Docker Compose#

Minimal docker-compose.yml#

# Minimal single-service deployment: one InfraGuard container publishing 443.
services:
  infraguard:
    # ':latest' is a floating tag, so a later pull can bring in different
    # code without any change to this file. Pin a release tag or a digest,
    # e.g. ghcr.io/whispergate/infraguard@sha256:<DIGEST_PLACEHOLDER>.
    image: ghcr.io/whispergate/infraguard:latest
    restart: unless-stopped
    ports:
      # No host IP prefix, so the port is published on every host interface.
      - "443:443"
    volumes:
      # Config and certs are bind-mounted read-only (:ro); only the named
      # volume at /data is writable from inside the container.
      - ./config:/config:ro
      # ./certs holds the TLS private key that .env points at
      # (INFRAGUARD_TLS_KEY); keep host permissions on it restrictive.
      - ./certs:/certs:ro
      - infraguard-data:/data
    # .env carries the upstream addresses and the alerting webhook URL;
    # keep it out of version control.
    env_file: .env
    environment:
      INFRAGUARD_CONFIG: /config/config.yaml

volumes:
  # Named volume with default settings; mounted at /data above.
  infraguard-data:

.env File#

# These are container paths: /certs and /data are the mounts declared in the
# compose file.
INFRAGUARD_TLS_CERT=/certs/fullchain.pem
INFRAGUARD_TLS_KEY=/certs/privkey.pem
INFRAGUARD_DB_PATH=/data/infraguard.db

# C2 upstreams
CS_UPSTREAM=https://10.0.0.1:443
MYTHIC_IP=10.0.0.2

# Phishing
# NOTE(review): with Compose's default networking, 127.0.0.1 here is the
# InfraGuard container itself, not the Docker host or another container.
# In the multi-service stack the GoPhish container is reachable by its
# service name (gophish) instead; confirm which address is intended.
GOPHISH_UPSTREAM=https://127.0.0.1:3333

# Alerting
# The webhook URL is a credential: anyone holding it can post to the channel.
# Keep this file out of version control and readable only by the deploy user.
DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...

Multi-Service Stack (C2 + Phishing)#

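# Two InfraGuard instances (C2 and phishing) in front of a GoPhish container.
# Both instances load the same .env, so the phishing instance also receives
# the C2 upstream addresses and the webhook URL; use per-service env files
# if that separation matters.
services:
  infraguard-c2:
    # ':latest' is a floating tag; pin a release tag or a digest, e.g.
    # ghcr.io/whispergate/infraguard@sha256:<DIGEST_PLACEHOLDER>.
    image: ghcr.io/whispergate/infraguard:latest
    ports: ["443:443"]
    volumes:
      # NOTE(review): this bind-mounts a single file. Editors that save by
      # replacing the file can leave the container reading the old copy, so
      # a SIGHUP reload may not see the edit; mounting the ./config
      # directory avoids that.
      - ./config/c2-config.yaml:/config/config.yaml:ro
      - ./certs:/certs:ro
      - ig-data:/data
    env_file: .env

  infraguard-phish:
    image: ghcr.io/whispergate/infraguard:latest
    ports: ["8443:443"]
    volumes:
      - ./config/phish-config.yaml:/config/config.yaml:ro
      - ./certs:/certs:ro
      - ig-phish-data:/data
    env_file: .env
    environment:
      # The sample .env sets GOPHISH_UPSTREAM to 127.0.0.1, which inside this
      # container is the container itself. GoPhish runs as a separate
      # service here, so address it by its Compose service name. Values
      # under 'environment' take precedence over 'env_file'.
      # NOTE(review): assumes the phishing config reads GOPHISH_UPSTREAM;
      # confirm against phish-config.yaml.
      GOPHISH_UPSTREAM: "https://gophish:3333"

  gophish:
    # No tag means ':latest'; pin a release tag or digest here as well.
    image: gophish/gophish
    # 'expose' does not publish to the host: port 3333 stays reachable only
    # from other containers on the Compose network.
    expose: ["3333"]

volumes:
  # Separate named volumes, so each instance keeps its own /data.
  ig-data:
  ig-phish-data: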

Hot Reload#

Edit config/config.yaml while running, then send SIGHUP:

# Sends SIGHUP to the 'infraguard' service defined in the minimal compose file.
# In the multi-service stack, name the instance to reload instead
# (infraguard-c2 or infraguard-phish).
docker compose kill -s HUP infraguard

InfraGuard reloads config without dropping existing connections. The database and in-memory whitelist are preserved across reloads.

API Port#

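The management API binds to 127.0.0.1:8080 inside the container. If you need to reach it from the host, expose it via a separate port mapping, and publish that mapping only on the host's loopback interface or a trusted network. Note that Docker forwards a published port to the container's network interface, not to its loopback, so the mapping below reaches the API only if it is configured to listen on a non-loopback address inside the container: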

ports:
  # Main HTTPS port; no host IP prefix, so published on all host interfaces.
  - "443:443"
  # The leading 127.0.0.1 binds the published port to the host's loopback
  # only. Without it the API would be published on every host interface.
  - "127.0.0.1:8080:8080"   # management API — do NOT expose publicly