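---
# Compose definition for a single hardened NetAlertX container plus the named
# volume that holds its configuration and database.
services:
  netalertx:
    network_mode: host  # Host networking is needed for ARP scanning and the other network probes
    build:
      context: .  # Build context is the current directory
      dockerfile: Dockerfile  # Dockerfile to build from
    image: netalertx:latest
    container_name: netalertx  # The name shown by `docker container ls`
    read_only: true  # Root filesystem is read-only; all writes go to the volume and the tmpfs below

    # It is most secure to start with user 20211, but then we lose provisioning capabilities.
    # The container starts as root and /root-entrypoint.sh drops to PUID:PGID (see environment).
    # user: "${NETALERTX_UID:-20211}:${NETALERTX_GID:-20211}"

    cap_drop:  # Drop all capabilities, then add back only what the scanners and the entrypoint need
      - ALL
    cap_add:
      - NET_ADMIN  # Required for scanning with arp-scan, nmap, nbtscan, traceroute, and zero-conf
      - NET_RAW  # Required for raw socket operations with arp-scan, nmap, nbtscan, traceroute and zero-conf
      - NET_BIND_SERVICE  # Required to bind to privileged ports with nbtscan
      - CHOWN  # Required for root-entrypoint to chown /data + /tmp before dropping privileges
      - SETUID  # Required for root-entrypoint to switch to non-root user
      - SETGID  # Required for root-entrypoint to switch to non-root group

    volumes:
      - type: volume  # Persistent Docker-managed named volume for storage
        source: netalertx_data  # Default volume name; declared in the top-level `volumes:` section
        target: /data  # Consolidated configuration and database storage
        read_only: false  # Writable volume

      # Example custom local folder called /home/user/netalertx_data
      # - type: bind
      #   source: /home/user/netalertx_data
      #   target: /data
      #   read_only: false
      # ... or use the alternative format
      # - /home/user/netalertx_data:/data:rw

      - type: bind  # Bind mount for timezone consistency
        source: /etc/localtime
        target: /etc/localtime
        read_only: true

      # Use a custom Enterprise-configured nginx config for ldap or other settings
      # - /custom-enterprise.conf:/tmp/nginx/active-config/netalertx.conf:ro

      # Test your plugin on the production container
      # - /path/on/host:/app/front/plugins/custom

      # Retain logs - comment out tmpfs /tmp/log if you want to retain logs between container restarts
      # - /path/on/host/log:/tmp/log

    # tmpfs mounts provide the writable directories a read-only container needs and improve performance.
    # All writes now live under /tmp/* subdirectories which are created dynamically by entrypoint.d scripts.
    # mode=1700 gives rwx------ permissions; ownership is set by /root-entrypoint.sh.
    # noexec/nosuid/nodev keep the only writable scratch space from being used to stage executables.
    tmpfs:
      - "/tmp:mode=1700,uid=0,gid=0,rw,noexec,nosuid,nodev,async,noatime,nodiratime"

    # Interpolated values are quoted so the YAML parser never retypes a numeric or boolean-looking default.
    environment:
      PUID: "${NETALERTX_UID:-20211}"  # Runtime UID after priming (Synology/no-copy-up safe)
      PGID: "${NETALERTX_GID:-20211}"  # Runtime GID after priming (Synology/no-copy-up safe)
      # With network_mode: host the default 0.0.0.0 makes the web UI and GraphQL API reachable on every
      # host interface; set LISTEN_ADDR to a specific address (or filter at the host firewall) if that is
      # not intended.
      LISTEN_ADDR: "${LISTEN_ADDR:-0.0.0.0}"  # Listen for connections on all interfaces
      PORT: "${PORT:-20211}"  # Application port
      GRAPHQL_PORT: "${GRAPHQL_PORT:-20212}"  # GraphQL API port
      ALWAYS_FRESH_INSTALL: "${ALWAYS_FRESH_INSTALL:-false}"  # Set to true to reset your config and database on each container start
      NETALERTX_DEBUG: "${NETALERTX_DEBUG:-0}"  # 0=kill all services and restart if any dies. 1 keeps running dead services.

    # Resource limits to prevent resource exhaustion
    mem_limit: 2048m  # Maximum memory usage
    mem_reservation: 1024m  # Soft memory limit
    cpu_shares: 512  # Relative CPU weight for CPU contention scenarios
    pids_limit: 512  # Limit the number of processes/threads to prevent fork bombs

    logging:
      options:
        max-size: "10m"  # Rotate log files after they reach 10MB
        max-file: "3"  # Keep a maximum of 3 log files

    # Always restart the container unless explicitly stopped
    restart: unless-stopped

volumes:
  # Persistent volume for configuration and database storage
  netalertx_data: {}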