version: "3.9"
services:
  # XSS Hunter Express service
  xsshunterexpress:
    build: .
    environment:
      # [REQUIRED] The hostname/domain pointed to 
      # the IP of the server running this service. 
      # SSL will automatically be set up and
      #  renewed with LetsEncrypt.
      - HOSTNAME=your.host.name
      # THis hostname is where your JS is served out of
      - XSS_HOSTNAME=your.xss.domain
      # [REQUIRED] Email for SSL
      - SSL_CONTACT_EMAIL=YourEmail@gmail.com
      # Maximum XSS callback payload size
      # This includes the webpage screenshot, DOM HTML,
      # page text, and other metadata. Note that if the
      # payload is above this limit, you won't be notified
      # of the XSS firing.
      - MAX_PAYLOAD_UPLOAD_SIZE_MB=50
      # Whether or not to enable the web control panel
      # Set to "false" or remove to disable the web UI.
      # Useful for minimizing attack surface.
      - CONTROL_PANEL_ENABLED=true
      # Whether or not to enable email notifications via
      # SMTP for XSS payload fires.
      - SMTP_EMAIL_NOTIFICATIONS_ENABLED=true
      - SMTP_HOST=smtp.gmail.com
      - SMTP_PORT=465
      - SMTP_USE_TLS=true
      - SMTP_USERNAME=YourEmail@gmail.com
      - SMTP_PASSWORD=YourEmailPassword
      - SMTP_FROM_EMAIL=YourEmail@gmail.com
      - SMTP_RECEIVER_EMAIL=YourEmail@gmail.com
      # CLIENT ID FOR OAUTH LOGIN
      - CLIENT_ID=your_client_id
      - CLIENT_SECRET=your_client_secret
      # GENERATE A RANDOM LONG STRING FOR THIS
      - SESSION_SECRET_KEY=
      # THERE IS NO NEED TO MODIFY BELOW THIS LINE
      # ------------------------------------------
      # FEEL FREE, BUT KNOW WHAT YOU'RE DOING.
      # Where XSS screenshots are stored
      - SCREENSHOTS_DIR=/app/payload-fire-images
      - DATABASE_NAME=xsshunterexpress
      - DATABASE_USER=xsshunterexpress
      - DATABASE_PASSWORD=xsshunterexpress
      - DATABASE_HOST=postgresdb
      - NODE_ENV=production
      - USE_CLOUD_STORAGE=true
      - BUCKET_NAME=YourBucket
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Stores the SSL/TLS certificates and keys
      # in the "ssldata" directory.
      # Your certificates are automatically renewed
      # via LetsEncrypt, no extra work needed!
      - ./ssldata:/app/greenlock.d
      # Directory where payload fire images are stored.
      - ./payload-fire-images:/app/payload-fire-images
    # Comment out if you're using an external SQL
    # server and have commented out the DB section.
    depends_on:
      - postgresdb
  # Postgres server to store injection data (not including
  # screenshots which are stored separately).
  # NOTE: If you're using an external SQL server, you can comment
  # out this service.
  # WARNING: This database gives the "postgres" user admin priveleges
  # with a default password of "xsshunterexpress". Do not expose it
  # externally. If you do, be sure to change the password.
  postgresdb:
    image: postgres
    restart: always
    environment:
      # This is a volume mounted into the container
      # (see the directory ./postgres-db-data)
      # So the database will be persisted across
      # container deletion.
      PGDATA: /var/lib/postgresql/data/pgdata
      POSTGRES_USER: xsshunterexpress
      POSTGRES_DB: xsshunterexpress
      POSTGRES_PASSWORD: xsshunterexpress
    volumes:
      - ./postgres-db-data:/var/lib/postgresql/data/pgdata