Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
124 commits
Select commit Hold shift + click to select a range
eb13c94
Fixed order of authentication methods for timeline filter endpoint.
fatpeppapig May 22, 2026
9c017a1
Merge pull request #1080 from fatpeppapig/timeline-filters
whikernel Jun 8, 2026
df0d245
[ADD] Datastore and my profile support v2
Jun 22, 2026
15620ad
[ADD] Added missing files
Jun 22, 2026
3b645f8
[ADD] Added search on all case elements
Jun 23, 2026
33ed252
[IMP] Improved global search
Jun 23, 2026
127817c
[ADD] v2 activities endpoint with paging, scope and filters
Jun 23, 2026
17fbbcc
[IMP] Deduplicate activities within a one-minute bucket
Jun 23, 2026
d919a62
[ADD] v2 endpoints for Dim (Celery) tasks listing and detail
Jun 23, 2026
650245d
[ADD] v2 endpoints for case close and reopen
Jun 23, 2026
a09128c
[FIX] Detach alert-shared IoCs before deleting a case
Jun 23, 2026
5bea50e
[IMP] Independent open/close date bounds for case filters
Jun 23, 2026
a66ec94
[ADD] v2 endpoints for managing modules and their hooks
Jun 24, 2026
113053d
[ADD] v2 endpoints for customer contacts CRUD and embed contacts in c…
Jun 24, 2026
0581e02
[FIX] Paginated v2 envelope returns the next page number instead of a…
Jun 24, 2026
b018489
[ADD] Search query parameter on the v2 customers listing endpoint
Jun 24, 2026
41a7c53
[ADD] v2 endpoints for the Case Objects taxonomy family backed by a s…
Jun 24, 2026
454855b
[ADD] v2 CRUD endpoints for case templates accepting plain JSON bodies
Jun 24, 2026
68d64af
[ADD] v2 endpoint exposing the introspected case template schema for …
Jun 24, 2026
bfbafd8
[ADD] v2 endpoints for report templates including render-against-case…
Jun 24, 2026
0c8314d
[ADD] v2 endpoint to replace a report template's file in place via mu…
Jun 24, 2026
d560ee6
[ADD] v2 access-control endpoints covering users, groups, members, ca…
Jun 24, 2026
8cbda59
[ADD] v2 read-only endpoints for severities, TLP, alert statuses + re…
Jun 24, 2026
33a98ff
[ADD] v2 server settings endpoints with versions block, partial-updat…
Jun 24, 2026
4f8b626
[UPD] Updated dash and activities
Jun 25, 2026
6bcff7b
[FIX] Fixed GHSA-g588-5gmf-p5cx by excluding MFA secrets and webauthn…
Jun 25, 2026
a749b40
[FIX] Fixed GHSA-w78h-mx7h-qm3h by allowlisting writable fields on us…
Jun 25, 2026
9abd933
[FIX] Fixed GHSA-vjc3-7jwv-j9qf by tightening the post-login next-url…
Jun 25, 2026
30ee619
[FIX] Fixed GHSA-qhqj-8qw6-wp8v by confining datastore file ops to DA…
Jun 25, 2026
7b8cd9f
[FIX] Fixed GHSA-8hwq-v6vm-9grr by blocking alert re-attribution and …
Jun 25, 2026
2a111d3
[FIX] Sanitised HTML custom attributes via bleach and forced unsafe d…
Jun 25, 2026
9c148a3
[FIX] Moved no-cache headers into the server block and added long-liv…
Jun 25, 2026
f83151c
[DEL] Removed GraphQL surface and dependencies — GHSA-3mxh-x92q-9r25
Jun 25, 2026
bf90172
[UPD] Bumped iris-webhooks to 1.0.9 and hardened docker base images w…
Jun 25, 2026
8ef6657
[FIX] Fixed access control ordering so group access overrides custome…
Jun 25, 2026
b73472a
[ADD] Added 'neq' and 'not_like' operators to the filter condition bu…
Jun 25, 2026
200adff
[FIX] Tagged alert comment edits as 'alerts' instead of 'events' so a…
Jun 25, 2026
20dafb4
[FIX] Hardened MFA flow with session-bound user, server-side secret, …
Jun 25, 2026
aeb77ba
[ADD] Added statistics_read and custom_dashboards_{read,write,share} …
Jun 25, 2026
d8b8b04
[UPD] Folded statistics_read into custom_dashboards_read so Statistic…
Jun 25, 2026
b08635b
[ADD] Added /api/v2/dashboard/kpis with the compact KPI block for the…
Jun 25, 2026
9f55272
[ADD] Added CustomDashboard and CustomDashboardWidget models with mig…
Jun 25, 2026
05351e1
[ADD] Added custom dashboard query engine schema and named-aggregatio…
Jun 25, 2026
b1b6fb2
[ADD] Added /api/v2/custom-dashboards endpoints for CRUD render schem…
Jun 25, 2026
fb8c1c0
[ADD] Added pytest suite for custom-dashboards CRUD render system-gua…
Jun 25, 2026
4f7fc62
[FIX] Imported ac_current_user_has_permission from blueprints.access_…
Jun 25, 2026
33e343e
[FIX] Deferred get_user import in business.access_controls to break c…
Jun 25, 2026
db3b4a7
[FIX] Reconciled pre-existing custom_dashboard table by adding missin…
Jun 25, 2026
f5545dc
[FIX] Accept is_system and filters_schema in CustomDashboardSchema an…
Jun 25, 2026
a6c56af
[FIX] Dropped duplicate group-column field from seed Statistics widge…
Jun 25, 2026
1de0da7
[IMP] Returned rendered widgets grouped by section so the view page c…
Jun 25, 2026
02b26d2
[FIX] Skipped duplicate-label projection in the query engine so widge…
Jun 25, 2026
3ab8326
[ADD] Added /api/v2/me/context endpoint returning iris_version demo_m…
Jun 26, 2026
480a2c3
[ADD] Added migration that idempotently creates the saved_filters tab…
Jun 26, 2026
78a5c61
[ADD] Added /api/v2/cases-filters endpoints (list create get update d…
Jun 26, 2026
45874c1
[IMP] Made the cases filter endpoint accept a recursive group tree ({…
Jun 26, 2026
f24377b
[FIX] Enforce ownership on saved-filter PUT and DELETE in both alerts…
Jun 26, 2026
4f836c1
[FIX] Made the alembic helper functions reuse op.get_bind() instead o…
Jun 26, 2026
10c22b8
[ADD] Added avatar_blob avatar_mime and avatar_updated_at columns to …
Jun 26, 2026
9fb8f87
[ADD] Added avatar endpoints (GET users id avatar for anyone authenti…
Jun 26, 2026
096b307
[FIX] Allowed blob: in img-src CSP nginx headers so authenticated ava…
Jun 26, 2026
76e76f5
[ADD] Exposed note revisions on v2 (list get delete restore) and adde…
Jun 26, 2026
9a45f88
[ADD] v2 admin endpoints for the CustomAttribute taxonomy
Jun 26, 2026
4ecb3b1
[ADD] expose has_mini_sidebar in /me/context and a PUT /me/preference…
Jun 26, 2026
181c25a
[ADD] v2 endpoints to list other cases where an IOC or asset was prev…
Jun 26, 2026
d39de57
[ADD] Enforce MFA verification on token-authenticated endpoints with …
Jun 27, 2026
217c179
[ADD] user followed cases + multiple named timelines per case
Jun 27, 2026
7dde6a9
[ADD] war room foundation: models, ACL, REST CRUD + case attachment +…
Jun 27, 2026
68b6e85
[ADD] war room chat/tasks/notes/timelines/graph/sitreps/datastore RES…
Jun 27, 2026
664ba34
[FIX] emit war-room activity events from REST mutations (attach/detac…
Jun 27, 2026
0d0d12a
[ADD] war room chat activity_type column + inference; classify case a…
Jun 27, 2026
f2b07da
[ADD] live-merge UserActivity into war-room stream; drop chat-side ac…
Jun 27, 2026
70bd342
[REM] war room graph board (models, REST, business, migration drop)
Jun 28, 2026
c723b23
[ADD] war room: customer name on case attachments, creator/closer att…
Jun 28, 2026
b9660f6
[ADD] more war-room slash commands (/decision /assign /detach /state …
Jun 28, 2026
d36b2e3
[FIX] war-room stream: explicit error on unknown / failing slash comm…
Jun 28, 2026
5073102
[ADD] war-room cases enrich (owner/dates/state/tasks) + /people endpo…
Jun 28, 2026
ff68fc5
[REM] /whoami slash command (low signal)
Jun 28, 2026
04da4ef
[FIX] add PATCH to CORS Access-Control-Allow-Methods (war-room update…
Jun 28, 2026
ba73209
[ADD] war-room timeline event PATCH + category column + drag-between-…
Jun 28, 2026
5b50a4f
[ADD] war-room Stream threads — parent_message_id + thread_title colu…
Jun 28, 2026
5c5d203
[FIX] war-room threads support probe — use fresh engine connection, d…
Jun 28, 2026
3d8eaef
[ADD] /api/v2/cases/{id}/access/me endpoint + allow read_only access …
Jun 29, 2026
a110918
[IMP] bump postgres image to 18-alpine + add pg12→pg18 migration scri…
Jun 29, 2026
0e94185
[IMP] threads-support probe queries the column directly on a fresh co…
Jun 29, 2026
2192458
[FIX] /me/followed-cases — use CaseSchemaForAPIV2 so dashboard tile g…
Jun 29, 2026
a29703a
[REM] evtx2splunk + iris_evtx module — drop the two wheels, evtxdump_…
Jun 29, 2026
7778e11
[FIX] PG18 PGDATA path — pin to /var/lib/postgresql/data/pgdata in co…
Jun 29, 2026
f0b0d40
[ADD] pass VITE_ALLOWED_HOSTS + make ORIGIN overridable in frontend s…
Jun 29, 2026
5807a91
[FIX] api_auth — return 401 instead of 500 when token/session referen…
Jul 1, 2026
92d7082
[ADD] search — case summaries as a new searchable type in /search
Jul 1, 2026
04a082d
[FIX] cases overview — Tags filter was silently dropped; wire it via …
Jul 1, 2026
a8b0aba
[FIX] post_init — only seed default group permissions on first creati…
Jul 1, 2026
0fa2f58
[FIX] AuthorizationGroupSchema — respect partial PATCH; don't wipe gr…
Jul 1, 2026
c8b441f
[IMP] war-room sitreps — publish is a state marker only; edit and del…
Jul 1, 2026
e440917
[ADD] war-room chat — /decision, /pin, /note as thread replies; trace…
Jul 1, 2026
f0e69a2
[FIX] alembic env — restore context.begin_transaction() so migrations…
Jul 2, 2026
480a2b5
[ADD] war-room archive — archived_at/by columns, list filter, archive…
Jul 2, 2026
8394a7a
[ADD] per-user preferences — user.preferences JSONB + /users/me/prefe…
Jul 2, 2026
2e81d73
[ADD] OIDC session→JWT exchange endpoint + provider discovery fallbac…
Jul 2, 2026
133f46a
[ADD] nginx cert autodetect + reload polling, CA-bundle drop-in dir, …
Jul 2, 2026
f24da09
[ADD] docker-compose.new-ui overlay + frontend Dockerfile for the Sve…
Jul 2, 2026
a13c96d
[ADD] notification core — notification/notification_setting tables + …
Jul 2, 2026
070ca03
[ADD] incidents + investigation flows (self-conditioned, alert/incide…
Jul 2, 2026
6580548
[FIX] enforce customer-scope authorisation on incident-rules + invest…
Jul 2, 2026
b898d8e
[IMP] incidents: comments, audit trail, incident_id alert filter, inc…
Jul 2, 2026
aaf8ca0
[ADD] mail: inbound ingest + outbound send with rules engine and secr…
Jul 2, 2026
ff58138
[FIX] pg12-to-pg18 upgrade: preserve hyphens in compose project name …
Jul 2, 2026
49455df
[IMP] activity log: cover war rooms + case timelines + admin modules,…
Jul 3, 2026
86a0589
[FIX] compose: disable adapter-node BODY_SIZE_LIMIT so multi-MB avata…
Jul 3, 2026
2422741
[FIX] notifications: drop /_diag endpoint and remove UserActivity.war…
Jul 3, 2026
662252f
[ADD] on_postload hooks for war room and incidents
Jul 3, 2026
683c9e4
Merge remote-tracking branch 'upstream/develop' into sync/upstream-20…
Che4ter Jul 7, 2026
3527099
[IMP] incidents: escalate/merge to case, propagate status to alerts, …
Jul 7, 2026
883b790
[ADD] incidents: correlation graph endpoint, unlink alert/incident fr…
Jul 7, 2026
f1d8483
[ADD] collab: server-side Yjs relay, per-doc rooms, socket JWT-in-aut…
Jul 7, 2026
103a296
Fix alembic multi-head merge, WarRoom mapper crash, and CSP worker-sr…
Che4ter Jul 7, 2026
bdcdd63
Merge remote-tracking branch 'upstream/develop' into sync/upstream-20…
Che4ter Jul 7, 2026
222c3c5
Fix war room deletion 500 by setting FK to SET NULL on delete
Che4ter Jul 7, 2026
f5e6ff5
Remove duplicate code blocks left over from the upstream merge
Che4ter Jul 7, 2026
82a1b57
[FIX] nginx: grant CAP_NET_BIND_SERVICE so non-root www-data can bind…
Che4ter Jul 7, 2026
871f920
[FIX] Clean up remaining merge artifacts caught by ruff
Che4ter Jul 7, 2026
cc7f652
[FIX] reports: use f-strings instead of .format() calls
Che4ter Jul 7, 2026
875d0b6
[FIX] nginx: don't crash at startup when the collab upstream is absent
Che4ter Jul 7, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions .env.model
Original file line number Diff line number Diff line change
@@ -1,13 +1,31 @@
# -- COMMON
LOG_LEVEL=info

# -- HOSTNAME (single source of truth)
# When set, IRIS_HOSTNAME provides fallback defaults for SERVER_NAME
# (nginx), PUBLIC_EXTERNAL_API_URL / ORIGIN (SvelteKit), and
# VITE_ALLOWED_HOSTS (Vite dev). Explicit values still take precedence
# for split-hostname deployments (e.g. API on a different host than UI).
# Existing .env files that set the four vars individually keep working.
#IRIS_HOSTNAME=iris.app.dev

# -- NGINX
NGINX_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_nginx

SERVER_NAME=iris.app.dev
# When both KEY_FILENAME and CERT_FILENAME are unset AND certbot's
# standard fullchain.pem + privkey.pem pair exist under
# ./certificates/web_certificates/, the nginx entrypoint autodetects
# them — useful for Let's Encrypt setups. See
# scripts/certbot-deploy-hook.sh for zero-copy renewals.
KEY_FILENAME=iris_dev_key.pem
CERT_FILENAME=iris_dev_cert.pem

# Nginx polls the cert file's mtime every N seconds and reloads on
# change so certbot renewals apply without a container restart. Set
# to 0 to disable if your deployment reloads nginx externally.
#IRIS_CERT_RELOAD_INTERVAL=60

# -- DATABASE
DB_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_db

Expand Down Expand Up @@ -88,6 +106,23 @@ IRIS_AUTHENTICATION_TYPE=local
# optional mapping for usergroup-names
# OIDC_MAPPING_USERGROUP= "iris-roles" #Group field in OIDC Token
# OIDC_MAPPING_ROLES= '{"iris-admin": "1", "iris-analyst": "2"}'
# -- CUSTOM CA CERTIFICATES (Keycloak, LDAPS, webhooks, ...)
# The recommended way to trust internal CAs is to drop one or more
# *.crt / *.pem files into ./certificates/ca-bundle/ on the host —
# they are mounted at /etc/iris-ca/ inside the app and worker
# containers, and the entrypoint installs them into the OS trust
# store (update-ca-certificates) on every boot. This is ADDITIVE:
# system roots stay trusted, so no manual concatenation is needed.
#
# The legacy single-file bundle at
# ./certificates/ca-bundle/extra-ca.crt is still honoured for
# backward compatibility, as are the REQUESTS_CA_BUNDLE /
# SSL_CERT_FILE / TLS_ROOT_CA env vars (which REPLACE the default
# trust store rather than augmenting it — prefer the drop-in dir
# unless you have a reason to pin the exact bundle).
#REQUESTS_CA_BUNDLE=/etc/iris-ca/extra-ca.crt
#SSL_CERT_FILE=/etc/iris-ca/extra-ca.crt

# -- LISTENING PORT
INTERFACE_HTTPS_PORT=443

37 changes: 0 additions & 37 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -110,43 +110,6 @@ jobs:
name: iriswebapp_app
path: ${{ runner.temp }}/iriswebapp_app.tar

build-graphql-documentation:
name: Generate graphQL documentation
runs-on: ubuntu-22.04
needs:
- build-docker-db
- build-docker-nginx
- build-docker-app
steps:
- name: Download artifacts
uses: actions/download-artifact@v4
with:
pattern: iriswebapp_*
path: ${{ runner.temp }}
merge-multiple: true
- name: Load docker images
run: |
docker load --input ${{ runner.temp }}/iriswebapp_db.tar
docker load --input ${{ runner.temp }}/iriswebapp_nginx.tar
docker load --input ${{ runner.temp }}/iriswebapp_app.tar
- name: Check out iris
uses: actions/checkout@v4
- name: Start development server
run: |
cp .env.tests.model .env
docker compose --file docker-compose.dev.yml up --detach --wait
- name: Generate GraphQL documentation
run: |
npx spectaql@^3.0.2 source/spectaql/config.yml
- name: Stop development server
run: |
docker compose down
- uses: actions/upload-artifact@v4
with:
name: GraphQL DFIR-IRIS documentation
path: public
if-no-files-found: error

test-api:
name: Test API
runs-on: ubuntu-22.04
Expand Down
3 changes: 2 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -32,4 +32,5 @@ certificates/web_certificates/*.pem
certificates/web_certificates/*.key
!certificates/web_certificates/iris_dev_*
local_dev/
.serena/
.serena/
.tokensave
54 changes: 53 additions & 1 deletion docker-compose.base.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,13 @@ services:
- POSTGRES_ADMIN_USER
- POSTGRES_ADMIN_PASSWORD
- POSTGRES_DB
# PG18's Docker image refuses to use a directory mounted directly
# as PGDATA (it expects the version-prefixed layout from
# pg_ctlcluster). Pointing PGDATA at a sub-path inside the
# mounted volume sidesteps that check and keeps the on-disk
# layout the same across the project's bind mounts / named
# volumes regardless of host.
- PGDATA=/var/lib/postgresql/data/pgdata
networks:
- iris_backend
volumes:
Expand All @@ -41,6 +48,25 @@ services:
volumes:
- ./certificates/:/home/iris/certificates/:ro
- ./certificates/ldap/:/iriswebapp/certificates/ldap/:ro
# Operator-supplied CA bundle for outbound TLS from the Python
# processes (Keycloak discovery, OIDC token endpoint, LDAPS,
# webhook integrations, ...).
#
# IMPORTANT: REQUESTS_CA_BUNDLE / SSL_CERT_FILE replace the
# default trust store rather than augmenting it, so the file
# mounted at /etc/iris-ca/extra-ca.crt MUST be a full bundle:
# your internal CA chain CONCATENATED with the system root
# bundle (e.g. /etc/ssl/certs/ca-certificates.crt on the host).
#
# On the host:
# mkdir -p iris-web/certificates/ca-bundle
# cat /etc/ssl/certs/ca-certificates.crt \
# /path/to/internal-ca-chain.pem \
# > iris-web/certificates/ca-bundle/extra-ca.crt
#
# Leave it absent / empty to keep the container's default trust
# store (Python will then refuse certs signed by private CAs).
- ./certificates/ca-bundle/:/etc/iris-ca/:ro
- iris-downloads:/home/iris/downloads
- user_templates:/home/iris/user_templates
- server_data:/home/iris/server_data
Expand All @@ -59,6 +85,18 @@ services:
- POSTGRES_PORT
- IRIS_SECRET_KEY
- IRIS_SECURITY_PASSWORD_SALT
# Point Python's `requests` library AND the stdlib `ssl` module
# at an operator-supplied bundle so it trusts chains for
# internal services (Keycloak, LDAPS, etc.). The bundle must
# include the system roots too — these env vars REPLACE the
# default trust store, not add to it.
#
# Unset by default — only opt in by exporting REQUESTS_CA_BUNDLE
# in iris-web/.env, e.g.:
# REQUESTS_CA_BUNDLE=/etc/iris-ca/extra-ca.crt
# SSL_CERT_FILE=/etc/iris-ca/extra-ca.crt
- REQUESTS_CA_BUNDLE
- SSL_CERT_FILE
networks:
- iris_backend
- iris_frontend
Expand All @@ -75,6 +113,7 @@ services:
volumes:
- ./certificates/:/home/iris/certificates/:ro
- ./certificates/ldap/:/iriswebapp/certificates/ldap/:ro
- ./certificates/ca-bundle/:/etc/iris-ca/:ro
- iris-downloads:/home/iris/downloads
- user_templates:/home/iris/user_templates
- server_data:/home/iris/server_data
Expand All @@ -95,6 +134,10 @@ services:
- IRIS_SECURITY_PASSWORD_SALT
- IRIS_WORKER
- LOG_LEVEL
# See the `app` service: REPLACES the default trust store. Set
# in iris-web/.env to opt in.
- REQUESTS_CA_BUNDLE
- SSL_CERT_FILE
networks:
- iris_backend

Expand All @@ -106,10 +149,19 @@ services:
- IRIS_FRONTEND_SERVER
- IRIS_FRONTEND_PORT
- INTERFACE_HTTPS_PORT
- SERVER_NAME
# SERVER_NAME still takes precedence when set. If unset, the
# entrypoint falls back to IRIS_HOSTNAME so operators only
# declare the hostname once.
- SERVER_NAME=${SERVER_NAME:-${IRIS_HOSTNAME:-}}
# CERT_FILENAME / KEY_FILENAME still take precedence when set.
# When unset, the entrypoint autodetects certbot's standard
# fullchain.pem / privkey.pem pair under /www/certs/.
- CERT_FILENAME
- KEY_FILENAME
- IRIS_AUTHENTICATION_TYPE
# Poll interval (seconds) for the cert-reload watcher. Set to 0
# to disable auto-reload on cert change.
- IRIS_CERT_RELOAD_INTERVAL=${IRIS_CERT_RELOAD_INTERVAL:-60}
networks:
- iris_frontend
ports:
Expand Down
13 changes: 11 additions & 2 deletions docker-compose.dev.yml
Original file line number Diff line number Diff line change
Expand Up @@ -108,13 +108,22 @@ services:
working_dir: /app
environment:
- IRIS_SVELTEKIT_FRONTEND_DIR=${IRIS_SVELTEKIT_FRONTEND_DIR:-../iris-frontend}
- PUBLIC_EXTERNAL_API_URL=${PUBLIC_EXTERNAL_API_URL:-https://127.0.0.1}
# PUBLIC_EXTERNAL_API_URL, ORIGIN, and VITE_ALLOWED_HOSTS all
# fall back to IRIS_HOSTNAME so operators only declare the
# external hostname once (in iris-web/.env). Explicit values
# still take precedence for split-hostname deployments.
- PUBLIC_EXTERNAL_API_URL=${PUBLIC_EXTERNAL_API_URL:-https://${IRIS_HOSTNAME:-127.0.0.1}}
- PUBLIC_INTERNAL_API_URL=http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT}
- PUBLIC_USE_MOCK_API_DATA=false
- ORIGIN=https://127.0.0.1
- ORIGIN=${ORIGIN:-https://${IRIS_HOSTNAME:-127.0.0.1}}
- PROTOCOL_HEADER=x-forwarded-proto
- HOST_HEADER=x-forwarded-host
- NODE_ENV=development
# Whitelist hostnames Vite will serve the dev SPA to. Without
# this, hitting the container behind nginx via a real hostname
# gets blocked by Vite's host-header check. Falls back to
# IRIS_HOSTNAME when unset; use `all` to disable the check.
- VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-${IRIS_HOSTNAME:-}}
volumes:
- ${IRIS_SVELTEKIT_FRONTEND_DIR:-../iris-frontend}:/app # Map the frontend directory dynamically
- /app/node_modules # Ensure `node_modules` is preserved inside the container
Expand Down
155 changes: 155 additions & 0 deletions docker-compose.new-ui.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,155 @@
# IRIS Source Code
# contact@dfir-iris.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 3 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# Production-style stack for the new SvelteKit UI.
#
# Mirrors docker-compose.dev.yml, but the frontend is a compiled
# SvelteKit Node bundle (no Vite, no HMR, no bind mount). Use this
# when you want the new UI behind nginx without running the Vite dev
# server.
#
# Usage:
# docker compose -f docker-compose.new-ui.yml --profile new-ui up -d --build
#
# Required env (iris-web/.env):
# ORIGIN=https://your.deployment.host # SvelteKit CSRF gate
# IRIS_SVELTEKIT_FRONTEND_DIR=../iris-frontend
# NGINX_CONF_FILE=nginx-newui.conf

services:
rabbitmq:
extends:
file: docker-compose.base.yml
service: rabbitmq
user: rabbitmq
healthcheck:
test: rabbitmq-diagnostics check_port_connectivity || exit 1
start_period: 60s
start_interval: 1s

db:
extends:
file: docker-compose.base.yml
service: db
build:
context: docker/db
image: iriswebapp_db:newui
ports:
- "127.0.0.1:5432:5432"
healthcheck:
test: pg_isready -U postgres -d iris_db || exit 1
start_period: 60s
start_interval: 1s

app:
extends:
file: docker-compose.base.yml
service: app
build:
context: .
dockerfile: docker/webApp/Dockerfile
image: iriswebapp_app:newui
ports:
- "8000:8000"
depends_on:
db:
condition: service_healthy
rabbitmq:
condition: service_healthy
healthcheck:
test: curl --head --fail http://localhost:8000 || exit 1
start_period: 60s
start_interval: 1s

worker:
extends:
file: docker-compose.base.yml
service: worker
build:
context: .
dockerfile: docker/webApp/Dockerfile
image: iriswebapp_app:newui
depends_on:
app:
condition: service_healthy
db:
condition: service_healthy
rabbitmq:
condition: service_healthy
healthcheck:
test: celery -A app.celery inspect ping || exit 1
start_period: 60s
start_interval: 1s

nginx:
extends:
file: docker-compose.base.yml
service: nginx
build:
context: ./docker/nginx
args:
NGINX_CONF_GID: 1234
NGINX_CONF_FILE: ${NGINX_CONF_FILE:-nginx-newui.conf}
image: iriswebapp_nginx:newui
depends_on:
app:
condition: service_healthy
worker:
condition: service_healthy

frontend:
# Compiled SvelteKit Node bundle. No source bind-mount, no `npm
# install` on boot — the image carries everything it needs.
build:
context: ${IRIS_SVELTEKIT_FRONTEND_DIR:-../iris-frontend}
dockerfile: ${IRIS_FRONTEND_DOCKERFILE:-../iris-web/docker/frontend/Dockerfile}
image: iris_frontend:newui
profiles: ["new-ui"]
container_name: iris_sveltekit_frontend
environment:
# Both fall back to IRIS_HOSTNAME so operators only declare the
# external hostname once (in iris-web/.env). Explicit
# PUBLIC_EXTERNAL_API_URL / ORIGIN still take precedence — useful
# when the API is served from a different host than the UI.
- PUBLIC_EXTERNAL_API_URL=${PUBLIC_EXTERNAL_API_URL:-https://${IRIS_HOSTNAME:-127.0.0.1}}
- PUBLIC_INTERNAL_API_URL=http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT}
- PUBLIC_USE_MOCK_API_DATA=false
# ORIGIN gates SvelteKit's CSRF check in production (see
# svelte.config.js → kit.csrf.checkOrigin). Must match the
# external URL the user hits.
- ORIGIN=${ORIGIN:-https://${IRIS_HOSTNAME:-127.0.0.1}}
- PROTOCOL_HEADER=x-forwarded-proto
- HOST_HEADER=x-forwarded-host
- NODE_ENV=production
# Disable adapter-node's 512K default so avatar (multi-MB) and
# datastore (multi-GB) uploads aren't truncated mid-stream — the
# per-endpoint caps live in nginx (client_max_body_size).
- BODY_SIZE_LIMIT=Infinity
ports:
- "5173:5173"
networks:
- iris_backend
- iris_frontend
restart: always

volumes:
iris-downloads:
user_templates:
server_data:
db_data:

networks:
iris_backend:
name: iris_backend
iris_frontend:
name: iris_frontend
2 changes: 1 addition & 1 deletion docker/db/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,6 @@
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.


FROM postgres:12-alpine
FROM postgres:18-alpine

COPY create_user.sh /docker-entrypoint-initdb.d/10-create_user.sh
Loading
Loading