Add Docker Compose configuration for Fleet service with MySQL and Redis

This commit is contained in:
Nikholas Pcenicni
2026-02-13 00:32:19 -05:00
parent 797aa2e514
commit 2eb458a169
2 changed files with 167 additions and 0 deletions


@@ -0,0 +1,48 @@
# MySQL Configuration
MYSQL_ROOT_PASSWORD=change_this_root_password
MYSQL_DATABASE=fleet
MYSQL_USER=fleet
MYSQL_PASSWORD=change_this_fleet_password
# Fleet Server Configuration
# Generate a random key with: openssl rand -base64 32
FLEET_SERVER_PRIVATE_KEY=change_this_private_key
# Fleet HTTP Listener Configuration
FLEET_SERVER_ADDRESS=0.0.0.0
FLEET_SERVER_PORT=1337
# TLS Configuration
# Set to 'true' if Fleet handles TLS directly (requires certificates in ./certs/)
# Set to 'false' if using a reverse proxy or load balancer for TLS termination
FLEET_SERVER_TLS=false
# TLS Certificate paths (only needed if FLEET_SERVER_TLS=true)
FLEET_SERVER_CERT=/fleet/fleet.crt
FLEET_SERVER_KEY=/fleet/fleet.key
# Fleet License (optional - leave empty for free tier)
FLEET_LICENSE_KEY=
# Fleet Session & Logging
FLEET_SESSION_DURATION=24h
FLEET_LOGGING_JSON=true
# Fleet Osquery Configuration
FLEET_OSQUERY_STATUS_LOG_PLUGIN=filesystem
FLEET_FILESYSTEM_STATUS_LOG_FILE=/logs/osqueryd.status.log
FLEET_FILESYSTEM_RESULT_LOG_FILE=/logs/osqueryd.results.log
FLEET_OSQUERY_LABEL_UPDATE_INTERVAL=1h
# Fleet Vulnerabilities
FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS=yes
FLEET_VULNERABILITIES_DATABASES_PATH=/vulndb
FLEET_VULNERABILITIES_PERIODICITY=1h
# S3 Configuration (optional - leave empty if not using S3)
FLEET_S3_SOFTWARE_INSTALLERS_BUCKET=
FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID=
FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY=
FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE=
FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL=
FLEET_S3_SOFTWARE_INSTALLERS_REGION=
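Review bot: The three placeholder secrets at the top of this file (`MYSQL_ROOT_PASSWORD=change_this_root_password`, `MYSQL_PASSWORD=change_this_fleet_password`, `FLEET_SERVER_PRIVATE_KEY=change_this_private_key`) are valid, non-empty values, so a deployment that forgets to edit them starts successfully with well-known credentials instead of failing; the compose file in this same commit also publishes MySQL on the host, so that root password would be reachable from the network. Shipping them empty (`MYSQL_ROOT_PASSWORD=`, `MYSQL_PASSWORD=`, `FLEET_SERVER_PRIVATE_KEY=`) and guarding them with `${VAR:?...}` interpolation on the compose side turns a forgotten edit into a hard startup error, and the existing `openssl rand -base64 32` comment already tells the operator what to put there. `FLEET_SERVER_TLS=false` combined with `FLEET_SERVER_ADDRESS=0.0.0.0` means the UI/API and osquery enrollment traffic are served in plaintext on every interface unless a reverse proxy really is in front, so a comment like `# WARNING: with TLS=false, never expose FLEET_SERVER_PORT to untrusted networks; terminate TLS in a proxy` above `FLEET_SERVER_TLS=false` would make the assumption explicit. If this file is intended as a template, it should be named `.env.example` with the real `.env` kept out of version control, since anything committed here is the value `docker compose` will actually use.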


@@ -0,0 +1,119 @@
volumes:
mysql:
redis:
data:
logs:
vulndb:
services:
mysql:
image: mysql:8
platform: linux/x86_64
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- MYSQL_DATABASE=${MYSQL_DATABASE}
- MYSQL_USER=${MYSQL_USER}
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
volumes:
- mysql:/var/lib/mysql
cap_add:
- SYS_NICE
healthcheck:
test:
[
"CMD-SHELL",
"mysqladmin ping -h 127.0.0.1 -u$$MYSQL_USER -p$$MYSQL_PASSWORD --silent || exit 1",
]
interval: 10s
timeout: 5s
retries: 12
ports:
- "3306:3306"
restart: unless-stopped
redis:
image: redis:6
command: ["redis-server", "--appendonly", "yes"]
volumes:
- redis:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 12
ports:
- "6379:6379"
restart: unless-stopped
fleet-init:
image: alpine:latest
volumes:
- logs:/logs
- data:/data
- vulndb:/vulndb
command: sh -c "chown -R 100:101 /logs /data /vulndb"
fleet:
image: fleetdm/fleet
platform: linux/x86_64
depends_on:
mysql:
condition: service_healthy
redis:
condition: service_healthy
fleet-init:
condition: service_completed_successfully
command: sh -c "/usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve"
environment:
# In-cluster service addresses (no hostnames/ports on the host)
- FLEET_REDIS_ADDRESS=redis:6379
- FLEET_MYSQL_ADDRESS=mysql:3306
- FLEET_MYSQL_DATABASE=${MYSQL_DATABASE}
- FLEET_MYSQL_USERNAME=${MYSQL_USER}
- FLEET_MYSQL_PASSWORD=${MYSQL_PASSWORD}
# Fleet HTTP listener
- FLEET_SERVER_ADDRESS=${FLEET_SERVER_ADDRESS}:${FLEET_SERVER_PORT}
- FLEET_SERVER_TLS=${FLEET_SERVER_TLS}
# TLS Certificate paths (only needed if FLEET_SERVER_TLS=true)
- FLEET_SERVER_CERT=${FLEET_SERVER_CERT}
- FLEET_SERVER_KEY=${FLEET_SERVER_KEY}
# Secrets
- FLEET_SERVER_PRIVATE_KEY=${FLEET_SERVER_PRIVATE_KEY} # Run 'openssl rand -base64 32' to generate
- FLEET_LICENSE_KEY=${FLEET_LICENSE_KEY}
# System tuning & other options
- FLEET_SESSION_DURATION=${FLEET_SESSION_DURATION}
- FLEET_LOGGING_JSON=${FLEET_LOGGING_JSON}
- FLEET_OSQUERY_STATUS_LOG_PLUGIN=${FLEET_OSQUERY_STATUS_LOG_PLUGIN}
- FLEET_FILESYSTEM_STATUS_LOG_FILE=${FLEET_FILESYSTEM_STATUS_LOG_FILE}
- FLEET_FILESYSTEM_RESULT_LOG_FILE=${FLEET_FILESYSTEM_RESULT_LOG_FILE}
- FLEET_OSQUERY_LABEL_UPDATE_INTERVAL=${FLEET_OSQUERY_LABEL_UPDATE_INTERVAL}
- FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS=${FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS}
- FLEET_VULNERABILITIES_DATABASES_PATH=${FLEET_VULNERABILITIES_DATABASES_PATH}
- FLEET_VULNERABILITIES_PERIODICITY=${FLEET_VULNERABILITIES_PERIODICITY}
# Optional S3 info
- FLEET_S3_SOFTWARE_INSTALLERS_BUCKET=${FLEET_S3_SOFTWARE_INSTALLERS_BUCKET}
- FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID=${FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID}
- FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY=${FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY}
- FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE=${FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE}
# Override FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL when using a different S3 compatible
# object storage backend (such as RustFS) or running S3 locally with localstack.
# Leave this blank to use the default S3 service endpoint.
- FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL=${FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL}
# RustFS users should set FLEET_S3_SOFTWARE_INSTALLERS_REGION to any nonempty value (eg. localhost)
# to short-circuit region discovery
- FLEET_S3_SOFTWARE_INSTALLERS_REGION=${FLEET_S3_SOFTWARE_INSTALLERS_REGION}
ports:
- "${FLEET_SERVER_PORT}:${FLEET_SERVER_PORT}" # UI/API
volumes:
- data:/fleet
- logs:/logs
- vulndb:${FLEET_VULNERABILITIES_DATABASES_PATH}
# - ./certs/fleet.crt:/fleet/fleet.crt:ro
# - ./certs/fleet.key:/fleet/fleet.key:ro
healthcheck:
test:
["CMD", "wget", "-qO-", "http://127.0.0.1:${FLEET_SERVER_PORT}/healthz"]
interval: 10s
timeout: 5s
retries: 12
restart: unless-stopped
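Review bot: The `ports` entries `"3306:3306"` and `"6379:6379"` publish MySQL and Redis on every host interface, although Fleet already reaches both over the compose network (`FLEET_REDIS_ADDRESS=redis:6379`, `FLEET_MYSQL_ADDRESS=mysql:3306`, per the "In-cluster service addresses" comment), and the Redis service is started with no authentication at all (`redis-server --appendonly yes`). Drop both `ports` stanzas, or at minimum restrict them to loopback for local debugging: `- "127.0.0.1:3306:3306"` and `- "127.0.0.1:6379:6379"`. The credential interpolations are bare `${MYSQL_ROOT_PASSWORD}` / `${MYSQL_PASSWORD}` / `${FLEET_SERVER_PRIVATE_KEY}`, so an unset variable silently becomes an empty string; `${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD in .env}` makes that a startup error instead. The fleet healthcheck always probes `http://127.0.0.1:${FLEET_SERVER_PORT}/healthz`, which presumably stops working once `FLEET_SERVER_TLS=true` because the listener then serves HTTPS on that port, so either note that limitation in the comment or make the scheme follow the TLS flag. Finally, `fleetdm/fleet` (no tag) and `alpine:latest` are unpinned images, so each `docker compose pull` may fetch a different build; pin a version tag or digest for both.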