docker-compose.yml

services:
  attack:
    hostname: attack.lab
    build:
      context: .
      dockerfile: build/kalilinux.Dockerfile
    image: 'csalab/csaf:kalilinux'
    restart: always
    profiles:
      - all
      - attackdefenselab
      - phisinglab
      - breachlab
      - soclab
    ports:
      - ${BIND_ADDR:-0.0.0.0}:6080:8080
    environment:
      - SHELL=/bin/bash
      - VNC_PASSWORD=${ATTACK_PASS:-attackpassword}
    networks:
      attack:
        ipv4_address: 10.0.0.100
      internal:
        ipv4_address: 10.0.5.100

  phising:
    hostname: phising.lab
    image: 'csalab/csaf:phising'
    build:
      context: .
      dockerfile: build/phising.Dockerfile
    restart: always
    profiles:
      - all
      - phisinglab
    environment:
      - WEBSITE=${PHISING_WEB:-https://gmail.com/}
    networks:
      attack:
        ipv4_address: 10.0.0.200

  server.lab:
    hostname: mail.server.lab
    image: 'csalab/iredmail:latest'
    restart: always
    profiles:
      - all
      - phisinglab
    environment:
      - HOSTNAME=mail.server.lab
      - FIRST_MAIL_DOMAIN=server.lab
      - FIRST_MAIL_DOMAIN_ADMIN_PASSWORD=${MAIL_PASS:-mailpassword}
      - MLMMJADMIN_API_TOKEN=CCmMymMpFH35K8Q0H3FQAsSRQzkSjCeazm+t1X27cdE=
      - ROUNDCUBE_DES_KEY=s9lVEEaiA+MmvYZvfi1k0WQNFiFmGOYI
    volumes:
      - iredmail_backup-mysql:/var/vmail/backup/mysql
      - iredmail_mailboxes:/var/vmail/vmail1
      - iredmail_mlmmj:/var/vmail/mlmmj
      - iredmail_mlmmj_archive:/var/vmail/mlmmj-archive
      - iredmail_imapsieve_copy:/var/vmail/imapsieve_copy
      - iredmail_custom:/opt/iredmail/custom
      - iredmail_ssl:/opt/iredmail/ssl
      - iredmail_mysql:/var/lib/mysql
      - iredmail_clamav:/var/lib/clamav
      - iredmail_sa_rules:/var/lib/spamassassin
      - iredmail_postfix_queue:/var/spool/postfix
    networks:
      attack:
        ipv4_address: 10.0.0.201
      defense:
        ipv4_address: 10.0.1.201
      monitor:
        ipv4_address: 10.0.3.201

  gophish:
    image: 'gophish/gophish:latest'
    hostname: gophish.lab
    restart: always
    profiles:
      - all
      - phisinglab
    environment:
      - GOPHISH_INITIAL_ADMIN_PASSWORD=${GOPHISH_PASS:-gophishpassword}
    volumes:
      - ./config/gophish/config.json:/opt/gophish/config.json
    networks:
      attack:
        ipv4_address: 10.0.0.202

  defense:
    hostname: defense.lab
    build:
      context: .
      dockerfile: build/kalilinux-slim.Dockerfile
    image: 'csalab/csaf:kalilinux-slim'
    restart: always
    profiles:
      - all
      - attackdefenselab
      - breachlab
    ports:
      - ${BIND_ADDR:-0.0.0.0}:7080:8080
    environment:
      - SHELL=/bin/bash
      - VNC_PASSWORD=${DEFENSE_PASS:-defensepassword}
    networks:
      defense:
        ipv4_address: 10.0.1.101
      public:
        ipv4_address: 10.0.2.101

  mariadb:
    image: 'mariadb:11.3.2'
    hostname: mariadb.lab
    restart: always
    profiles:
      - all
      - attackdefenselab
      - soclab
    environment:
      - MARIADB_DATABASE=dvwa
      - MARIADB_USER=dvwa
      - MARIADB_PASSWORD=dvwa
      - MARIADB_ROOT_PASSWORD=mariadbpassword
    volumes:
      - dvwa_mariadb:/var/lib/mysql
    networks:
      monitor:
        ipv4_address: 10.0.3.9

  dvwa:
    image: 'csalab/csaf:dvwa'
    hostname: dvwa.lab
    build:
      context: .
      dockerfile: build/dvwa.Dockerfile
    restart: always
    profiles:
      - all
      - attackdefenselab
      - breachlab
      - soclab
    volumes:
      - dvwa_data:/var/www/html
    depends_on:
      - mariadb
    networks:
      defense:
        ipv4_address: 10.0.1.10
      monitor:
        ipv4_address: 10.0.3.10

  dvwa_monitor:
    image: 'csalab/csaf:dvwa-secure'
    hostname: dvwa-monitor.lab
    build:
      context: .
      dockerfile: build/secure-dvwa.Dockerfile
    restart: always
    profiles:
      - all
      - attackdefenselab
      - soclab
    tmpfs:
      - /tmp:noexec,nosuid,nodev
      - /var/tmp:noexec,nosuid,nodev
      - /var/log/audit:noexec,nosuid,nodev
    volumes:
      - dvwa_monitor_data:/var/www/html
    depends_on:
      - mariadb
    networks:
      monitor:
        ipv4_address: 10.0.3.11

  dvwa_modsecurity:
    image: 'owasp/modsecurity-crs:apache'
    hostname: dvwa-modsecurity.lab
    restart: always
    healthcheck:
      disable: true
    profiles:
      - all
      - attackdefenselab
      - soclab
    user: root
    environment:
      - PORT=80
      - SSL_PORT=443
      - BACKEND=http://10.0.3.11:80
      - BACKEND_WS=ws://10.0.3.11:80
    volumes:
      - ./script/modsecurity.startup.sh:/docker-entrypoint.sh
    depends_on:
      - dvwa_monitor
    networks:
      internal:
        ipv4_address: 10.0.5.12
      monitor:
        ipv4_address: 10.0.3.12

  wackopicko:
    image: 'csalab/csaf:wackopicko'
    hostname: wackopicko.lab
    build:
      context: .
      dockerfile: build/wackopicko.Dockerfile
    restart: always
    profiles:
      - all
      - attackdefenselab
      - breachlab
      - soclab
    volumes:
      - wackopicko_web:/app
      - wackopicko_mysql:/var/lib/mysql
      - wackopicko_etc:/etc/mysql
    networks:
      defense:
        ipv4_address: 10.0.1.13
      internal:
        ipv4_address: 10.0.5.13
      public:
        ipv4_address: 10.0.2.13

  juiceshop:
    image: 'bkimminich/juice-shop:latest'
    hostname: juiceshop.lab
    restart: always
    profiles:
      - all
      - attackdefenselab
      - soclab
    environment:
      - PORT=80
    networks:
      defense:
        ipv4_address: 10.0.1.14

  gitea:
    image: 'csalab/csaf:gitea'
    build:
      context: .
      dockerfile: build/gitea.Dockerfile
    hostname: gitea.lab
    restart: always
    profiles:
      - all
      - attackdefenselab
    volumes:
      - gitea_data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      defense:
        ipv4_address: 10.0.1.20
    
  appsec-npm:
    hostname: openappsec.lab
    image: 'ghcr.io/openappsec/nginx-proxy-manager-attachment:latest'
    ipc: host
    restart: always
    profiles:
      - all
      - attackdefenselab
      - soclab
    volumes:
      - ./hosts:/etc/hosts
      - npm-data:/data
      - appsec-logs:/ext/appsec-logs
      - appsec-localconfig:/ext/appsec
    networks:
      internal:
        ipv4_address: 10.0.5.21
      defense:
        ipv4_address: 10.0.1.21
      monitor:
        ipv4_address: 10.0.3.21

  appsec-agent:
    image: 'ghcr.io/openappsec/agent:latest'
    ipc: host
    network_mode: service:appsec-npm
    restart: always
    profiles:
      - all
      - attackdefenselab
      - soclab
    environment:
      - user_email=admin@csalab.id
      - nginxproxymanager=true
      - autoPolicyLoad=true
    volumes:
      - ./hosts:/etc/hosts
      - appsec-config:/etc/cp/conf
      - appsec-data:/etc/cp/data
      - appsec-logs:/var/log/nano_agent
      - appsec-localconfig:/ext/appsec
    command: /cp-nano-agent --standalone

  monitor:
    hostname: monitor.lab
    build:
      context: .
      dockerfile: build/kalilinux-slim.Dockerfile
    image: 'csalab/csaf:kalilinux-slim'
    restart: always
    profiles:
      - all
      - soclab
    ports:
      - ${BIND_ADDR:-0.0.0.0}:8080:8080
    environment:
      - SHELL=/bin/bash
      - VNC_PASSWORD=${MONITOR_PASS:-monitorpassword}
    networks:
      monitor:
        ipv4_address: 10.0.3.102
      internet:
        ipv4_address: 10.0.4.102

  wazuh_manager:
    image: 'wazuh/wazuh-manager:4.8.0'
    hostname: wazuh-manager.lab
    restart: always
    profiles:
      - all
      - soclab
    environment:
      - INDEXER_URL=https://wazuh-indexer.lab:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh-manager.lab.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh-manager.lab-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
      - ./config/wazuh_cluster/local_rules.xml:/wazuh-config-mount/etc/rules/local_rules.xml
    depends_on:
      - dvwa
      - dvwa_monitor
    networks:
      monitor:
        ipv4_address: 10.0.3.30
      internet:
        ipv4_address: 10.0.4.30

  wazuh_indexer:
    image: 'wazuh/wazuh-indexer:4.8.0'
    hostname: wazuh-indexer.lab
    restart: always
    profiles:
      - all
      - soclab
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh-indexer.lab-key.pem:/usr/share/wazuh-indexer/certs/wazuh-indexer.lab.key
      - ./config/wazuh_indexer_ssl_certs/wazuh-indexer.lab.pem:/usr/share/wazuh-indexer/certs/wazuh-indexer.lab.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
    networks:
      monitor:
        ipv4_address: 10.0.3.31

  wazuh_dashboard:
    image: 'wazuh/wazuh-dashboard:4.8.0'
    hostname: wazuh-dashboard.lab
    restart: always
    profiles:
      - all
      - soclab
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh-manager.lab
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh-dashboard.lab.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh-dashboard.lab-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
    depends_on:
      - wazuh_indexer
      - wazuh_manager
    networks:
      monitor:
        ipv4_address: 10.0.3.32
      internet:
        ipv4_address: 10.0.4.32

  splunk:
    hostname: splunk.lab
    image: 'splunk/splunk:9.2.1'
    restart: always
    healthcheck:
      disable: true
    profiles:
      - all
      - soclab
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=${SPLUNK_PASS:-splunkpassword}
    volumes:
      - ./config/splunk/web.conf:/opt/splunk/etc/system/local/web.conf
      - splunk_etc:/opt/splunk/etc
      - splunk_var:/opt/splunk/var
    depends_on:
      - dvwa
      - dvwa_monitor
    networks:
      monitor:
        ipv4_address: 10.0.3.40
      internet:
        ipv4_address: 10.0.4.40

  infectionmonkey:
    hostname: infectionmonkey.lab
    build:
      context: .
      dockerfile: build/infectionmonkey.Dockerfile
    image: 'csalab/csaf:infectionmonkey'
    restart: always
    profiles:
      - all
      - breachlab
    volumes:
      - infectionmonkey:/opt/infectionmonkey
    depends_on:
      - mongodb
    networks:
      attack:
        ipv4_address: 10.0.0.110
      defense:
        ipv4_address: 10.0.1.110

  mongodb:
    image: 'mongo:7.0.8'
    hostname: mongodb.lab
    restart: always
    profiles:
      - all
      - breachlab
    volumes:
      - mongodb_db:/data/db
      - mongodb_configdb:/data/configdb
    networks:
      attack:
        ipv4_address: 10.0.0.111

  caldera:
    hostname: caldera.lab
    build:
      context: .
      dockerfile: build/caldera.Dockerfile
    image: 'csalab/csaf:caldera'
    restart: always
    profiles:
      - all
      - breachlab
    volumes:
      - ./config/caldera/local.yml:/usr/src/app/conf/local.yml
      - caldera:/usr/src/app
    networks:
      attack:
        ipv4_address: 10.0.0.113
      defense:
        ipv4_address: 10.0.1.113

networks:
  attack:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/24
          gateway: 10.0.0.1

  defense:
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 10.0.1.0/24
          gateway: 10.0.1.1

  public:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.2.0/24
          gateway: 10.0.2.1

  monitor:
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 10.0.3.0/24
          gateway: 10.0.3.1

  internet:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.4.0/24
          gateway: 10.0.4.1

  internal:
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 10.0.5.0/24
          gateway: 10.0.5.1

volumes:
  filebeat_etc: {}
  filebeat_var: {}
  wazuh_api_configuration: {}
  wazuh_etc: {}
  wazuh_logs: {}
  wazuh_queue: {}
  wazuh_var_multigroups: {}
  wazuh_integrations: {}
  wazuh_active_response: {}
  wazuh_agentless: {}
  wazuh_wodles: {}
  wazuh-indexer-data: {}
  iredmail_backup-mysql: {}
  iredmail_mailboxes: {}
  iredmail_mlmmj: {}
  iredmail_mlmmj_archive: {}
  iredmail_imapsieve_copy: {}
  iredmail_custom: {}
  iredmail_ssl: {}
  iredmail_mysql: {}
  iredmail_clamav: {}
  iredmail_sa_rules: {}
  iredmail_postfix_queue: {}
  splunk_etc: {}
  splunk_var: {}
  gitea_data: {}
  dvwa_data: {}
  dvwa_monitor_data: {}
  dvwa_mariadb: {}
  wackopicko_web: {}
  wackopicko_mysql: {}
  wackopicko_etc: {}
  infectionmonkey: {}
  mongodb_db: {}
  mongodb_configdb: {}
  caldera: {}
  npm-data: {}
  appsec-config: {}
  appsec-data: {}
  appsec-logs: {}
  appsec-localconfig: {}