: patschi/parsedmarc:latest
+    image: patschi/parsedmarc:latest
-    volumes:
+    container_name: parsedmarc
-      - ./data/conf/parsedmarc/:/etc/parsedmarc/
+    build:
-      - ./data/data/geoipupdate/:/usr/share/GeoIP:z,ro
+      context: ./data/Dockerfiles/parsedmarc
-    restart: always
+      dockerfile: Dockerfile
-    networks:
+    volumes:
-      - parsedmarc-network
+      - ./data/conf/parsedmarc/:/etc/parsedmarc/
-    depends_on:
+      - ./data/data/geoipupdate:/usr/share/GeoIP:z,ro
-      elasticsearch:
+    restart: unless-stopped
-        condition: service_healthy
+    networks:
-
+      - parsedmarc
-  elasticsearch:
+    depends_on:
-    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.8.1
+      elasticsearch:
-    environment:
+        condition: service_healthy
-      - cluster.name=parsedmarc
+
-      - discovery.type=single-node
+  elasticsearch:
-      - bootstrap.memory_lock=true
+    image: docker.elastic.co/elasticsearch/elasticsearch:7.15.0
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    container_name: parsedmarc-elasticsearch
-    ulimits:
+    environment:
-      memlock:
+      - xpack.security.enabled=false
-        soft: -1
+      - cluster.name=parsedmarc
-        hard: -1
+      - discovery.type=single-node
-    volumes:
+      - bootstrap.memory_lock=true
-      - ./data/data/elasticsearch:/usr/share/elasticsearch/data/
+      - "ES_JAVA_OPTS=-Xms256m -Xmx256m"
-    restart: always
+    ulimits:
-    networks:
+      memlock:
-      - parsedmarc-network
+        soft: -1
-    expose: # only expose docker-internally
+        hard: -1
-      - 9200
+    volumes:
-    healthcheck:
+      - ./data/data/elasticsearch:/usr/share/elasticsearch/data/
-      test: [ "CMD", "curl","-s" ,"-f", "http://localhost:9200/_cat/health" ]
+    restart: unless-stopped
-      interval: 1m
+    networks:
-      timeout: 10s
+      - parsedmarc
-      retries: 3
+    expose: # only expose docker-internally
-      start_period: 30s
+      - 9200
-    depends_on:
+    healthcheck:
-      parsedmarc-init:
+      test: [ "CMD", "curl","-s" ,"-f", "http://localhost:9200/_cat/health" ]
-        condition: service_started
+      interval: 1m
-
+      timeout: 10s
-  kibana:
+      retries: 3
-    image: docker.elastic.co/kibana/kibana-oss:7.8.1
+      start_period: 30s
-    environment:
+    depends_on:
-      - elasticsearch.hosts=http://elasticsearch:9200
+      parsedmarc-init:
-      - telemetry.enabled=false
+        condition: service_started
-      - telemetry.optIn=false
+  kibana:
-    expose: # only expose docker-internally
+    image: docker.elastic.co/kibana/kibana:7.15.0
-      - 5601
+    container_name: parsedmarc-kibana
-    restart: always
+    environment:
-    networks:
+      - elasticsearch.hosts=http://elasticsearch:9200
-      - parsedmarc-network
+      - telemetry.enabled=false
-    depends_on:
+      - telemetry.optIn=false
-      elasticsearch:
+    expose: # only expose docker-internally
-        condition: service_healthy
+      - 5601
-    healthcheck:
+    ports:
-      test: [ "CMD", "curl","-s" ,"-f", "http://localhost:5601/" ]
+      - "127.0.0.1:5601:5601"
-      interval: 1m
+      - "[::1]:5601:5601"
-      timeout: 10s
+    restart: unless-stopped
-      retries: 3
+    networks:
-      start_period: 30s
+      - parsedmarc
-
+    depends_on:
-  geoipupdate:
+      elasticsearch:
-    image: maxmindinc/geoipupdate
+        condition: service_healthy
-    env_file:
+    healthcheck:
-      - geoipupdate.env
+      test: [ "CMD", "curl","-s" ,"-f", "http://localhost:5601/" ]
-    environment:
+      interval: 1m
-      - "GEOIPUPDATE_EDITION_IDS=GeoLite2-ASN GeoLite2-City GeoLite2-Country"
+      timeout: 10s
-      - GEOIPUPDATE_PRESERVE_FILE_TIMES=1
+      retries: 3
-    restart: always
+      start_period: 30s
-    volumes:
+  geoipupdate:
-      - ./data/data/geoipupdate/:/usr/share/GeoIP:z,rw
+    image: crazymax/geoip-updater:latest
-
+    container_name: parsedmarc-geoipupdate
-  nginx:
+    volumes:
-    image: nginx:alpine
+      - ./data/data/geoipupdate:/data:z,rw
-    restart: always
+    env_file:
-    ports:
+      - ./data/conf/geoipupdate.env
-      - "9999:443"
+    networks:
-    volumes:
+      - parsedmarc
-      - ./data/conf/nginx/site.conf:/etc/nginx/conf.d/default.conf:ro
+    restart: unless-stopped
-      - ./data/conf/nginx/ssl/:/etc/nginx/ssl/:ro
+
-    networks:
+networks:
-      - parsedmarc-network
+  parsedmarc:
-    depends_on:
+    name: "parsedmarc"
-      kibana:
+    driver: bridge
-        condition: service_healthy
+    driver_opts:
-      parsedmarc-init:
+      com.docker.network.bridge.name: br-parsedmarc
-        condition: service_healthy
+    enable_ipv6: true
-
+    ipam:
-networks:
+      config:
-  parsedmarc-network:
+        - subnet: 172.18.0.0/29
-    driver: bridge
+        - subnet: fd00:1720:180::/64
--- a/data/Dockerfiles/parsedmarc-init/Dockerfile
+++ b/data/Dockerfiles/parsedmarc-init/Dockerfile
@ -1,8 +1,8 @@
-FROM alpine:latest
+FROM alpine:latest
-
+
-ADD start.sh /start.sh
+ADD start.sh /start.sh
-
+
-RUN apk add --no-cache curl openssl jq bash \
+RUN apk add --no-cache curl jq bash \
-    && chmod +x /start.sh
+    && chmod +x /start.sh
-
+
-ENTRYPOINT [ "/start.sh" ]
+ENTRYPOINT [ "/start.sh" ]
--- a/data/Dockerfiles/parsedmarc-init/start.sh
+++ b/data/Dockerfiles/parsedmarc-init/start.sh
@ -8,16 +8,6 @@ echo "Setting permissions..."
 chmod g+rwx -R /usr/share/elasticsearch/data/
 chgrp 0 -R /usr/share/elasticsearch/data/
 echo "## NGINX"
 echo "Checking nginx certs..."
 cd /etc/nginx/ssl/
 if [ ! -f "/etc/nginx/ssl/kibana.crt" ] || [ ! -f "/etc/nginx/ssl/kibana.key" ]; then
 	echo "No certs found. Generating..."
 	openssl req -x509 -nodes -days 365 -newkey rsa:3072 -keyout kibana.key -out kibana.crt \
 		-subj "/CN=parsedmarc" -addext "subjectAltName=DNS:parsedmarc"
 	echo "Certs generated."
 fi
 echo "## KIBANA"
 exportFile="/etc/parsedmarc/kibana_export.ndjson"
 if [ ! -f "${exportFile}" ]; then
--- a/data/conf/geoipupdate.env
+++ b/data/conf/geoipupdate.env
@ -0,0 +1,7 @@
 TZ=Europe/Berlin
 EDITION_IDS="GeoLite2-ASN,GeoLite2-City,GeoLite2-Country"
 LICENSE_KEY=abc1234
 DOWNLOAD_PATH="/data"
 SCHEDULE="0 0 * * 0"
 LOG_LEVEL=warn
 LOG_JSON=false
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@ -1,39 +0,0 @@
 server {
 	listen 443 ssl http2;
 	server_name _ default_server;
 	ssl_certificate /etc/nginx/ssl/kibana.crt;
 	ssl_certificate_key /etc/nginx/ssl/kibana.key;
 	server_tokens off;
 	ssl_session_timeout 1d;
 	ssl_session_cache shared:SSL:15m;
 	ssl_session_tickets off;
 	# modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
 	add_header X-Frame-Options SAMEORIGIN;
 	add_header X-Content-Type-Options nosniff;
 	# Uncomment this next line if you are using a signed, trusted cert
 	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
 	#auth_basic "Login required";
 	#auth_basic_user_file /etc/nginx/htpasswd;
 	location / {
 		proxy_pass http://kibana:5601;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 	}
 }
 server {
 	listen 80;
 	return 301 https://$host$request_uri;
 }
--- a/data/conf/parsedmarc/config.sample.ini
+++ b/data/conf/parsedmarc/config.sample.ini
@ -15,7 +15,7 @@ ssl = True
 # advanced
 watch = True
-archive_folder = Processed
+#archive_folder = Processed
 delete = False
 # advanced advanced