revised approach

fleetdm/compose.yml

@@ -0,0 +1,56 @@
+services:
+  db:
+    image: mysql
+    restart: unless-stopped
+    platform: linux/x86_64
+    volumes:
+      - ./mysql/data:/var/lib/mysql
+    env_file: mysql/default.env
+    cap_add:
+      - SYS_NICE
+    #    ports:
+    #      - 3306:3306
+    networks:
+      - default
+
+  broker:
+    image: redis
+    restart: unless-stopped
+    #    ports:
+    #      - 6379:6379
+    networks:
+      - default
+
+  service:
+    image: fleetdm/fleet
+    restart: unless-stopped
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.fleet.entrypoints=websecure
+      - traefik.http.routers.fleet.rule=Host(`fleet.rskio.com`)
+      - traefik.http.routers.fleet.middlewares=secureHeaders@file
+      - traefik.http.routers.fleet.tls=true
+      - traefik.http.routers.fleet.tls.options=external@file
+      - traefik.http.routers.fleet.service=fleet@docker
+      - traefik.http.services.fleet.loadbalancer.server.port=8412
+      - traefik.http.routers.fleet.tls.certresolver=rskio_certresolver
+    depends_on:
+      - db
+      - broker
+    platform: linux/x86_64
+    command: sh -c "/usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve"
+    env_file: fleet/default.env
+    ports:
+      - 8412:8412
+    volumes:
+      - ./fleet:/fleet/
+      - ./fleet/logs:/logs
+      - ./fleet/vulndb:/vulndb
+    networks:
+      - default
+      - traefik
+
+networks:
+  default: {}
+  traefik:
+    external: true

fleetdm/fleet/default.env

@@ -0,0 +1,38 @@
+# Mysql
+
+FLEET_MYSQL_ADDRESS="mysql:3306"
+FLEET_MYSQL_DATABASE="fleet"
+FLEET_MYSQL_USERNAME="fleet"
+FLEET_MYSQL_PASSWORD="fleet-mysql-pswd"
+
+# Redis
+
+FLEET_REDIS_ADDRESS="redis:6379"
+FLEET_SERVER_ADDRESS="0.0.0.0:8412"
+
+# TLS
+
+FLEET_SERVER_TLS=false #TLS is handled by traefik
+#FLEET_SERVER_CERT="fleet/tmp/server.cert"
+#FLEET_SERVER_KEY="fleet/tmp/server.key"
+
+# Logging
+
+FLEET_LOGGING_JSON="true"
+FLEET_OSQUERY_STATUS_LOG_PLUGIN="filesystem"
+FLEET_FILESYSTEM_STATUS_LOG_FILE="/logs/osqueryd.status.log"
+FLEET_OSQUERY_RESULT_LOG_PLUGIN="filesystem"
+FLEET_FILESYSTEM_RESULT_LOG_FILE="/logs/osqueryd.results.log"
+
+# If you have fleet premium, enter key and uncomment
+
+# FLEET_LICENSE_KEY=
+
+
+FLEET_OSQUERY_LABEL_UPDATE_INTERVAL="1m"
+
+# Vulnerabilities
+
+FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS="yes"
+FLEET_VULNERABILITIES_DATABASES_PATH="/vulndb"
+FLEET_VULNERABILITIES_PERIODICITY="5m"

fleetdm/mysql/default.env

@@ -0,0 +1,4 @@
+MYSQL_ROOT_PASSWORD="toor"
+MYSQL_DATABASE="fleet"
+MYSQL_USER="fleet"
+MYSQL_PASSWORD="fleet-mysql-pswd"