Add dockge to OVA images (#141)

* add dockge

* upload latest ova

* fix stacks directory

* change stacks

* restore pipelines

* change path, make dockge optional

* remove temporary build

* remove npm

* Set restart to unless-stopped and omit auto secrets

Author: t-aleksander

.github/workflows/build-ova.yml

@@ -63,11 +63,14 @@ jobs:
         env:
           PACKER_LOG: 1
         run: |
+          CORE_TAG="${{ github.event.inputs.core_tag }}"
+          PROXY_TAG="${{ github.event.inputs.proxy_tag }}"
+          GATEWAY_TAG="${{ github.event.inputs.gateway_tag }}"
           packer build \
             -var "iso_url=file://$PWD/ubuntu-24.04.4-live-server-amd64.iso" \
-            -var "core_tag=${{ github.event.inputs.core_tag }}" \
-            -var "proxy_tag=${{ github.event.inputs.proxy_tag }}" \
-            -var "gateway_tag=${{ github.event.inputs.gateway_tag }}" \
+            -var "core_tag=${CORE_TAG}" \
+            -var "proxy_tag=${PROXY_TAG}" \
+            -var "gateway_tag=${GATEWAY_TAG}" \
             defguard.pkr.hcl
 
       - name: Upload OVA to S3
@@ -84,3 +87,5 @@ jobs:
           ls -lh output/defguard/defguard.ova
           aws s3 cp output/defguard/defguard.ova "s3://defguard-downloads/ova/${FILENAME}"
           echo "Uploaded: s3://defguard-downloads/ova/${FILENAME}"
+          aws s3 cp output/defguard/defguard.ova "s3://defguard-downloads/ova/defguard-latest.ova" \
+            --cache-control "no-cache"

ova/defguard.pkr.hcl

@@ -95,21 +95,21 @@ build {
   provisioner "shell" {
     inline = [
       "sudo bash /tmp/docker-setup.sh",
-      "sudo mkdir -p /opt/defguard",
-      "sudo mv /tmp/docker-compose.yaml /opt/defguard/docker-compose.yaml",
-      "sudo mv /tmp/docker-compose.standalone.yaml /opt/defguard/docker-compose.standalone.yaml",
-      "sudo mv /tmp/generate-env.sh /opt/defguard/generate-env.sh",
-      "sudo chmod +x /opt/defguard/generate-env.sh",
-      "sudo mv /tmp/start.sh /opt/defguard/start.sh",
-      "sudo chmod +x /opt/defguard/start.sh",
-      "echo 'DEFGUARD_CORE_TAG=${var.core_tag}' | sudo tee /opt/defguard/.image-tags > /dev/null",
-      "echo 'DEFGUARD_PROXY_TAG=${var.proxy_tag}' | sudo tee -a /opt/defguard/.image-tags > /dev/null",
-      "echo 'DEFGUARD_GATEWAY_TAG=${var.gateway_tag}' | sudo tee -a /opt/defguard/.image-tags > /dev/null",
+      "sudo mkdir -p /opt/stacks/defguard",
+      "sudo mv /tmp/docker-compose.yaml /opt/stacks/defguard/docker-compose.yaml",
+      "sudo mv /tmp/docker-compose.standalone.yaml /opt/stacks/defguard/docker-compose.standalone.yaml",
+      "sudo mv /tmp/generate-env.sh /opt/stacks/defguard/generate-env.sh",
+      "sudo chmod +x /opt/stacks/defguard/generate-env.sh",
+      "sudo mv /tmp/start.sh /opt/stacks/defguard/start.sh",
+      "sudo chmod +x /opt/stacks/defguard/start.sh",
+      "echo 'DEFGUARD_CORE_TAG=${var.core_tag}' | sudo tee /opt/stacks/defguard/.image-tags > /dev/null",
+      "echo 'DEFGUARD_PROXY_TAG=${var.proxy_tag}' | sudo tee -a /opt/stacks/defguard/.image-tags > /dev/null",
+      "echo 'DEFGUARD_GATEWAY_TAG=${var.gateway_tag}' | sudo tee -a /opt/stacks/defguard/.image-tags > /dev/null",
       "sudo mv /tmp/99-defguard.cfg /etc/cloud/cloud.cfg.d/99-defguard.cfg",
       "sudo mv /tmp/defguard-init.service /etc/systemd/system/defguard-init.service",
       "sudo systemctl daemon-reload",
       "sudo systemctl enable docker.service",
-      "sudo chown -R ubuntu:ubuntu /opt/defguard",
+      "sudo chown -R ubuntu:ubuntu /opt/stacks/defguard",
       "sudo rm -f /etc/netplan/00-installer-config.yaml /etc/netplan/50-cloud-init.yaml",
       "sudo cloud-init clean --logs",
       "sudo rm -f /etc/ssh/ssh_host_*",

ova/files/defguard-init.service

@@ -5,8 +5,8 @@ Wants=network-online.target docker.service
 
 [Service]
 Type=oneshot
-WorkingDirectory=/opt/defguard
+WorkingDirectory=/opt/stacks/defguard
 StandardOutput=append:/var/log/defguard-startup.log
 StandardError=append:/var/log/defguard-startup.log
-ExecStart=/bin/bash /opt/defguard/generate-env.sh
-ExecStart=/bin/bash /opt/defguard/start.sh
+ExecStart=/bin/bash /opt/stacks/defguard/generate-env.sh
+ExecStart=/bin/bash /opt/stacks/defguard/start.sh

ova/files/docker-compose.standalone.yaml

@@ -1,6 +1,6 @@
 services:
   core:
-    restart: always
+    restart: unless-stopped
     profiles: [core]
     image: ghcr.io/defguard/defguard:${DEFGUARD_CORE_TAG:?DEFGUARD_CORE_TAG is required}
     env_file: .env
@@ -13,7 +13,7 @@ services:
       - "8000:8000"
 
   edge:
-    restart: always
+    restart: unless-stopped
     profiles: [edge]
     image: ghcr.io/defguard/defguard-proxy:${DEFGUARD_PROXY_TAG:?DEFGUARD_PROXY_TAG is required}
     volumes:
@@ -23,7 +23,7 @@ services:
       - "50051:50051"
 
   gateway:
-    restart: always
+    restart: unless-stopped
     profiles: [gateway]
     image: ghcr.io/defguard/gateway:${DEFGUARD_GATEWAY_TAG:?DEFGUARD_GATEWAY_TAG is required}
     cap_add:
@@ -35,25 +35,21 @@ services:
       DEFGUARD_STATS_PERIOD: 10
       HEALTH_PORT: 55003
 
-  npm:
-    image: "jc21/nginx-proxy-manager:2.14.0"
+  dockge:
+    image: louislam/dockge:1
     restart: unless-stopped
-    profiles: [edge, core]
-
+    profiles: [dockge]
     ports:
-      - "80:80" # HTTP Port
-      - "443:443" # HTTPS Port
-      - "81:81" # Admin Web Port
-
-    environment:
-      TZ: "UTC"
-
+      - "5001:5001"
     volumes:
-      - ./.volumes/npm/data:/data
-      - ./.volumes/npm/letsencrypt:/etc/letsencrypt
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./.volumes/dockge:/app/data
+      - /opt/stacks:/opt/stacks
+    environment:
+      DOCKGE_STACKS_DIR: /opt/stacks
 
   db:
-    restart: always
+    restart: unless-stopped
     profiles: [core]
     image: postgres:18-alpine
     env_file: .env

ova/files/docker-compose.yaml

@@ -1,6 +1,6 @@
 services:
   core:
-    restart: always
+    restart: unless-stopped
     image: ghcr.io/defguard/defguard:${DEFGUARD_CORE_TAG:?DEFGUARD_CORE_TAG is required}
     env_file: .env
     environment:
@@ -18,15 +18,15 @@ services:
       - "8000:8000"
 
   edge:
-    restart: always
+    restart: unless-stopped
     image: ghcr.io/defguard/defguard-proxy:${DEFGUARD_PROXY_TAG:?DEFGUARD_PROXY_TAG is required}
     volumes:
       - ./.volumes/certs/edge:/etc/defguard/certs
     ports:
       - "8080:8080"
 
   gateway:
-    restart: always
+    restart: unless-stopped
     image: ghcr.io/defguard/gateway:${DEFGUARD_GATEWAY_TAG:?DEFGUARD_GATEWAY_TAG is required}
     cap_add:
       - NET_ADMIN
@@ -37,24 +37,21 @@ services:
       HEALTH_PORT: 55003
     network_mode: "host"
 
-  npm:
-    image: "jc21/nginx-proxy-manager:2.14.0"
+  dockge:
+    image: louislam/dockge:1
     restart: unless-stopped
-
+    profiles: [dockge]
     ports:
-      - "80:80" # HTTP Port
-      - "443:443" # HTTPS Port
-      - "81:81" # Admin Web Port
-
-    environment:
-      TZ: "UTC"
-
+      - "5001:5001"
     volumes:
-      - ./.volumes/npm/data:/data
-      - ./.volumes/npm/letsencrypt:/etc/letsencrypt
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./.volumes/dockge:/app/data
+      - /opt/stacks:/opt/stacks
+    environment:
+      DOCKGE_STACKS_DIR: /opt/stacks
 
   db:
-    restart: always
+    restart: unless-stopped
     image: postgres:18-alpine
     env_file: .env
     volumes:

ova/files/generate-env.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
-# Generates /opt/defguard/.env with random secrets on first boot.
+# Generates /opt/stacks/defguard/.env with random secrets on first boot.
 # If .env already exists (e.g. provided via cloud-init), this script does nothing.
 
-ENV_FILE="/opt/defguard/.env"
+ENV_FILE="/opt/stacks/defguard/.env"
 
 if [ -f "$ENV_FILE" ]; then
   echo "DefGuard: .env already exists, skipping generation."
@@ -11,26 +11,19 @@ fi
 
 echo "DefGuard: generating .env with random secrets..."
 
-DEFGUARD_SECRET_KEY=$(openssl rand -hex 32)
-DEFGUARD_AUTH_SECRET=$(openssl rand -hex 32)
-DEFGUARD_GATEWAY_SECRET=$(openssl rand -hex 32)
-DEFGUARD_YUBIBRIDGE_SECRET=$(openssl rand -hex 32)
 DB_PASSWORD=$(openssl rand -hex 16)
 
-if [ -f "/opt/defguard/.image-tags" ]; then
-  source "/opt/defguard/.image-tags"
+if [ -f "/opt/stacks/defguard/.image-tags" ]; then
+  source "/opt/stacks/defguard/.image-tags"
 fi
 
 : "${DEFGUARD_CORE_TAG:?DEFGUARD_CORE_TAG is required}"
 : "${DEFGUARD_PROXY_TAG:?DEFGUARD_PROXY_TAG is required}"
 : "${DEFGUARD_GATEWAY_TAG:?DEFGUARD_GATEWAY_TAG is required}"
 
 cat > "$ENV_FILE" <<EOF
-DEFGUARD_SECRET_KEY=${DEFGUARD_SECRET_KEY}
-DEFGUARD_AUTH_SECRET=${DEFGUARD_AUTH_SECRET}
-DEFGUARD_GATEWAY_SECRET=${DEFGUARD_GATEWAY_SECRET}
-DEFGUARD_YUBIBRIDGE_SECRET=${DEFGUARD_YUBIBRIDGE_SECRET}
 DEFGUARD_COOKIE_INSECURE=false
+
 DEFGUARD_DB_HOST=db
 DEFGUARD_DB_PORT=5432
 DEFGUARD_DB_USER=defguard
@@ -39,6 +32,7 @@ DEFGUARD_DB_NAME=defguard
 POSTGRES_USER=defguard
 POSTGRES_PASSWORD=${DB_PASSWORD}
 POSTGRES_DB=defguard
+
 DEFGUARD_CORE_TAG=${DEFGUARD_CORE_TAG}
 DEFGUARD_PROXY_TAG=${DEFGUARD_PROXY_TAG}
 DEFGUARD_GATEWAY_TAG=${DEFGUARD_GATEWAY_TAG}

ova/files/start.sh

@@ -1,21 +1,53 @@
 #!/bin/bash
 # Starts defguard via docker compose.
 # Default (no active-profiles file): starts the full all-in-one stack.
-# To select specific components, create /opt/defguard/active-profiles with a
+# To select specific components, create /opt/stacks/defguard/active-profiles with a
 # space or newline-separated list of profiles: core, gateway, edge
+#
+# To enable the Dockge docker management UI (port 5001), create the file:
+#   /opt/stacks/defguard/enable-docker-management
+# Example cloud-init:
+#   write_files:
+#     - path: /opt/stacks/defguard/enable-docker-management
+#       content: ""
 
-PROFILES_FILE="/opt/defguard/active-profiles"
+PROFILES_FILE="/opt/stacks/defguard/active-profiles"
+ENABLE_DOCKER_MGMT_FILE="/opt/stacks/defguard/enable-docker-management"
+
+# Append the dockge profile if the opt-in flag file is present
+_maybe_add_dockge() {
+  local profiles="$1"
+  if [ -f "$ENABLE_DOCKER_MGMT_FILE" ]; then
+    if [ -z "$profiles" ]; then
+      echo "dockge"
+    else
+      echo "${profiles},dockge"
+    fi
+  else
+    echo "$profiles"
+  fi
+}
 
 if [ ! -f "$PROFILES_FILE" ]; then
-  docker compose -f /opt/defguard/docker-compose.yaml up -d
+  COMPOSE_PROFILES=$(_maybe_add_dockge "")
+  if [ -n "$COMPOSE_PROFILES" ]; then
+    export COMPOSE_PROFILES
+  fi
+  docker compose -f /opt/stacks/defguard/docker-compose.yaml up -d
 else
   COMPOSE_PROFILES=$(tr '[:space:]' ',' < "$PROFILES_FILE" | tr -s ',' | sed 's/,$//')
   if [ -z "$COMPOSE_PROFILES" ]; then
     echo "Warning: $PROFILES_FILE is empty or contains only whitespace; starting full all-in-one stack."
-    unset COMPOSE_PROFILES
-    docker compose -f /opt/defguard/docker-compose.yaml up -d
+    COMPOSE_PROFILES=$(_maybe_add_dockge "")
+    if [ -n "$COMPOSE_PROFILES" ]; then
+      export COMPOSE_PROFILES
+    else
+      unset COMPOSE_PROFILES
+    fi
+    docker compose -f /opt/stacks/defguard/docker-compose.yaml up -d
   else
+    COMPOSE_PROFILES=$(_maybe_add_dockge "$COMPOSE_PROFILES")
     export COMPOSE_PROFILES
-    docker compose -f /opt/defguard/docker-compose.standalone.yaml up -d
+    docker compose -f /opt/stacks/defguard/docker-compose.standalone.yaml up -d
   fi
 fi