Merge pull request #250 from mieweb/cmyers_wazuh-int

Add Default Container Environment Variables + Wazuh Agent Installation

Author: runleveldev

create-a-container/bin/create-container.js

@@ -28,7 +28,7 @@ const path = require('path');
 
 // Load models from parent directory
 const db = require(path.join(__dirname, '..', 'models'));
-const { Container, Node, Site, Service, HTTPService, ExternalDomain } = db;
+const { Container, Node, Site, Service, HTTPService, ExternalDomain, Setting } = db;
 
 // Load utilities
 const { parseArgs } = require(path.join(__dirname, '..', 'utils', 'cli'));
@@ -330,7 +330,23 @@ async function main() {
 
     // Merge user-specified env vars (user values override defaults)
     const userEnvVars = container.environmentVars ? JSON.parse(container.environmentVars) : {};
-    mergedEnvVars = { ...mergedEnvVars, ...userEnvVars };
+
+    // Load system-wide default env vars from Settings.
+    // Descriptions are metadata only and are not passed into the container.
+    let systemDefaultEnvVars = {};
+    try {
+      const entries = await Setting.getDefaultContainerEnvVars();
+      for (const entry of entries) {
+        if (entry.key && entry.key.trim()) {
+          systemDefaultEnvVars[entry.key.trim()] = entry.value || '';
+        }
+      }
+    } catch (_) {
+      console.warn('Could not load default_container_env_vars from settings, skipping');
+    }
+
+    // Merge priority: image defaults < system defaults < per-container user values
+    mergedEnvVars = { ...mergedEnvVars, ...systemDefaultEnvVars, ...userEnvVars };
 
     // Use user entrypoint if specified, otherwise keep default
     const finalEntrypoint = container.entrypoint || defaultEntrypoint;
@@ -359,8 +375,9 @@ async function main() {
     if (Object.keys(envConfig).length > 0) {
       console.log('Applying environment variables and entrypoint...');
       if (defaultEntrypoint) console.log(`Default entrypoint: ${defaultEntrypoint}`);
-      if (defaultEnvStr) console.log(`Default env vars: ${Object.keys(mergedEnvVars).length - Object.keys(userEnvVars).length} from image`);
-      if (Object.keys(userEnvVars).length > 0) console.log(`User env vars: ${Object.keys(userEnvVars).length} overrides`);
+      if (defaultEnvStr) console.log(`Image default env vars: ${Object.keys(mergedEnvVars).length - Object.keys(userEnvVars).length - Object.keys(systemDefaultEnvVars).length}`);
+      if (Object.keys(systemDefaultEnvVars).length > 0) console.log(`System default env vars: ${Object.keys(systemDefaultEnvVars).length} from settings`);
+      if (Object.keys(userEnvVars).length > 0) console.log(`Per-container env vars: ${Object.keys(userEnvVars).length}`);
       await client.updateLxcConfig(node.name, vmid, envConfig);
       console.log('Environment/entrypoint configuration applied');
     }

create-a-container/migrations/20260320000000-change-settings-value-to-text.js

@@ -0,0 +1,18 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.changeColumn('Settings', 'value', {
+      type: Sequelize.TEXT,
+      allowNull: false
+    });
+  },
+
+  async down(queryInterface, Sequelize) {
+    await queryInterface.changeColumn('Settings', 'value', {
+      type: Sequelize.STRING,
+      allowNull: false
+    });
+  }
+};

create-a-container/models/setting.js

@@ -51,6 +51,23 @@ module.exports = (sequelize, DataTypes) => {
         return acc;
       }, {});
     }
+
+    /**
+     * Returns the default_container_env_vars setting as an array of
+     * {key, value, description} objects. Handles both the current array
+     * format and the legacy flat-object format {KEY: value}.
+     * @returns {Promise<Array<{key: string, value: string, description: string}>>}
+     */
+    static async getDefaultContainerEnvVars() {
+      const json = await Setting.get('default_container_env_vars');
+      if (!json) return [];
+      const parsed = JSON.parse(json);
+      if (Array.isArray(parsed)) return parsed;
+      if (typeof parsed === 'object' && parsed !== null) {
+        return Object.entries(parsed).map(([key, value]) => ({ key, value, description: '' }));
+      }
+      return [];
+    }
   }
 
   Setting.init({
@@ -61,7 +78,7 @@ module.exports = (sequelize, DataTypes) => {
       unique: true
     },
     value: {
-      type: DataTypes.STRING,
+      type: DataTypes.TEXT,
       allowNull: false
     }
   }, {

create-a-container/routers/settings.js

@@ -12,15 +12,24 @@ router.get('/', async (req, res) => {
     'push_notification_enabled',
     'push_notification_api_key',
     'smtp_url',
-    'smtp_noreply_address'
+    'smtp_noreply_address',
+    'default_container_env_vars'
   ]);
+
+  let defaultContainerEnvVars = [];
+  try {
+    defaultContainerEnvVars = await Setting.getDefaultContainerEnvVars();
+  } catch (_) {
+    // ignore malformed JSON — treat as empty
+  }
 
   res.render('settings/index', {
     pushNotificationUrl: settings.push_notification_url || '',
     pushNotificationEnabled: settings.push_notification_enabled === 'true',
     pushNotificationApiKey: settings.push_notification_api_key || '',
     smtpUrl: settings.smtp_url || '',
     smtpNoreplyAddress: settings.smtp_noreply_address || '',
+    defaultContainerEnvVars,
     req
   });
 });
@@ -31,7 +40,8 @@ router.post('/', async (req, res) => {
     push_notification_enabled,
     push_notification_api_key,
     smtp_url,
-    smtp_noreply_address
+    smtp_noreply_address,
+    defaultEnvVars
   } = req.body;
 
   const enabled = push_notification_enabled === 'on';
@@ -40,12 +50,28 @@ router.post('/', async (req, res) => {
     await req.flash('error', 'Push notification URL is required when push notifications are enabled');
     return res.redirect('/settings');
   }
+
+  // Build default container env vars as an array of {key, value, description} objects.
+  // Descriptions are metadata only — they are never passed to containers.
+  const envVarsArray = [];
+  if (Array.isArray(defaultEnvVars)) {
+    for (const entry of defaultEnvVars) {
+      if (entry && entry.key && entry.key.trim()) {
+        envVarsArray.push({
+          key: entry.key.trim(),
+          value: entry.value || '',
+          description: entry.description || ''
+        });
+      }
+    }
+  }
 
   await Setting.set('push_notification_url', push_notification_url || '');
   await Setting.set('push_notification_enabled', enabled ? 'true' : 'false');
   await Setting.set('push_notification_api_key', push_notification_api_key || '');
   await Setting.set('smtp_url', smtp_url || '');
   await Setting.set('smtp_noreply_address', smtp_noreply_address || '');
+  await Setting.set('default_container_env_vars', JSON.stringify(envVarsArray));
 
   await req.flash('success', 'Settings saved successfully');
   return res.redirect('/settings');

create-a-container/seeders/20260311000000-seed-wazuh-env-vars.js

@@ -0,0 +1,85 @@
+'use strict';
+
+// Variables seeded into the default_container_env_vars setting.
+// Add future cross-container variables here and create a new seeder
+// that calls the same merge logic.
+const WAZUH_DEFAULTS = [
+  {
+    key: 'WAZUH_MANAGER',
+    value: '',
+    description: 'Hostname of the Wazuh manager for agent enrollment (e.g. wazuh.example.com)'
+  },
+  {
+    key: 'WAZUH_REGISTRATION_PASSWORD',
+    value: '',
+    description: 'Enrollment password for Wazuh agent registration — deleted from /etc/environment inside the container immediately after first-boot enrollment completes'
+  }
+];
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface) {
+    const [rows] = await queryInterface.sequelize.query(
+      `SELECT value FROM "Settings" WHERE key = 'default_container_env_vars'`
+    );
+
+    let existing = [];
+    if (rows.length > 0) {
+      try {
+        const parsed = JSON.parse(rows[0].value);
+        if (Array.isArray(parsed)) {
+          existing = parsed;
+        } else if (typeof parsed === 'object' && parsed !== null) {
+          // Migrate from old flat-object format {KEY: value} to array format
+          existing = Object.entries(parsed).map(([key, value]) => ({ key, value, description: '' }));
+        }
+      } catch (_) {
+        existing = [];
+      }
+    }
+
+    const existingKeys = new Set(existing.map(e => e.key));
+    const toAdd = WAZUH_DEFAULTS.filter(e => !existingKeys.has(e.key));
+    if (toAdd.length === 0) return; // all keys already present
+
+    const merged = [...existing, ...toAdd];
+    const now = new Date();
+
+    if (rows.length > 0) {
+      await queryInterface.sequelize.query(
+        `UPDATE "Settings" SET value = :value, "updatedAt" = :now WHERE key = 'default_container_env_vars'`,
+        { replacements: { value: JSON.stringify(merged), now } }
+      );
+    } else {
+      await queryInterface.bulkInsert('Settings', [{
+        key: 'default_container_env_vars',
+        value: JSON.stringify(merged),
+        createdAt: now,
+        updatedAt: now
+      }]);
+    }
+  },
+
+  async down(queryInterface) {
+    const [rows] = await queryInterface.sequelize.query(
+      `SELECT value FROM "Settings" WHERE key = 'default_container_env_vars'`
+    );
+    if (rows.length === 0) return;
+
+    let existing = [];
+    try {
+      const parsed = JSON.parse(rows[0].value);
+      existing = Array.isArray(parsed) ? parsed : [];
+    } catch (_) {
+      return;
+    }
+
+    const keysToRemove = new Set(WAZUH_DEFAULTS.map(e => e.key));
+    const reverted = existing.filter(e => !keysToRemove.has(e.key));
+
+    await queryInterface.sequelize.query(
+      `UPDATE "Settings" SET value = :value, "updatedAt" = :now WHERE key = 'default_container_env_vars'`,
+      { replacements: { value: JSON.stringify(reverted), now: new Date() } }
+    );
+  }
+};

create-a-container/views/settings/index.ejs

@@ -110,6 +110,31 @@
         </div>
       </div>
 
+      <div class="mb-4">
+        <h5 class="mb-3">Default Container Environment Variables</h5>
+        <p class="text-muted mb-3" id="default_env_vars_help">
+          These variables are automatically injected into every new container at creation time.
+          Use them for shared configuration such as agent connection details.
+          Per-container values always take precedence over these defaults.
+        </p>
+        <div class="d-flex justify-content-end mb-2">
+          <button type="button" id="addDefaultEnvVarBtn" class="btn btn-sm btn-primary" aria-label="Add default environment variable">
+            Add Variable
+          </button>
+        </div>
+        <table class="table table-sm table-bordered mb-0" aria-describedby="default_env_vars_help">
+          <thead>
+            <tr>
+              <th style="width: 22%;">Name</th>
+              <th style="width: 22%;">Value</th>
+              <th>Description</th>
+              <th style="width: 80px;" class="text-center">Action</th>
+            </tr>
+          </thead>
+          <tbody id="defaultEnvVarsTableBody"></tbody>
+        </table>
+      </div>
+
       <div class="d-flex gap-2">
         <button type="submit" class="btn btn-primary" aria-label="Save settings">
           Save Settings
@@ -123,3 +148,72 @@
 </div>
 
 <%- include('../layouts/footer') %>
+
+<script>
+  let envVarCounter = 0;
+
+  function addDefaultEnvVarRow(key = '', value = '', description = '') {
+    const row = document.createElement('tr');
+    row.id = `default-env-row-${envVarCounter}`;
+
+    const keyCell = document.createElement('td');
+    keyCell.style.cssText = 'border: 1px solid #ddd; padding: 8px;';
+    const keyInput = document.createElement('input');
+    keyInput.type = 'text';
+    keyInput.className = 'form-control form-control-sm font-monospace';
+    keyInput.name = `defaultEnvVars[${envVarCounter}][key]`;
+    keyInput.value = key;
+    keyInput.placeholder = 'VARIABLE_NAME';
+    keyInput.pattern = '[A-Za-z_][A-Za-z0-9_]*';
+    keyInput.setAttribute('aria-label', 'Environment variable name');
+    keyCell.appendChild(keyInput);
+
+    const valueCell = document.createElement('td');
+    valueCell.style.cssText = 'border: 1px solid #ddd; padding: 8px;';
+    const valueInput = document.createElement('input');
+    valueInput.type = 'text';
+    valueInput.className = 'form-control form-control-sm font-monospace';
+    valueInput.name = `defaultEnvVars[${envVarCounter}][value]`;
+    valueInput.value = value;
+    valueInput.placeholder = 'value';
+    valueInput.setAttribute('aria-label', 'Environment variable value');
+    valueCell.appendChild(valueInput);
+
+    const descCell = document.createElement('td');
+    descCell.style.cssText = 'border: 1px solid #ddd; padding: 8px;';
+    const descInput = document.createElement('input');
+    descInput.type = 'text';
+    descInput.className = 'form-control form-control-sm text-muted';
+    descInput.name = `defaultEnvVars[${envVarCounter}][description]`;
+    descInput.value = description;
+    descInput.placeholder = 'optional description (not sent to containers)';
+    descInput.setAttribute('aria-label', 'Environment variable description');
+    descCell.appendChild(descInput);
+
+    const actionCell = document.createElement('td');
+    actionCell.style.cssText = 'border: 1px solid #ddd; padding: 8px; text-align: center;';
+    const removeBtn = document.createElement('button');
+    removeBtn.type = 'button';
+    removeBtn.className = 'btn btn-sm btn-danger';
+    removeBtn.textContent = 'Delete';
+    removeBtn.setAttribute('aria-label', 'Remove environment variable');
+    const idx = envVarCounter;
+    removeBtn.onclick = () => document.getElementById(`default-env-row-${idx}`).remove();
+    actionCell.appendChild(removeBtn);
+
+    row.appendChild(keyCell);
+    row.appendChild(valueCell);
+    row.appendChild(descCell);
+    row.appendChild(actionCell);
+    document.getElementById('defaultEnvVarsTableBody').appendChild(row);
+    envVarCounter++;
+  }
+
+  document.getElementById('addDefaultEnvVarBtn').addEventListener('click', () => addDefaultEnvVarRow());
+
+  // Pre-populate saved values (array of {key, value, description} objects)
+  const savedEnvVars = <%- JSON.stringify(defaultContainerEnvVars) %>;
+  for (const entry of savedEnvVars) {
+    addDefaultEnvVarRow(entry.key, entry.value, entry.description || '');
+  }
+</script>

images/base/Dockerfile

@@ -14,7 +14,7 @@ COPY --from=builder /rootfs /
 
 # Install and setup sssd autoconfiguration
 RUN apt-get update && \
-    apt-get install -y sssd sudo tmux curl git jq unattended-upgrades && \
+    apt-get install -y sssd sudo tmux curl gnupg git jq unattended-upgrades && \
     pam-auth-update --enable mkhomedir && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
@@ -27,6 +27,25 @@ COPY --chmod=0440 ldapusers /etc/sudoers.d/ldapusers
 COPY environment.sh /usr/local/bin/environment.sh
 COPY environment.service /etc/systemd/system/environment.service
 
+# Wazuh agent — pre-installed at build time so containers don't need internet
+# access at first boot to install it. The enrollment service only runs the
+# lightweight config + enrollment step at runtime.
+RUN curl -fsSL https://packages.wazuh.com/key/GPG-KEY-WAZUH \
+      | gpg --dearmor -o /usr/share/keyrings/wazuh.gpg && \
+    printf 'Types: deb\nURIs: https://packages.wazuh.com/4.x/apt/\nSuites: stable\nComponents: main\nSigned-By: /usr/share/keyrings/wazuh.gpg\n' \
+      > /etc/apt/sources.list.d/wazuh.sources && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends wazuh-agent && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Wazuh agent first-boot enrollment service.
+# The script checks for WAZUH_MANAGER at runtime; containers without this
+# variable skip enrollment silently. ConditionFileNotEmpty ensures the service
+# only runs when the agent has never successfully enrolled (client.keys is empty).
+COPY --chmod=0755 wazuh-enroll.sh /usr/local/bin/wazuh-enroll.sh
+COPY wazuh-enroll.service /etc/systemd/system/wazuh-enroll.service
+
 # We have to disable systemd-networkd.service and systemd-networkd.socket to
 # prevent a race condition preventing DHCP-assigned IP addresses from being used
 # when the network is managed via ifupdown2 (which it should be in a Debian LXC)