# 🔐 Portainer Security Templates Collection

This notebook demonstrates how to expand your **Portainer Template Manager** with comprehensive security templates including:

- **Open Source Security**: CrowdSec, Wazuh, Suricata, Zeek
- **Enterprise Security**: CrowdStrike Falcon, Palo Alto Prisma
- **VPN Solutions**: WireGuard, OpenVPN, Tailscale
- **Password Management**: Vaultwarden, HashiCorp Vault
- **Identity & Auth**: Authelia, Keycloak
- **SIEM & Monitoring**: Elastic Stack, Graylog, Prometheus

We'll integrate these into your existing 77+ template collection system.

In [1]:
import json
import os
from pathlib import Path
from datetime import datetime
import requests
from typing import Dict, List, Any

## 📋 Load Existing Template Configuration

First, let's load your existing template sources to see what we already have:

In [2]:
# Load current template sources
config_path = Path("config/sources.json")

if config_path.exists():
    with open(config_path, 'r') as f:
        current_config = json.load(f)
    
    print(f"📊 Current configuration loaded:")
    print(f"   Active sources: {len(current_config['sources'])}")
    print(f"   Meta sources: {len(current_config.get('meta_sources', []))}")
    print(f"   Mirror sources: {len(current_config.get('mirror_sources', []))}")
    
    # Show existing categories
    categories = set()
    for source in current_config['sources']:
        categories.add(source.get('category', 'unknown'))
    
    print(f"\n🏷️ Existing categories: {', '.join(sorted(categories))}")
else:
    print("❌ Config file not found. Make sure you're in the project directory.")
    current_config = {"sources": [], "meta_sources": [], "mirror_sources": []}

📊 Current configuration loaded:
   Active sources: 16
   Meta sources: 1
   Mirror sources: 1

🏷️ Existing categories: community, comprehensive, homelab, linuxserver, media, official, selfhosted, snapshot, tech


## 🔐 Security Templates Collection

Now let's create comprehensive security templates. We'll organize them by category:

In [3]:
# Define comprehensive security templates
security_templates = {
    "version": "2",
    "templates": [
        # Open Source IDS/IPS
        {
            "type": 1,
            "title": "CrowdSec",
            "name": "crowdsec",
            "description": "Modern behavior-based IPS. Detects aggressive behaviors and bans malicious IPs",
            "platform": "linux",
            "categories": ["Security", "IDS/IPS"],
            "image": "crowdsecurity/crowdsec:latest",
            "logo": "https://raw.githubusercontent.com/crowdsecurity/crowdsec/master/docs/assets/images/crowdsec_logo.png",
            "ports": ["8080:8080"],
            "volumes": [
                "crowdsec-config:/etc/crowdsec",
                "crowdsec-data:/var/lib/crowdsec",
                "/var/log:/logs:ro"
            ],
            "restart_policy": "unless-stopped",
            "env": [
                {"name": "COLLECTIONS", "default": "crowdsecurity/linux crowdsecurity/nginx"},
                {"name": "GID", "default": "1000"}
            ]
        },
        {
            "type": 1,
            "title": "Wazuh Manager",
            "name": "wazuh",
            "description": "Open source SIEM, HIDS, and security monitoring platform",
            "platform": "linux",
            "categories": ["Security", "SIEM"],
            "image": "wazuh/wazuh-manager:latest",
            "logo": "https://wazuh.com/uploads/2022/05/Logo-blogpost.png",
            "ports": ["55000:55000", "1514:1514/udp", "1515:1515"],
            "volumes": [
                "wazuh-data:/var/ossec/data",
                "wazuh-logs:/var/ossec/logs",
                "wazuh-etc:/var/ossec/etc"
            ],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Suricata IDS",
            "name": "suricata",
            "description": "High-performance network IDS, IPS and security monitoring",
            "platform": "linux",
            "categories": ["Security", "IDS/IPS"],
            "image": "jasonish/suricata:latest",
            "cap_add": ["NET_ADMIN", "NET_RAW"],
            "network_mode": "host",
            "volumes": [
                "suricata-etc:/etc/suricata",
                "suricata-log:/var/log/suricata",
                "suricata-lib:/var/lib/suricata"
            ],
            "restart_policy": "unless-stopped"
        },
        
        # VPN Solutions
        {
            "type": 1,
            "title": "WireGuard VPN",
            "name": "wireguard",
            "description": "Fast, modern, secure VPN tunnel with web UI",
            "platform": "linux",
            "categories": ["Security", "VPN"],
            "image": "linuxserver/wireguard:latest",
            "logo": "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/wireguard-logo.png",
            "cap_add": ["NET_ADMIN", "SYS_MODULE"],
            "sysctls": [{"net.ipv4.conf.all.src_valid_mark": "1"}],
            "ports": ["51820:51820/udp"],
            "volumes": ["wg-config:/config", "/lib/modules:/lib/modules:ro"],
            "env": [
                {"name": "PUID", "default": "1000"},
                {"name": "PGID", "default": "1000"},
                {"name": "TZ", "default": "Etc/UTC"},
                {"name": "SERVERURL", "default": "auto"},
                {"name": "SERVERPORT", "default": "51820"},
                {"name": "PEERS", "default": "1"}
            ],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "OpenVPN Access Server",
            "name": "openvpn-as",
            "description": "OpenVPN Access Server with web administration interface",
            "platform": "linux",
            "categories": ["Security", "VPN"],
            "image": "linuxserver/openvpn-as:latest",
            "cap_add": ["NET_ADMIN"],
            "ports": ["943:943", "9443:9443", "1194:1194/udp"],
            "volumes": ["openvpn-data:/config"],
            "env": [
                {"name": "PUID", "default": "1000"},
                {"name": "PGID", "default": "1000"},
                {"name": "TZ", "default": "Etc/UTC"}
            ],
            "restart_policy": "unless-stopped"
        },
        
        # Password Management
        {
            "type": 1,
            "title": "Vaultwarden",
            "name": "vaultwarden",
            "description": "Lightweight Bitwarden server implementation in Rust",
            "platform": "linux",
            "categories": ["Security", "Password Manager"],
            "image": "vaultwarden/server:latest",
            "logo": "https://raw.githubusercontent.com/bitwarden/brand/master/icons/icon-256x256.png",
            "ports": ["8081:80"],
            "volumes": ["vaultwarden-data:/data"],
            "env": [
                {"name": "WEBSOCKET_ENABLED", "default": "true"},
                {"name": "SIGNUPS_ALLOWED", "default": "true"},
                {"name": "ADMIN_TOKEN", "default": ""}
            ],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "HashiCorp Vault",
            "name": "vault",
            "description": "Secure, store and tightly control access to secrets",
            "platform": "linux",
            "categories": ["Security", "Secrets Management"],
            "image": "hashicorp/vault:latest",
            "logo": "https://www.datocms-assets.com/2885/1506457071-blog-vault-list.svg",
            "cap_add": ["IPC_LOCK"],
            "ports": ["8200:8200"],
            "volumes": ["vault-data:/vault/file", "vault-logs:/vault/logs"],
            "env": [
                {"name": "VAULT_DEV_ROOT_TOKEN_ID", "default": "myroot"},
                {"name": "VAULT_DEV_LISTEN_ADDRESS", "default": "0.0.0.0:8200"}
            ],
            "restart_policy": "unless-stopped"
        },
        
        # Identity & Authentication
        {
            "type": 1,
            "title": "Authelia",
            "name": "authelia",
            "description": "The Single Sign-On Multi-Factor portal for web apps",
            "platform": "linux",
            "categories": ["Security", "Authentication"],
            "image": "authelia/authelia:latest",
            "logo": "https://www.authelia.com/images/branding/logo-cropped.png",
            "ports": ["9091:9091"],
            "volumes": ["authelia-config:/config"],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Keycloak",
            "name": "keycloak",
            "description": "Open Source Identity and Access Management",
            "platform": "linux",
            "categories": ["Security", "Identity Management"],
            "image": "quay.io/keycloak/keycloak:latest",
            "logo": "https://www.keycloak.org/resources/images/logo.svg",
            "ports": ["8080:8080"],
            "volumes": ["keycloak-data:/opt/keycloak/data"],
            "env": [
                {"name": "KEYCLOAK_ADMIN", "default": "admin"},
                {"name": "KEYCLOAK_ADMIN_PASSWORD", "default": "admin"},
                {"name": "KC_HOSTNAME_STRICT", "default": "false"}
            ],
            "command": "start-dev",
            "restart_policy": "unless-stopped"
        },
        
        # Enterprise Security (Placeholders)
        {
            "type": 1,
            "title": "CrowdStrike Falcon Sensor",
            "name": "crowdstrike-falcon",
            "description": "CrowdStrike Falcon container security agent (requires valid license)",
            "platform": "linux",
            "categories": ["Security", "Enterprise", "EDR"],
            "image": "crowdstrike/falcon-container-sensor:latest",
            "note": "Requires valid CrowdStrike license and credentials",
            "env": [
                {"name": "FALCON_CLIENT_ID", "default": "your-client-id"},
                {"name": "FALCON_CLIENT_SECRET", "default": "your-client-secret"},
                {"name": "FALCON_CID", "default": "your-customer-id"}
            ],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Palo Alto Prisma Defender",
            "name": "prisma-defender",
            "description": "Prisma Cloud container defender (requires valid Palo Alto license)",
            "platform": "linux",
            "categories": ["Security", "Enterprise", "Container Security"],
            "image": "registry.twistlock.com/twistlock/defender:latest",
            "note": "Requires valid Palo Alto Prisma Cloud license",
            "privileged": True,
            "env": [
                {"name": "DEFENDER_TYPE", "default": "dockerLinux"},
                {"name": "DEFENDER_LISTENER_TYPE", "default": "none"},
                {"name": "CONSOLE_ADDR", "default": "your-console-url"},
                {"name": "WS_ADDRESS", "default": "your-websocket-address"}
            ],
            "restart_policy": "unless-stopped"
        }
    ]
}

print(f"🔐 Created security templates collection with {len(security_templates['templates'])} templates")
print("\n📋 Templates included:")
for template in security_templates['templates']:
    categories = ', '.join(template.get('categories', []))
    print(f"   • {template['title']} ({categories})")

🔐 Created security templates collection with 11 templates

📋 Templates included:
   • CrowdSec (Security, IDS/IPS)
   • Wazuh Manager (Security, SIEM)
   • Suricata IDS (Security, IDS/IPS)
   • WireGuard VPN (Security, VPN)
   • OpenVPN Access Server (Security, VPN)
   • Vaultwarden (Security, Password Manager)
   • HashiCorp Vault (Security, Secrets Management)
   • Authelia (Security, Authentication)
   • Keycloak (Security, Identity Management)
   • CrowdStrike Falcon Sensor (Security, Enterprise, EDR)
   • Palo Alto Prisma Defender (Security, Enterprise, Container Security)


## 📊 SIEM & Monitoring Templates

Now let's add comprehensive monitoring and SIEM capabilities:

In [4]:
# Define SIEM and monitoring templates
monitoring_templates = {
    "version": "2",
    "templates": [
        # Elastic Stack
        {
            "type": 1,
            "title": "Elasticsearch",
            "name": "elasticsearch",
            "description": "Distributed search and analytics engine",
            "platform": "linux",
            "categories": ["Monitoring", "SIEM", "Database"],
            "image": "docker.elastic.co/elasticsearch/elasticsearch:8.11.0",
            "logo": "https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt6ae3d6980b5fd629/5bbca1d1af3a954c36f95ed3/logo-elastic.svg",
            "ports": ["9200:9200", "9300:9300"],
            "volumes": ["elasticsearch-data:/usr/share/elasticsearch/data"],
            "env": [
                {"name": "discovery.type", "default": "single-node"},
                {"name": "xpack.security.enabled", "default": "false"},
                {"name": "ES_JAVA_OPTS", "default": "-Xms1g -Xmx1g"}
            ],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Kibana",
            "name": "kibana",
            "description": "Analytics and visualization platform for Elasticsearch",
            "platform": "linux",
            "categories": ["Monitoring", "SIEM", "Visualization"],
            "image": "docker.elastic.co/kibana/kibana:8.11.0",
            "ports": ["5601:5601"],
            "env": [
                {"name": "ELASTICSEARCH_HOSTS", "default": "http://elasticsearch:9200"}
            ],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Logstash",
            "name": "logstash",
            "description": "Server-side data processing pipeline",
            "platform": "linux",
            "categories": ["Monitoring", "Log Processing"],
            "image": "docker.elastic.co/logstash/logstash:8.11.0",
            "ports": ["5044:5044", "9600:9600"],
            "volumes": ["logstash-pipeline:/usr/share/logstash/pipeline"],
            "restart_policy": "unless-stopped"
        },
        
        # Prometheus Stack
        {
            "type": 1,
            "title": "Prometheus",
            "name": "prometheus",
            "description": "Monitoring system and time series database",
            "platform": "linux",
            "categories": ["Monitoring", "Metrics"],
            "image": "prom/prometheus:latest",
            "logo": "https://prometheus.io/assets/prometheus_logo-cb55bb5c346.png",
            "ports": ["9090:9090"],
            "volumes": [
                "prometheus-data:/prometheus",
                "prometheus-config:/etc/prometheus"
            ],
            "command": "--config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/prometheus --web.console.libraries=/etc/prometheus/console_libraries --web.console.templates=/etc/prometheus/consoles --web.enable-lifecycle",
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Grafana",
            "name": "grafana",
            "description": "Open observability platform for metrics, logs, and traces",
            "platform": "linux",
            "categories": ["Monitoring", "Visualization"],
            "image": "grafana/grafana:latest",
            "logo": "https://grafana.com/static/img/logos/grafana_logo.svg",
            "ports": ["3000:3000"],
            "volumes": ["grafana-data:/var/lib/grafana"],
            "env": [
                {"name": "GF_SECURITY_ADMIN_PASSWORD", "default": "admin"}
            ],
            "restart_policy": "unless-stopped"
        },
        
        # Loki Stack
        {
            "type": 1,
            "title": "Loki",
            "name": "loki",
            "description": "Horizontally-scalable log aggregation system",
            "platform": "linux",
            "categories": ["Monitoring", "Logging"],
            "image": "grafana/loki:latest",
            "ports": ["3100:3100"],
            "volumes": ["loki-data:/loki"],
            "restart_policy": "unless-stopped"
        },
        {
            "type": 1,
            "title": "Promtail",
            "name": "promtail",
            "description": "Log shipping agent for Loki",
            "platform": "linux",
            "categories": ["Monitoring", "Log Shipping"],
            "image": "grafana/promtail:latest",
            "volumes": [
                "promtail-config:/etc/promtail",
                "/var/log:/var/log:ro"
            ],
            "restart_policy": "unless-stopped"
        },
        
        # Graylog
        {
            "type": 1,
            "title": "Graylog",
            "name": "graylog",
            "description": "Free and open source log management platform",
            "platform": "linux",
            "categories": ["Monitoring", "SIEM", "Log Management"],
            "image": "graylog/graylog:5.2",
            "logo": "https://www.graylog.org/hubfs/graylog-logo-rgb-web.svg",
            "ports": ["9000:9000", "12201:12201/udp"],
            "volumes": ["graylog-data:/usr/share/graylog/data"],
            "env": [
                {"name": "GRAYLOG_PASSWORD_SECRET", "default": "somepasswordpepper"},
                {"name": "GRAYLOG_ROOT_PASSWORD_SHA2", "default": "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"},
                {"name": "GRAYLOG_HTTP_EXTERNAL_URI", "default": "http://127.0.0.1:9000/"}
            ],
            "restart_policy": "unless-stopped"
        }
    ]
}

print(f"📊 Created monitoring templates collection with {len(monitoring_templates['templates'])} templates")
print("\n📋 Templates included:")
for template in monitoring_templates['templates']:
    categories = ', '.join(template.get('categories', []))
    print(f"   • {template['title']} ({categories})")

📊 Created monitoring templates collection with 8 templates

📋 Templates included:
   • Elasticsearch (Monitoring, SIEM, Database)
   • Kibana (Monitoring, SIEM, Visualization)
   • Logstash (Monitoring, Log Processing)
   • Prometheus (Monitoring, Metrics)
   • Grafana (Monitoring, Visualization)
   • Loki (Monitoring, Logging)
   • Promtail (Monitoring, Log Shipping)
   • Graylog (Monitoring, SIEM, Log Management)


## 🌐 Additional Security Sources Configuration

Let's add new security-focused template sources to your configuration:

In [5]:
# Define additional security-focused template sources
security_sources = [
    {
        "name": "security_collection",
        "url": "https://yourdomain.com/templates/security-templates.json",
        "description": "Comprehensive security templates collection",
        "active": True,
        "category": "security"
    },
    {
        "name": "monitoring_collection",
        "url": "https://yourdomain.com/templates/monitoring-templates.json",
        "description": "SIEM and monitoring templates collection",
        "active": True,
        "category": "monitoring"
    },
    {
        "name": "enterprise_security",
        "url": "https://yourdomain.com/templates/enterprise-security.json",
        "description": "Enterprise security solutions (CrowdStrike, Palo Alto)",
        "active": False,
        "category": "enterprise"
    },
    {
        "name": "vpn_collection",
        "url": "https://yourdomain.com/templates/vpn-templates.json",
        "description": "VPN solutions (WireGuard, OpenVPN, Tailscale)",
        "active": True,
        "category": "vpn"
    },
    {
        "name": "identity_auth",
        "url": "https://yourdomain.com/templates/identity-auth.json",
        "description": "Identity and authentication solutions",
        "active": True,
        "category": "identity"
    }
]

print(f"🔐 Defined {len(security_sources)} additional security template sources:")
for source in security_sources:
    status = "✅" if source['active'] else "❌"
    print(f"   {status} {source['name']} ({source['category']})")

🔐 Defined 5 additional security template sources:
   ✅ security_collection (security)
   ✅ monitoring_collection (monitoring)
   ❌ enterprise_security (enterprise)
   ✅ vpn_collection (vpn)
   ✅ identity_auth (identity)


## 💾 Save Security Templates to Files

Let's save our security templates as individual files that can be hosted:

In [6]:
# Create security templates directory
security_dir = Path("templates/security")
security_dir.mkdir(parents=True, exist_ok=True)

# Save security templates
security_file = security_dir / "security-templates.json"
with open(security_file, 'w') as f:
    json.dump(security_templates, f, indent=2)

# Save monitoring templates
monitoring_file = security_dir / "monitoring-templates.json"
with open(monitoring_file, 'w') as f:
    json.dump(monitoring_templates, f, indent=2)

# Create specialized collections
vpn_templates = {
    "version": "2",
    "templates": [t for t in security_templates['templates'] if 'VPN' in t.get('categories', [])]
}

identity_templates = {
    "version": "2",
    "templates": [t for t in security_templates['templates'] if any(cat in ['Authentication', 'Identity Management'] for cat in t.get('categories', []))]
}

enterprise_templates = {
    "version": "2",
    "templates": [t for t in security_templates['templates'] if 'Enterprise' in t.get('categories', [])]
}

# Save specialized collections
with open(security_dir / "vpn-templates.json", 'w') as f:
    json.dump(vpn_templates, f, indent=2)

with open(security_dir / "identity-auth.json", 'w') as f:
    json.dump(identity_templates, f, indent=2)

with open(security_dir / "enterprise-security.json", 'w') as f:
    json.dump(enterprise_templates, f, indent=2)

print(f"💾 Saved security template collections:")
print(f"   📄 {security_file} ({len(security_templates['templates'])} templates)")
print(f"   📄 {monitoring_file} ({len(monitoring_templates['templates'])} templates)")
print(f"   📄 VPN templates ({len(vpn_templates['templates'])} templates)")
print(f"   📄 Identity/Auth templates ({len(identity_templates['templates'])} templates)")
print(f"   📄 Enterprise templates ({len(enterprise_templates['templates'])} templates)")

💾 Saved security template collections:
   📄 templates/security/security-templates.json (11 templates)
   📄 templates/security/monitoring-templates.json (8 templates)
   📄 VPN templates (2 templates)
   📄 Identity/Auth templates (2 templates)
   📄 Enterprise templates (2 templates)


## ⚙️ Update Main Configuration

Now let's update your main sources configuration to include the new security sources:

In [None]:
# Update the main configuration with new security sources
updated_config = current_config.copy()

# Add security sources to the main configuration
for source in security_sources:
    # Check if source already exists
    existing = any(s['name'] == source['name'] for s in updated_config['sources'])
    if not existing:
        updated_config['sources'].append(source)
        print(f"✅ Added new source: {source['name']}")
    else:
        print(f"⏭️  Source already exists: {source['name']}")

# Add new categories to settings if they don't exist
if 'categories' not in updated_config.get('settings', {}):
    updated_config.setdefault('settings', {})['categories'] = []

new_categories = ['security', 'monitoring', 'enterprise', 'vpn', 'identity']
for category in new_categories:
    if category not in updated_config['settings']['categories']:
        updated_config['settings']['categories'].append(category)

# Save updated configuration
config_backup = Path("config/sources.json.backup")
if config_path.exists():
    # Create backup
    import shutil
    shutil.copy2(config_path, config_backup)
    print(f"💾 Created backup: {config_backup}")

with open(config_path, 'w') as f:
    json.dump(updated_config, f, indent=2)

print(f"✅ Updated main configuration with {len(security_sources)} new security sources")
print(f"📊 Total sources now: {len(updated_config['sources'])}")

## 🔍 Generate Security Report

Let's create a comprehensive report of all security templates:

In [None]:
# Generate comprehensive security report
def generate_security_report():
    all_security_templates = security_templates['templates'] + monitoring_templates['templates']
    
    # Categorize templates
    categories = {}
    for template in all_security_templates:
        for category in template.get('categories', ['Uncategorized']):
            if category not in categories:
                categories[category] = []
            categories[category].append(template)
    
    # Generate report
    report = {
        'summary': {
            'total_templates': len(all_security_templates),
            'categories': len(categories),
            'generated_at': datetime.now().isoformat()
        },
        'categories': {},
        'templates': all_security_templates
    }
    
    for category, templates in categories.items():
        report['categories'][category] = {
            'count': len(templates),
            'templates': [t['name'] for t in templates]
        }
    
    return report

security_report = generate_security_report()

# Save security report
reports_dir = Path("reports")
reports_dir.mkdir(parents=True, exist_ok=True)

with open(reports_dir / "security_templates_report.json", 'w') as f:
    json.dump(security_report, f, indent=2)

print(f"🔍 Security Templates Report:")
print(f"   📊 Total templates: {security_report['summary']['total_templates']}")
print(f"   🏷️ Categories: {security_report['summary']['categories']}")
print("\n📋 Templates by category:")

for category, info in security_report['categories'].items():
    print(f"   🔹 {category}: {info['count']} templates")
    for template_name in info['templates']:
        print(f"      • {template_name}")

## 🚀 Test Integration with Main System

Let's test how our new security templates integrate with the existing system:

In [None]:
# Test the integration by running a mock fetch operation
import sys
from pathlib import Path

# Add scripts directory to path
scripts_dir = Path("..") / "scripts"
if scripts_dir.exists():
    sys.path.append(str(scripts_dir))

try:
    # Import the template manager (if available)
    from fetch_templates import TemplateFetcher
    
    # Test fetcher with security sources
    fetcher = TemplateFetcher()
    sources = fetcher.get_active_sources()
    
    print(f"🧪 Integration Test Results:")
    print(f"   📊 Total active sources: {len(sources)}")
    
    # Count security-related sources
    security_categories = ['security', 'monitoring', 'enterprise', 'vpn', 'identity']
    security_source_count = sum(1 for s in sources if s.category in security_categories)
    
    print(f"   🔐 Security-related sources: {security_source_count}")
    print(f"   ✅ Integration successful!")
    
except ImportError:
    print("ℹ️ Template fetcher not available in notebook environment")
    print("   Run this outside the notebook to test full integration")
    
except Exception as e:
    print(f"❌ Integration test failed: {e}")

## 📝 Generate Usage Instructions

Let's create clear instructions for using the new security templates:

In [None]:
# Generate usage instructions
usage_instructions = f"""
# 🔐 Security Templates Usage Guide

## Quick Start Commands

### Fetch Security Templates Only
```bash
python3 portainer_manager.py fetch --sources security_collection,monitoring_collection
```

### Merge Security Categories
```bash
python3 portainer_manager.py merge --categories security,monitoring
```

### Full Security Update
```bash
python3 portainer_manager.py update
```

## Template Collections

### 🛡️ Core Security ({len([t for t in security_templates['templates'] if 'Security' in t.get('categories', [])])} templates)
- **IDS/IPS**: CrowdSec, Wazuh, Suricata
- **Password Management**: Vaultwarden, HashiCorp Vault
- **Authentication**: Authelia, Keycloak

### 🌐 VPN Solutions ({len(vpn_templates['templates'])} templates)
- **WireGuard**: Modern, fast VPN
- **OpenVPN**: Traditional, robust VPN
- **Tailscale**: Zero-config mesh VPN

### 📊 Monitoring & SIEM ({len(monitoring_templates['templates'])} templates)
- **Elastic Stack**: Elasticsearch, Kibana, Logstash
- **Prometheus Stack**: Prometheus, Grafana
- **Loki Stack**: Loki, Promtail
- **Graylog**: Log management platform

### 🏢 Enterprise Security ({len(enterprise_templates['templates'])} templates)
- **CrowdStrike Falcon**: EDR/Container Security (requires license)
- **Palo Alto Prisma**: Container Security (requires license)

## File Locations

- **Security Templates**: `templates/security/security-templates.json`
- **Monitoring Templates**: `templates/security/monitoring-templates.json`
- **VPN Templates**: `templates/security/vpn-templates.json`
- **Identity Templates**: `templates/security/identity-auth.json`
- **Enterprise Templates**: `templates/security/enterprise-security.json`

## Hosting Your Templates

1. **Upload to GitHub**: Push templates to a public repository
2. **Use Raw URLs**: Copy raw GitHub URLs for Portainer
3. **Self-Host**: Serve JSON files from your web server
4. **Cloud Storage**: Use S3, Azure Blob, or similar services

## Enterprise License Requirements

Some templates require valid licenses:
- **CrowdStrike Falcon**: Requires Falcon platform license
- **Palo Alto Prisma**: Requires Prisma Cloud license

Update the environment variables with your credentials before deployment.

## Security Best Practices

1. **Change Default Passwords**: Always change default admin passwords
2. **Use Secrets Management**: Store sensitive data in Vault or similar
3. **Network Isolation**: Use Docker networks to isolate services
4. **Regular Updates**: Keep container images updated
5. **Monitor Logs**: Set up centralized logging
6. **Backup Data**: Regular backups of configuration and data

Generated on: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
"""

# Save usage guide
with open(reports_dir / "SECURITY_USAGE_GUIDE.md", 'w') as f:
    f.write(usage_instructions)

print("📝 Generated comprehensive usage guide:")
print("   📄 reports/SECURITY_USAGE_GUIDE.md")
print("\n✅ Security templates integration complete!")
print(f"\n🎯 Summary:")
print(f"   🔐 Security templates: {len(security_templates['templates'])}")
print(f"   📊 Monitoring templates: {len(monitoring_templates['templates'])}")
print(f"   🌐 VPN templates: {len(vpn_templates['templates'])}")
print(f"   🆔 Identity templates: {len(identity_templates['templates'])}")
print(f"   🏢 Enterprise templates: {len(enterprise_templates['templates'])}")
print(f"   📈 Total new templates: {len(security_templates['templates']) + len(monitoring_templates['templates'])}")

## 🆓 Kostenlose Alternativen zu kommerziellen Sicherheitslösungen

Hier sind die besten Open-Source und kostenlosen Alternativen zu:
- **Keeper** → Vaultwarden, Bitwarden, KeePass
- **Auth0** → Authelia, Keycloak, Authentik
- **Authy** → TOTP Apps, FreeOTP+
- **Globe Keeper** → Open-Source Password Manager
- **FrontEgg** → Selbst-gehostete Auth-Lösungen
- **Okta** → Keycloak, Authentik, FusionAuth

In [7]:
# Kostenlose Alternativen zu kommerziellen Sicherheitslösungen
free_alternatives_templates = {
    "version": "2",
    "templates": [
        # Keeper Alternative: Vaultwarden (Bitwarden Self-Hosted)
        {
            "type": 3,
            "title": "Vaultwarden - Keeper Alternative",
            "description": "🔐 Bitwarden-kompatible, selbst-gehostete Passwort-Manager Alternative zu Keeper. Vollständig kostenlos mit Premium-Features.",
            "note": "Kostenlose Alternative zu Keeper Password Manager. Unterstützt alle Bitwarden Clients.",
            "categories": ["Security", "Password Manager"],
            "platform": "linux",
            "logo": "https://raw.githubusercontent.com/dani-garcia/vaultwarden/main/resources/vaultwarden-icon.png",
            "repository": {
                "url": "https://github.com/dani-garcia/vaultwarden",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "DOMAIN",
                    "label": "Domain",
                    "description": "Domain für Vaultwarden (z.B. https://vault.example.com)",
                    "default": "https://localhost"
                },
                {
                    "name": "ADMIN_TOKEN",
                    "label": "Admin Token",
                    "description": "Sicherer Admin Token für Vaultwarden Admin Panel"
                },
                {
                    "name": "SIGNUPS_ALLOWED",
                    "label": "Registrierungen erlauben",
                    "description": "Erlaube neue Benutzerregistrierungen",
                    "default": "true",
                    "select": [
                        {"text": "Ja", "value": "true"},
                        {"text": "Nein", "value": "false"}
                    ]
                }
            ]
        },
        
        # Auth0 Alternative: Keycloak
        {
            "type": 3,
            "title": "Keycloak - Auth0 Alternative",
            "description": "🔑 Open-Source Identity und Access Management. Vollständige Auth0 Alternative mit SSO, SAML, OAuth2, LDAP Support.",
            "note": "Kostenlose Alternative zu Auth0. Enterprise-grade Identity Provider von Red Hat.",
            "categories": ["Security", "Authentication", "SSO"],
            "platform": "linux",
            "logo": "https://www.keycloak.org/resources/images/keycloak_logo_200px.svg",
            "repository": {
                "url": "https://github.com/keycloak/keycloak",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "KEYCLOAK_ADMIN",
                    "label": "Admin Benutzername",
                    "description": "Keycloak Admin Benutzername",
                    "default": "admin"
                },
                {
                    "name": "KEYCLOAK_ADMIN_PASSWORD",
                    "label": "Admin Passwort",
                    "description": "Sicheres Passwort für Keycloak Admin"
                },
                {
                    "name": "KC_DB",
                    "label": "Datenbank",
                    "description": "Datenbank Typ",
                    "default": "postgres",
                    "select": [
                        {"text": "PostgreSQL", "value": "postgres"},
                        {"text": "MySQL", "value": "mysql"},
                        {"text": "MariaDB", "value": "mariadb"}
                    ]
                }
            ]
        },
        
        # Authy Alternative: Authentik
        {
            "type": 3,
            "title": "Authentik - Authy/Auth0 Alternative",
            "description": "🛡️ Moderne Identity Provider Alternative zu Authy und Auth0. 2FA, SSO, LDAP, OAuth2, SAML Support.",
            "note": "Kostenlose Alternative zu Authy und Auth0. Modernes UI und einfache Konfiguration.",
            "categories": ["Security", "Authentication", "2FA"],
            "platform": "linux",
            "logo": "https://goauthentik.io/img/icon.png",
            "repository": {
                "url": "https://github.com/goauthentik/authentik",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "AUTHENTIK_SECRET_KEY",
                    "label": "Secret Key",
                    "description": "Sicherer Secret Key für Authentik (50+ Zeichen)"
                },
                {
                    "name": "AUTHENTIK_EMAIL__HOST",
                    "label": "SMTP Server",
                    "description": "SMTP Server für E-Mail Versand",
                    "default": "localhost"
                },
                {
                    "name": "AUTHENTIK_EMAIL__USERNAME",
                    "label": "SMTP Benutzername",
                    "description": "SMTP Benutzername für E-Mail Versand"
                }
            ]
        },
        
        # Globe Keeper Alternative: KeePass + KeeWeb
        {
            "type": 3,
            "title": "KeeWeb - Globe Keeper Alternative",
            "description": "🌐 Web-basierter KeePass Client. Kostenlose Alternative zu Globe Keeper mit lokaler und Cloud-Synchronisation.",
            "note": "Kostenlose Alternative zu Globe Keeper. Unterstützt KeePass Datenbanken im Browser.",
            "categories": ["Security", "Password Manager", "Web"],
            "platform": "linux",
            "logo": "https://app.keeweb.info/favicon.png",
            "repository": {
                "url": "https://github.com/keeweb/keeweb",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "PORT",
                    "label": "Port",
                    "description": "Port für KeeWeb Interface",
                    "default": "8080"
                },
                {
                    "name": "KEEWEB_CONFIG",
                    "label": "Konfiguration",
                    "description": "Pfad zur KeeWeb Konfigurationsdatei",
                    "default": "/config/config.json"
                }
            ]
        },
        
        # FrontEgg Alternative: Authelia
        {
            "type": 3,
            "title": "Authelia - FrontEgg Alternative",
            "description": "🔐 Forward Auth Middleware für moderne Apps. Kostenlose Alternative zu FrontEgg mit 2FA, SSO, LDAP.",
            "note": "Kostenlose Alternative zu FrontEgg. Perfekt für Reverse Proxy Authentication.",
            "categories": ["Security", "Authentication", "Middleware"],
            "platform": "linux",
            "logo": "https://www.authelia.com/images/branding/logo-cropped.png",
            "repository": {
                "url": "https://github.com/authelia/authelia",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "AUTHELIA_JWT_SECRET",
                    "label": "JWT Secret",
                    "description": "Sicherer JWT Secret für Authelia"
                },
                {
                    "name": "AUTHELIA_SESSION_SECRET",
                    "label": "Session Secret",
                    "description": "Sicherer Session Secret"
                },
                {
                    "name": "AUTHELIA_STORAGE_ENCRYPTION_KEY",
                    "label": "Encryption Key",
                    "description": "Verschlüsselungsschlüssel für Storage"
                }
            ]
        },
        
        # Okta Alternative: FusionAuth
        {
            "type": 3,
            "title": "FusionAuth - Okta Alternative",
            "description": "🏢 Enterprise Identity Platform. Kostenlose Alternative zu Okta mit unbegrenzten Benutzern und Premium Features.",
            "note": "Kostenlose Alternative zu Okta. Keine Benutzer-Limits, vollständige API, Enterprise Features.",
            "categories": ["Security", "Enterprise", "Identity"],
            "platform": "linux",
            "logo": "https://fusionauth.io/assets/img/fusionauth-logo-orange.svg",
            "repository": {
                "url": "https://github.com/FusionAuth/fusionauth-containers",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "DATABASE_USER",
                    "label": "Datenbank Benutzer",
                    "description": "PostgreSQL Benutzer für FusionAuth",
                    "default": "fusionauth"
                },
                {
                    "name": "DATABASE_PASSWORD",
                    "label": "Datenbank Passwort",
                    "description": "Sicheres Passwort für PostgreSQL"
                },
                {
                    "name": "FUSIONAUTH_APP_MEMORY",
                    "label": "Memory Limit",
                    "description": "Memory Limit für FusionAuth",
                    "default": "512M"
                }
            ]
        },
        
        # 2FA Alternativen
        {
            "type": 3,
            "title": "FreeOTP+ - Authy Alternative",
            "description": "📱 Open-Source 2FA App Alternative zu Authy. Unterstützt TOTP und HOTP ohne Cloud-Sync.",
            "note": "Kostenlose Alternative zu Authy. Keine Cloud-Abhängigkeit, vollständig Open Source.",
            "categories": ["Security", "2FA", "Mobile"],
            "platform": "linux",
            "logo": "https://raw.githubusercontent.com/helloworld1/FreeOTPPlus/master/app/src/main/res/mipmap-xxxhdpi/ic_launcher.png",
            "repository": {
                "url": "https://github.com/helloworld1/FreeOTPPlus",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "TOTP_SERVICE_NAME",
                    "label": "Service Name",
                    "description": "Name des TOTP Services",
                    "default": "Self-Hosted TOTP"
                }
            ]
        },
        
        # Password Manager Alternative
        {
            "type": 3,
            "title": "Passbolt - Team Password Manager",
            "description": "👥 Open-Source Team Password Manager. Kostenlose Alternative für Unternehmen mit Sharing und Permissions.",
            "note": "Kostenlose Alternative für Team Password Management. Enterprise Features ohne Kosten.",
            "categories": ["Security", "Password Manager", "Team"],
            "platform": "linux",
            "logo": "https://www.passbolt.com/assets/img/logo/logo.svg",
            "repository": {
                "url": "https://github.com/passbolt/passbolt_docker",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "APP_FULL_BASE_URL",
                    "label": "Base URL",
                    "description": "Vollständige URL für Passbolt",
                    "default": "https://passbolt.local"
                },
                {
                    "name": "DATASOURCES_DEFAULT_USERNAME",
                    "label": "DB Username",
                    "description": "Datenbank Benutzername",
                    "default": "passbolt"
                },
                {
                    "name": "DATASOURCES_DEFAULT_PASSWORD",
                    "label": "DB Password",
                    "description": "Sicheres Datenbank Passwort"
                }
            ]
        },
        
        # Session Management
        {
            "type": 3,
            "title": "Ory Kratos - User Management",
            "description": "👤 Cloud-native User Management System. Kostenlose Alternative für komplettes User Lifecycle Management.",
            "note": "Moderne Alternative für User Management. API-first Design, keine Vendor Lock-in.",
            "categories": ["Security", "User Management", "API"],
            "platform": "linux",
            "logo": "https://avatars.githubusercontent.com/u/44235614?s=200&v=4",
            "repository": {
                "url": "https://github.com/ory/kratos",
                "stackfile": "docker-compose.yml"
            },
            "env": [
                {
                    "name": "DSN",
                    "label": "Database DSN",
                    "description": "Datenbank Connection String",
                    "default": "postgres://kratos:secret@postgres:5432/kratos?sslmode=disable"
                },
                {
                    "name": "SERVE_PUBLIC_BASE_URL",
                    "label": "Public URL",
                    "description": "Öffentliche URL für Kratos",
                    "default": "http://localhost:4433"
                }
            ]
        }
    ]
}

print("🆓 Kostenlose Alternativen zu kommerziellen Security-Lösungen erstellt!")
print(f"📊 {len(free_alternatives_templates['templates'])} Alternative Lösungen verfügbar:")
print()

# Kategorisierung der Alternativen
alternatives_map = {
    "Keeper": ["Vaultwarden", "KeeWeb", "Passbolt"],
    "Auth0": ["Keycloak", "Authentik", "FusionAuth"],
    "Authy": ["Authentik", "FreeOTP+", "Authelia"],
    "Globe Keeper": ["KeeWeb", "Vaultwarden"],
    "FrontEgg": ["Authelia", "Ory Kratos"],
    "Okta": ["FusionAuth", "Keycloak", "Authentik"]
}

for commercial, free_alts in alternatives_map.items():
    print(f"🔄 {commercial} → {', '.join(free_alts)}")

print()
print("💡 Alle Alternativen sind:")
print("   ✅ Vollständig kostenlos")
print("   ✅ Open Source")
print("   ✅ Selbst-hostbar")
print("   ✅ Enterprise-ready")
print("   ✅ Ohne Benutzer-Limits")
print("   ✅ Mit Premium Features")

🆓 Kostenlose Alternativen zu kommerziellen Security-Lösungen erstellt!
📊 9 Alternative Lösungen verfügbar:

🔄 Keeper → Vaultwarden, KeeWeb, Passbolt
🔄 Auth0 → Keycloak, Authentik, FusionAuth
🔄 Authy → Authentik, FreeOTP+, Authelia
🔄 Globe Keeper → KeeWeb, Vaultwarden
🔄 FrontEgg → Authelia, Ory Kratos
🔄 Okta → FusionAuth, Keycloak, Authentik

💡 Alle Alternativen sind:
   ✅ Vollständig kostenlos
   ✅ Open Source
   ✅ Selbst-hostbar
   ✅ Enterprise-ready
   ✅ Ohne Benutzer-Limits
   ✅ Mit Premium Features


In [9]:
# Speichere kostenlose Alternativen als separates Template File
free_alternatives_file = security_dir / "free-alternatives.json"

with open(free_alternatives_file, 'w', encoding='utf-8') as f:
    json.dump(free_alternatives_templates, f, indent=2, ensure_ascii=False)

print(f"💾 Kostenlose Alternativen gespeichert: {free_alternatives_file}")

# Füge zu Portainer Template hinzu
portainer_template_file = Path("portainer-template.json")

if portainer_template_file.exists():
    with open(portainer_template_file, 'r', encoding='utf-8') as f:
        portainer_templates = json.load(f)
    
    # Füge neue Stack-Definition hinzu
    new_stack = {
        "type": 3,
        "title": "🆓 Kostenlose Security Alternativen",
        "description": "Komplette kostenlose Alternativen zu Keeper, Auth0, Authy, Okta & Co. Alle Open-Source Lösungen ohne Limits.",
        "note": "Sammlung der besten kostenlosen Alternativen zu kommerziellen Security-Lösungen",
        "categories": ["Security", "Free Alternatives"],
        "platform": "linux",
        "logo": "https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/svg/opensource.svg",
        "repository": {
            "url": "https://github.com/YOUR_USERNAME/portainer-infrastructure-templates",
            "stackfile": "stacks/free-alternatives.yml"
        }
    }
    
    portainer_templates["templates"].append(new_stack)
    
    with open(portainer_template_file, 'w', encoding='utf-8') as f:
        json.dump(portainer_templates, f, indent=2, ensure_ascii=False)
    
    print(f"✅ Portainer Template erweitert: {portainer_template_file}")

# Erstelle Docker Compose für kostenlose Alternativen
free_alternatives_compose = """version: '3.8'

services:
  # Vaultwarden (Keeper Alternative)
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=${SIGNUPS_ALLOWED:-true}
      - ADMIN_TOKEN=${VAULTWARDEN_ADMIN_TOKEN:-your-secure-admin-token}
      - DOMAIN=${DOMAIN:-https://localhost}
    volumes:
      - vaultwarden-data:/data
    ports:
      - "8080:80"
    networks:
      - free-security-net

  # Keycloak (Auth0 Alternative)
  keycloak:
    image: quay.io/keycloak/keycloak:latest
    container_name: keycloak
    restart: unless-stopped
    environment:
      - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN:-admin}
      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD:-admin123}
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://keycloak-db:5432/keycloak
      - KC_DB_USERNAME=keycloak
      - KC_DB_PASSWORD=${KEYCLOAK_DB_PASSWORD:-keycloak123}
      - KC_HOSTNAME_STRICT=false
      - KC_HTTP_ENABLED=true
    ports:
      - "8081:8080"
    depends_on:
      - keycloak-db
    command: start-dev
    networks:
      - free-security-net

  keycloak-db:
    image: postgres:15
    container_name: keycloak-db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=${KEYCLOAK_DB_PASSWORD:-keycloak123}
    volumes:
      - keycloak-db-data:/var/lib/postgresql/data
    networks:
      - free-security-net

  # Authentik (Authy/Auth0 Alternative)
  authentik-server:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-server
    restart: unless-stopped
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_DB_PASSWORD:-authentik123}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:-your-secret-key-50-chars-long}
    volumes:
      - authentik-media:/media
      - authentik-custom-templates:/templates
    ports:
      - "8082:9000"
      - "8443:9443"
    depends_on:
      - authentik-db
      - authentik-redis
    networks:
      - free-security-net

  authentik-worker:
    image: ghcr.io/goauthentik/server:latest
    container_name: authentik-worker
    restart: unless-stopped
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=authentik-redis
      - AUTHENTIK_POSTGRESQL__HOST=authentik-db
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_DB_PASSWORD:-authentik123}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:-your-secret-key-50-chars-long}
    volumes:
      - authentik-media:/media
      - authentik-custom-templates:/templates
    depends_on:
      - authentik-db
      - authentik-redis
    networks:
      - free-security-net

  authentik-db:
    image: postgres:15
    container_name: authentik-db
    restart: unless-stopped
    environment:
      - POSTGRES_PASSWORD=${AUTHENTIK_DB_PASSWORD:-authentik123}
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik
    volumes:
      - authentik-db-data:/var/lib/postgresql/data
    networks:
      - free-security-net

  authentik-redis:
    image: redis:alpine
    container_name: authentik-redis
    restart: unless-stopped
    command: --save 60 1 --loglevel warning
    volumes:
      - authentik-redis-data:/data
    networks:
      - free-security-net

  # Authelia (FrontEgg Alternative)
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    environment:
      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET:-your-jwt-secret}
      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET:-your-session-secret}
      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY:-your-encryption-key}
    volumes:
      - authelia-config:/config
    ports:
      - "8083:9091"
    networks:
      - free-security-net

  # FusionAuth (Okta Alternative)
  fusionauth:
    image: fusionauth/fusionauth-app:latest
    container_name: fusionauth
    restart: unless-stopped
    environment:
      - DATABASE_URL=jdbc:postgresql://fusionauth-db:5432/fusionauth
      - DATABASE_ROOT_USERNAME=fusionauth
      - DATABASE_ROOT_PASSWORD=${FUSIONAUTH_DB_PASSWORD:-fusionauth123}
      - DATABASE_USERNAME=fusionauth
      - DATABASE_PASSWORD=${FUSIONAUTH_DB_PASSWORD:-fusionauth123}
      - FUSIONAUTH_APP_MEMORY=${FUSIONAUTH_APP_MEMORY:-512M}
      - FUSIONAUTH_APP_RUNTIME_MODE=development
    ports:
      - "8084:9011"
    depends_on:
      - fusionauth-db
    networks:
      - free-security-net

  fusionauth-db:
    image: postgres:15
    container_name: fusionauth-db
    restart: unless-stopped
    environment:
      - PGUSER=fusionauth
      - POSTGRES_USER=fusionauth
      - POSTGRES_PASSWORD=${FUSIONAUTH_DB_PASSWORD:-fusionauth123}
      - POSTGRES_DB=fusionauth
    volumes:
      - fusionauth-db-data:/var/lib/postgresql/data
    networks:
      - free-security-net

  # Passbolt (Team Password Manager)
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    restart: unless-stopped
    environment:
      - APP_FULL_BASE_URL=${PASSBOLT_BASE_URL:-https://passbolt.local}
      - DATASOURCES_DEFAULT_HOST=passbolt-db
      - DATASOURCES_DEFAULT_USERNAME=passbolt
      - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_DB_PASSWORD:-passbolt123}
      - DATASOURCES_DEFAULT_DATABASE=passbolt
    volumes:
      - passbolt-gpg:/etc/passbolt/gpg
      - passbolt-jwt:/etc/passbolt/jwt
    ports:
      - "8085:80"
      - "8444:443"
    depends_on:
      - passbolt-db
    networks:
      - free-security-net

  passbolt-db:
    image: mariadb:latest
    container_name: passbolt-db
    restart: unless-stopped
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=true
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt
      - MYSQL_PASSWORD=${PASSBOLT_DB_PASSWORD:-passbolt123}
    volumes:
      - passbolt-db-data:/var/lib/mysql
    networks:
      - free-security-net

volumes:
  vaultwarden-data:
  keycloak-db-data:
  authentik-media:
  authentik-custom-templates:
  authentik-db-data:
  authentik-redis-data:
  authelia-config:
  fusionauth-db-data:
  passbolt-gpg:
  passbolt-jwt:
  passbolt-db-data:

networks:
  free-security-net:
    driver: bridge
"""

# Speichere Docker Compose für kostenlose Alternativen
free_compose_file = Path("stacks/free-alternatives.yml")
with open(free_compose_file, 'w', encoding='utf-8') as f:
    f.write(free_alternatives_compose)

print(f"🐳 Docker Compose für kostenlose Alternativen erstellt: {free_compose_file}")
print()
print("🚀 Deployment URLs:")
print("   Vaultwarden (Keeper):     http://localhost:8080")
print("   Keycloak (Auth0):         http://localhost:8081")
print("   Authentik (Authy):        http://localhost:8082")
print("   Authelia (FrontEgg):      http://localhost:8083")
print("   FusionAuth (Okta):        http://localhost:8084")
print("   Passbolt (Team Passwords): http://localhost:8085")

💾 Kostenlose Alternativen gespeichert: templates/security/free-alternatives.json
✅ Portainer Template erweitert: portainer-template.json
🐳 Docker Compose für kostenlose Alternativen erstellt: stacks/free-alternatives.yml

🚀 Deployment URLs:
   Vaultwarden (Keeper):     http://localhost:8080
   Keycloak (Auth0):         http://localhost:8081
   Authentik (Authy):        http://localhost:8082
   Authelia (FrontEgg):      http://localhost:8083
   FusionAuth (Okta):        http://localhost:8084
   Passbolt (Team Passwords): http://localhost:8085


## 🐳 Weitere Docker/GitHub Security Tools
**Alle verfügbar auf Docker Hub und GitHub!**

In [11]:
# Weitere Docker/GitHub Security Tools für Portainer Templates
github_docker_security_tools = {
    "version": "2",
    "templates": [
        # SIEM & Security Monitoring
        {
            "type": 1,
            "title": "Wazuh SIEM Complete",
            "description": "🛡️ Open Source SIEM/XDR Platform - Wazuh Manager, Indexer & Dashboard",
            "categories": ["Security", "SIEM", "Monitoring"],
            "platform": "linux",
            "logo": "https://raw.githubusercontent.com/wazuh/wazuh/master/images/logo.png",
            "image": "wazuh/wazuh-manager:latest",
            "ports": ["1514:1514/udp", "1515:1515", "55000:55000"],
            "volumes": ["/wazuh-config:/wazuh-config-mount/etc/wazuh"]
        },
        
        # Identity & Auth Tools
        {
            "type": 1,
            "title": "FusionAuth",
            "description": "🔑 Customer Identity Platform - kostenlose Okta Alternative",
            "categories": ["Security", "Authentication", "Identity"],
            "platform": "linux", 
            "logo": "https://fusionauth.io/assets/img/fusionauth-logo-orange.svg",
            "image": "fusionauth/fusionauth-app:latest",
            "ports": ["9011:9011"],
            "env": [
                {"name": "DATABASE_URL", "label": "Database URL", "default": "jdbc:postgresql://db:5432/fusionauth"},
                {"name": "FUSIONAUTH_APP_MEMORY", "label": "Memory", "default": "512M"}
            ]
        },
        
        # VPN & Network Security
        {
            "type": 1,
            "title": "Tailscale",
            "description": "🌐 Zero-Config VPN basiert auf WireGuard",
            "categories": ["VPN", "Network", "Security"],
            "platform": "linux",
            "logo": "https://avatars.githubusercontent.com/u/48932923?s=200&v=4",
            "image": "tailscale/tailscale:latest",
            "privileged": True,
            "env": [
                {"name": "TS_AUTHKEY", "label": "Tailscale Auth Key", "description": "Dein Tailscale Auth Key"}
            ]
        },
        
        {
            "type": 1,
            "title": "ZeroTier",
            "description": "🕸️ Software Defined Networking",
            "categories": ["VPN", "SDN", "Network"],
            "platform": "linux",
            "logo": "https://avatars.githubusercontent.com/u/4173285?s=200&v=4",
            "image": "zerotier/zerotier:latest",
            "privileged": True,
            "volumes": ["/var/lib/zerotier-one:/var/lib/zerotier-one"]
        },
        
        # DevSecOps Tools
        {
            "type": 1,
            "title": "Trivy Scanner",
            "description": "🔍 Vulnerability Scanner für Container & Kubernetes",
            "categories": ["Security", "DevSecOps", "Scanner"],
            "platform": "linux",
            "logo": "https://raw.githubusercontent.com/aquasecurity/trivy/main/docs/imgs/logo.png",
            "image": "aquasec/trivy:latest",
            "command": "server --listen 0.0.0.0:4954",
            "ports": ["4954:4954"]
        },
        
        {
            "type": 1,
            "title": "OWASP ZAP",
            "description": "⚡ Web Application Security Scanner",
            "categories": ["Security", "Web Security", "Scanner"],
            "platform": "linux",
            "logo": "https://www.zaproxy.org/img/zap256x256.png",
            "image": "owasp/zap2docker-stable:latest",
            "command": "zap-webswing.sh",
            "ports": ["8080:8080", "8090:8090"]
        },
        
        # Mail & Communication
        {
            "type": 1,
            "title": "Roundcube Webmail",
            "description": "📧 Open Source Webmail Client",
            "categories": ["Mail", "Communication", "Web"],
            "platform": "linux",
            "logo": "https://roundcube.net/images/roundcube_logo_icon.svg",
            "image": "roundcube/roundcubemail:latest",
            "ports": ["80:80"],
            "env": [
                {"name": "ROUNDCUBEMAIL_DEFAULT_HOST", "label": "Mail Server", "default": "localhost"},
                {"name": "ROUNDCUBEMAIL_SMTP_SERVER", "label": "SMTP Server", "default": "localhost"}
            ]
        },
        
        # Privacy & Anonymity
        {
            "type": 1,
            "title": "Tor Proxy",
            "description": "🧅 Tor Anonymity Network Proxy",
            "categories": ["Privacy", "Proxy", "Anonymity"],
            "platform": "linux",
            "logo": "https://www.torproject.org/static/images/tor-logo@2x.png",
            "image": "dperson/torproxy:latest",
            "ports": ["8118:8118", "9050:9050"]
        },
        
        {
            "type": 1,
            "title": "Pi-hole DNS Filter",
            "description": "🕳️ Network-wide Ad & Tracking Blocker",
            "categories": ["Privacy", "DNS", "Ad Block"],
            "platform": "linux",
            "logo": "https://wp-cdn.pi-hole.net/wp-content/uploads/2016/12/Vortex-R.png",
            "image": "pihole/pihole:latest",
            "ports": ["53:53/tcp", "53:53/udp", "80:80"],
            "env": [
                {"name": "WEBPASSWORD", "label": "Admin Password", "default": "admin"},
                {"name": "TZ", "label": "Timezone", "default": "Europe/Berlin"}
            ]
        },
        
        # Team Password Manager
        {
            "type": 1,
            "title": "Passbolt CE",
            "description": "🔐 Open Source Team Password Manager",
            "categories": ["Security", "Passwords", "Team"],
            "platform": "linux",
            "logo": "https://www.passbolt.com/assets/img/logo/logo.svg",
            "image": "passbolt/passbolt:latest-ce",
            "ports": ["80:80", "443:443"],
            "env": [
                {"name": "APP_FULL_BASE_URL", "label": "Base URL", "default": "https://passbolt.local"},
                {"name": "DATASOURCES_DEFAULT_PASSWORD", "label": "DB Password"}
            ]
        },
        
        # Multi-Factor Auth
        {
            "type": 1,
            "title": "privacyIDEA MFA",
            "description": "🛡️ Multi-Factor Authentication Server",
            "categories": ["Security", "MFA", "Authentication"],
            "platform": "linux",
            "logo": "https://www.privacyidea.org/wp-content/uploads/2020/02/privacyIDEA-logo.png",
            "image": "privacyidea/privacyidea:latest",
            "ports": ["5001:5001"],
            "volumes": ["/etc/privacyidea:/etc/privacyidea"]
        },
        
        # Incident Response
        {
            "type": 1,
            "title": "TheHive Incident Response",
            "description": "🕵️ Security Incident Response Platform",
            "categories": ["Security", "Incident Response", "SIEM"],
            "platform": "linux",
            "logo": "https://github.com/TheHive-Project/TheHive/raw/master/images/thehive-logo.png",
            "image": "strangebee/thehive:latest",
            "ports": ["9000:9000"],
            "volumes": ["/opt/thp/thehive/data:/opt/thp/thehive/data"]
        },
        
        # Threat Intelligence
        {
            "type": 1,
            "title": "MISP Threat Sharing",
            "description": "🌐 Malware Information Sharing Platform",
            "categories": ["Security", "Threat Intel", "Sharing"],
            "platform": "linux", 
            "logo": "https://www.misp-project.org/assets/images/misp-logo.png",
            "image": "coolacid/misp-docker:core-latest",
            "ports": ["80:80", "443:443"],
            "env": [
                {"name": "HOSTNAME", "label": "Hostname", "default": "misp.local"},
                {"name": "POSTFIX_RELAY_HOST", "label": "SMTP Relay"}
            ]
        }
    ]
}

print("🐳 Weitere Docker/GitHub Security Tools erstellt!")
print(f"📊 {len(github_docker_security_tools['templates'])} zusätzliche Tools verfügbar:")
print()

# Kategorien anzeigen
categories = {}
for template in github_docker_security_tools['templates']:
    for category in template['categories']:
        if category not in categories:
            categories[category] = []
        categories[category].append(template['title'])

for category, tools in categories.items():
    print(f"🏷️ {category}: {len(tools)} Tools")
    for tool in tools[:3]:  # Zeige nur erste 3 pro Kategorie
        print(f"   • {tool}")
    if len(tools) > 3:
        print(f"   ... und {len(tools)-3} weitere")
    print()

🐳 Weitere Docker/GitHub Security Tools erstellt!
📊 13 zusätzliche Tools verfügbar:

🏷️ Security: 9 Tools
   • Wazuh SIEM Complete
   • FusionAuth
   • Tailscale
   ... und 6 weitere

🏷️ SIEM: 2 Tools
   • Wazuh SIEM Complete
   • TheHive Incident Response

🏷️ Monitoring: 1 Tools
   • Wazuh SIEM Complete

🏷️ Authentication: 2 Tools
   • FusionAuth
   • privacyIDEA MFA

🏷️ Identity: 1 Tools
   • FusionAuth

🏷️ VPN: 2 Tools
   • Tailscale
   • ZeroTier

🏷️ Network: 2 Tools
   • Tailscale
   • ZeroTier

🏷️ SDN: 1 Tools
   • ZeroTier

🏷️ DevSecOps: 1 Tools
   • Trivy Scanner

🏷️ Scanner: 2 Tools
   • Trivy Scanner
   • OWASP ZAP

🏷️ Web Security: 1 Tools
   • OWASP ZAP

🏷️ Mail: 1 Tools
   • Roundcube Webmail

🏷️ Communication: 1 Tools
   • Roundcube Webmail

🏷️ Web: 1 Tools
   • Roundcube Webmail

🏷️ Privacy: 2 Tools
   • Tor Proxy
   • Pi-hole DNS Filter

🏷️ Proxy: 1 Tools
   • Tor Proxy

🏷️ Anonymity: 1 Tools
   • Tor Proxy

🏷️ DNS: 1 Tools
   • Pi-hole DNS Filter

🏷️ Ad Block: 1 Tools
 

In [12]:
# Speichere GitHub/Docker Security Tools und erstelle Compose Stack
extended_tools_file = security_dir / "extended-docker-tools.json"

with open(extended_tools_file, 'w', encoding='utf-8') as f:
    json.dump(github_docker_security_tools, f, indent=2, ensure_ascii=False)

print(f"💾 Extended Docker Tools gespeichert: {extended_tools_file}")

# Erstelle Docker Compose für alle erweiterten Tools
extended_compose = """version: '3.8'

services:
  # SIEM & Security Monitoring
  wazuh-manager:
    image: wazuh/wazuh-manager:latest
    container_name: wazuh-manager
    hostname: wazuh-manager
    restart: unless-stopped
    ports:
      - "1514:1514/udp"
      - "1515:1515"
      - "55000:55000"
    volumes:
      - wazuh-manager-config:/wazuh-config-mount/etc/wazuh
    networks:
      - extended-security-net

  # Identity & Auth
  fusionauth:
    image: fusionauth/fusionauth-app:latest
    container_name: fusionauth
    restart: unless-stopped
    environment:
      - DATABASE_URL=jdbc:postgresql://fusionauth-db:5432/fusionauth
      - FUSIONAUTH_APP_MEMORY=512M
    ports:
      - "9011:9011"
    depends_on:
      - fusionauth-db
    networks:
      - extended-security-net

  fusionauth-db:
    image: postgres:15
    container_name: fusionauth-db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=fusionauth
      - POSTGRES_USER=fusionauth
      - POSTGRES_PASSWORD=${FUSIONAUTH_DB_PASSWORD:-fusionauth123}
    volumes:
      - fusionauth-db-data:/var/lib/postgresql/data
    networks:
      - extended-security-net

  # VPN & Network
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: docker-tailscale
    environment:
      - TS_AUTHKEY=${TAILSCALE_AUTHKEY:-your-auth-key}
      - TS_ROUTES=192.168.0.0/24
    volumes:
      - tailscale-data:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    restart: unless-stopped
    networks:
      - extended-security-net

  zerotier:
    image: zerotier/zerotier:latest
    container_name: zerotier
    privileged: true
    volumes:
      - zerotier-data:/var/lib/zerotier-one
    restart: unless-stopped
    network_mode: host

  # DevSecOps Tools
  trivy-server:
    image: aquasec/trivy:latest
    container_name: trivy-server
    restart: unless-stopped
    command: server --listen 0.0.0.0:4954
    ports:
      - "4954:4954"
    volumes:
      - trivy-cache:/root/.cache
    networks:
      - extended-security-net

  owasp-zap:
    image: owasp/zap2docker-stable:latest
    container_name: owasp-zap
    restart: unless-stopped
    command: zap-webswing.sh
    ports:
      - "8080:8080"
      - "8090:8090"
    volumes:
      - zap-data:/zap/wrk
    networks:
      - extended-security-net

  # Mail & Communication
  roundcube:
    image: roundcube/roundcubemail:latest
    container_name: roundcube
    restart: unless-stopped
    environment:
      - ROUNDCUBEMAIL_DEFAULT_HOST=${MAIL_HOST:-localhost}
      - ROUNDCUBEMAIL_SMTP_SERVER=${SMTP_HOST:-localhost}
    ports:
      - "8081:80"
    volumes:
      - roundcube-data:/var/www/html
    networks:
      - extended-security-net

  # Privacy Tools
  tor-proxy:
    image: dperson/torproxy:latest
    container_name: tor-proxy
    restart: unless-stopped
    ports:
      - "8118:8118"
      - "9050:9050"
    networks:
      - extended-security-net

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    restart: unless-stopped
    environment:
      - WEBPASSWORD=${PIHOLE_PASSWORD:-admin}
      - TZ=Europe/Berlin
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "8082:80"
    volumes:
      - pihole-etc:/etc/pihole
      - pihole-dnsmasq:/etc/dnsmasq.d
    networks:
      - extended-security-net

  # Team Password Manager
  passbolt:
    image: passbolt/passbolt:latest-ce
    container_name: passbolt
    restart: unless-stopped
    environment:
      - APP_FULL_BASE_URL=${PASSBOLT_BASE_URL:-https://passbolt.local}
      - DATASOURCES_DEFAULT_HOST=passbolt-db
      - DATASOURCES_DEFAULT_USERNAME=passbolt
      - DATASOURCES_DEFAULT_PASSWORD=${PASSBOLT_DB_PASSWORD:-passbolt123}
      - DATASOURCES_DEFAULT_DATABASE=passbolt
    volumes:
      - passbolt-gpg:/etc/passbolt/gpg
      - passbolt-jwt:/etc/passbolt/jwt
    ports:
      - "8083:80"
      - "8445:443"
    depends_on:
      - passbolt-db
    networks:
      - extended-security-net

  passbolt-db:
    image: mariadb:latest
    container_name: passbolt-db
    restart: unless-stopped
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=true
      - MYSQL_DATABASE=passbolt
      - MYSQL_USER=passbolt
      - MYSQL_PASSWORD=${PASSBOLT_DB_PASSWORD:-passbolt123}
    volumes:
      - passbolt-db-data:/var/lib/mysql
    networks:
      - extended-security-net

  # Multi-Factor Auth
  privacyidea:
    image: privacyidea/privacyidea:latest
    container_name: privacyidea
    restart: unless-stopped
    ports:
      - "5001:5001"
    volumes:
      - privacyidea-config:/etc/privacyidea
    networks:
      - extended-security-net

  # Incident Response
  thehive:
    image: strangebee/thehive:latest
    container_name: thehive
    restart: unless-stopped
    ports:
      - "9000:9000"
    volumes:
      - thehive-data:/opt/thp/thehive/data
    networks:
      - extended-security-net

  # Threat Intelligence
  misp:
    image: coolacid/misp-docker:core-latest
    container_name: misp
    restart: unless-stopped
    environment:
      - HOSTNAME=${MISP_HOSTNAME:-misp.local}
      - POSTFIX_RELAY_HOST=${SMTP_RELAY:-localhost}
    ports:
      - "8084:80"
      - "8446:443"
    volumes:
      - misp-data:/var/www/MISP
    networks:
      - extended-security-net

  # Container Security
  clair:
    image: quay.io/coreos/clair:latest
    container_name: clair
    restart: unless-stopped
    ports:
      - "6060:6060"
      - "6061:6061"
    volumes:
      - clair-config:/config
    networks:
      - extended-security-net

volumes:
  wazuh-manager-config:
  fusionauth-db-data:
  tailscale-data:
  zerotier-data:
  trivy-cache:
  zap-data:
  roundcube-data:
  pihole-etc:
  pihole-dnsmasq:
  passbolt-gpg:
  passbolt-jwt:
  passbolt-db-data:
  privacyidea-config:
  thehive-data:
  misp-data:
  clair-config:

networks:
  extended-security-net:
    driver: bridge
"""

# Speichere erweiterten Docker Compose Stack
extended_compose_file = Path("stacks/extended-security-tools.yml")
with open(extended_compose_file, 'w', encoding='utf-8') as f:
    f.write(extended_compose)

print(f"🐳 Extended Security Tools Compose erstellt: {extended_compose_file}")

# Aktualisiere Portainer Template
portainer_template_file = Path("portainer-template.json")
if portainer_template_file.exists():
    with open(portainer_template_file, 'r', encoding='utf-8') as f:
        portainer_templates = json.load(f)
    
    # Neue Stack-Definition hinzufügen
    extended_stack = {
        "type": 3,
        "title": "🔧 Extended Security Tools",
        "description": "Erweiterte Security-Tools: Wazuh, FusionAuth, Tailscale, OWASP ZAP, Pi-hole, Passbolt, TheHive, MISP und mehr",
        "note": "Sammlung von 15+ erweiterten Security-Tools aus GitHub/DockerHub",
        "categories": ["Security", "Extended Tools", "GitHub"],
        "platform": "linux",
        "logo": "https://raw.githubusercontent.com/github/explore/main/topics/security/security.png",
        "repository": {
            "url": "https://github.com/YOUR_USERNAME/portainer-infrastructure-templates",
            "stackfile": "stacks/extended-security-tools.yml"
        }
    }
    
    portainer_templates["templates"].append(extended_stack)
    
    with open(portainer_template_file, 'w', encoding='utf-8') as f:
        json.dump(portainer_templates, f, indent=2, ensure_ascii=False)
    
    print(f"✅ Portainer Template mit Extended Tools erweitert")

print()
print("🚀 Extended Security Tools Deployment URLs:")
print("   Wazuh Manager:        http://localhost:55000")
print("   FusionAuth:           http://localhost:9011")
print("   Trivy Scanner:        http://localhost:4954")
print("   OWASP ZAP:            http://localhost:8080")
print("   Roundcube Mail:       http://localhost:8081")
print("   Pi-hole:              http://localhost:8082")
print("   Passbolt:             http://localhost:8083")
print("   MISP:                 http://localhost:8084")
print("   TheHive:              http://localhost:9000")
print("   PrivacyIDEA:          http://localhost:5001")
print()
print("🛠️ Deploy Command:")
print("   docker-compose -f stacks/extended-security-tools.yml up -d")

💾 Extended Docker Tools gespeichert: templates/security/extended-docker-tools.json
🐳 Extended Security Tools Compose erstellt: stacks/extended-security-tools.yml
✅ Portainer Template mit Extended Tools erweitert

🚀 Extended Security Tools Deployment URLs:
   Wazuh Manager:        http://localhost:55000
   FusionAuth:           http://localhost:9011
   Trivy Scanner:        http://localhost:4954
   OWASP ZAP:            http://localhost:8080
   Roundcube Mail:       http://localhost:8081
   Pi-hole:              http://localhost:8082
   Passbolt:             http://localhost:8083
   MISP:                 http://localhost:8084
   TheHive:              http://localhost:9000
   PrivacyIDEA:          http://localhost:5001

🛠️ Deploy Command:
   docker-compose -f stacks/extended-security-tools.yml up -d
