[docker] Bundle XTM One in the default stack

.env.sample

@@ -33,15 +33,19 @@ IMAP_STARTTLS_ENABLE=false
 XTM_COMPOSER_ID=8215614c-7139-422e-b825-b20fd2a13a23
 COMPOSE_PROJECT_NAME=xtm
 
+# Shared secret used to register the platforms with XTM One.
+# All platforms sharing an XTM One instance MUST use the same value.
+PLATFORM_REGISTRATION_TOKEN=ChangeMeWithGeneratedRandomString # [MANDATORY] Replace with a long random string (e.g. `openssl rand -hex 32`)
+
 ###########################
 # OPENAEV                 #
 ###########################
 
 OPENAEV_HOST=localhost
 OPENAEV_PORT=8080
 OPENAEV_EXTERNAL_SCHEME=http
-OPENAEV_ADMIN_EMAIL= # ChangeMe@domain.com
-OPENAEV_ADMIN_PASSWORD= # ChangeMe
+OPENAEV_ADMIN_EMAIL=admin@filigran.io
+OPENAEV_ADMIN_PASSWORD=changeme
 OPENAEV_ADMIN_TOKEN=00000000-0000-0000-0000-000000000000 # [MANDATORY] Replace with a valid UUIDv4
 OPENAEV_HEALTHCHECK_KEY=ChangeMe
 OPENAEV_ADMIN_ENCRYPTION_KEY= # ChangeMe
@@ -65,3 +69,26 @@ COLLECTOR_NVD_NIST_CVE_API_KEY= #Optionnal but recommended
 
 INJECTOR_NMAP_ID=76f8f4d6-9f6f-4e61-befc-48f735876a4a
 INJECTOR_NUCLEI_ID=e1bad898-9804-427d-99e4-dc32c5f2898d
+
+###########################
+# XTM ONE                 #
+###########################
+
+XTM_ONE_HOST=localhost
+XTM_ONE_PORT=8090
+XTM_ONE_EXTERNAL_SCHEME=http
+# Must match the admin email of the connected platform(s) so XTM One's JWT
+# email claim resolves to an existing user.
+XTM_ONE_ADMIN_EMAIL=admin@filigran.io
+XTM_ONE_ADMIN_PASSWORD=changeme
+# Long random string (e.g. `openssl rand -hex 32`). Used to sign sessions/tokens.
+XTM_ONE_SECRET_KEY=ChangeMeWithGeneratedRandomString
+# Credentials for the dedicated pgsql-xtm-one Postgres instance.
+XTM_ONE_POSTGRES_USER=xtmone
+XTM_ONE_POSTGRES_PASSWORD=ChangeMe
+# Optional: bucket name in MinIO (auto-created on first boot)
+XTM_ONE_S3_BUCKET=xtm-one-files
+# Optional: enterprise license PEM (leave empty in xtm_one mode)
+XTM_ONE_ENTERPRISE_LICENSE=
+XTM_ONE_LOG_LEVEL=info
+XTM_ONE_LOG_FORMAT=json

docker-compose.yml

@@ -17,6 +17,17 @@ services:
       timeout: 5s
       retries: 3
     restart: always
+  redis:
+    # Used by XTM One.
+    image: redis:8.6.3
+    restart: always
+    volumes:
+      - redisdata:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
   pgsql:
     image: postgres:17-alpine
     environment:
@@ -166,6 +177,9 @@ services:
       - OPENAEV_MAIL_IMAP_SSL_TRUST=*
       - OPENAEV_MAIL_IMAP_STARTTLS_ENABLE=${IMAP_STARTTLS_ENABLE}
       - OPENAEV_WITH-PROXY=${OPENAEV_WITH_PROXY}
+      # XTM One
+      - OPENAEV_XTM_ONE_URL=http://xtm-one:4000
+      - OPENAEV_XTM_ONE_TOKEN=${PLATFORM_REGISTRATION_TOKEN}
     ports:
       - "${OPENAEV_PORT}:8080"
     depends_on:
@@ -266,9 +280,94 @@ services:
       openaev:
         condition: service_healthy
     restart: always
+
+  ###########################
+  # XTM ONE                 #
+  ###########################
+
+  pgsql-xtm-one:
+    # Dedicated pgvector-enabled instance for XTM One.
+    image: pgvector/pgvector:pg17
+    environment:
+      POSTGRES_USER: ${XTM_ONE_POSTGRES_USER}
+      POSTGRES_PASSWORD: ${XTM_ONE_POSTGRES_PASSWORD}
+      POSTGRES_DB: xtm_one
+    volumes:
+      - pgsqlxtmonedata:/var/lib/postgresql/data
+    restart: always
+    healthcheck:
+      test: [ "CMD", "pg_isready", "-U", "${XTM_ONE_POSTGRES_USER}", "-d", "xtm_one" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  xtm-one:
+    image: xtmone/platform:latest
+    environment:
+      - PLATFORM_MODE=xtm_one
+      - PLATFORM_REGISTRATION_TOKEN=${PLATFORM_REGISTRATION_TOKEN}
+      - BASE_URL=${XTM_ONE_EXTERNAL_SCHEME}://${XTM_ONE_HOST}:${XTM_ONE_PORT}
+      - FRONTEND_URL=${XTM_ONE_EXTERNAL_SCHEME}://${XTM_ONE_HOST}:${XTM_ONE_PORT}
+      - ADMIN_EMAIL=${XTM_ONE_ADMIN_EMAIL}
+      - ADMIN_PASSWORD=${XTM_ONE_ADMIN_PASSWORD}
+      - SECRET_KEY=${XTM_ONE_SECRET_KEY}
+      - DATABASE_URL=postgresql+asyncpg://${XTM_ONE_POSTGRES_USER}:${XTM_ONE_POSTGRES_PASSWORD}@pgsql-xtm-one:5432/xtm_one
+      - REDIS_URL=redis://redis:6379
+      - S3_ENDPOINT=minio:9000
+      - S3_ACCESS_KEY=${MINIO_ROOT_USER}
+      - S3_SECRET_KEY=${MINIO_ROOT_PASSWORD}
+      - S3_BUCKET=${XTM_ONE_S3_BUCKET:-xtm-one-files}
+      - S3_USE_SSL=false
+      - LOG_LEVEL=${XTM_ONE_LOG_LEVEL:-info}
+      - LOG_FORMAT=${XTM_ONE_LOG_FORMAT:-json}
+      - ENTERPRISE_LICENSE=${XTM_ONE_ENTERPRISE_LICENSE:-}
+      # Internal API endpoint for the OpenAEV integration (Docker hostname)
+      - OPENAEV_API_URL=http://openaev:8080
+    ports:
+      - "${XTM_ONE_PORT}:4000"
+    depends_on:
+      pgsql-xtm-one:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+      minio:
+        condition: service_healthy
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "curl -fsS http://localhost:4000/api/health || exit 1"]
+      interval: 15s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+
+  xtm-one-worker:
+    image: xtmone/worker:latest
+    environment:
+      - PLATFORM_MODE=xtm_one
+      - PLATFORM_REGISTRATION_TOKEN=${PLATFORM_REGISTRATION_TOKEN}
+      - ADMIN_EMAIL=${XTM_ONE_ADMIN_EMAIL}
+      - ADMIN_PASSWORD=${XTM_ONE_ADMIN_PASSWORD}
+      - SECRET_KEY=${XTM_ONE_SECRET_KEY}
+      - DATABASE_URL=postgresql+asyncpg://${XTM_ONE_POSTGRES_USER}:${XTM_ONE_POSTGRES_PASSWORD}@pgsql-xtm-one:5432/xtm_one
+      - REDIS_URL=redis://redis:6379
+      - S3_ENDPOINT=minio:9000
+      - S3_ACCESS_KEY=${MINIO_ROOT_USER}
+      - S3_SECRET_KEY=${MINIO_ROOT_PASSWORD}
+      - S3_BUCKET=${XTM_ONE_S3_BUCKET:-xtm-one-files}
+      - S3_USE_SSL=false
+      - LOG_LEVEL=${XTM_ONE_LOG_LEVEL:-info}
+      - LOG_FORMAT=${XTM_ONE_LOG_FORMAT:-json}
+      - ENTERPRISE_LICENSE=${XTM_ONE_ENTERPRISE_LICENSE:-}
+    depends_on:
+      xtm-one:
+        condition: service_healthy
+    restart: always
+
 volumes:
   pgsqldata:
   s3data:
   amqpdata:
   esdata:
   rsakeys:
+  redisdata:
+  pgsqlxtmonedata: