Deployment Options
Three paths, from a single docker compose up to a production-shaped AWS
deployment. The Compose and single-EC2 paths are verified end-to-end.
Docker Compose — single box
verified
Everything in one docker compose up. deploy/docker-compose.yml
runs the control server + Postgres; deploy/sandbox/ adds the sink and a
Samba AD DC for LDAP. deploy/e2e/run.sh is a one-command end-to-end test.
AWS single-EC2 sandbox
verified
deploy/terraform/sandbox/ puts the whole stack on one EC2 instance behind an
ALB with an ACM-issued certificate, pulling the private images from GHCR. Deployed and verified end-to-end: HTTPS admin
UI, honeypot → trip, and AD/LDAP login. The closest thing to a real client install today.
AWS via Terraform — production modules
Terraform modules
deploy/terraform/ is the turnkey, production-shaped deployment: VPC (or
bring-your-own), RDS Postgres, an ALB+ACM control server, and a sink fleet, with each component
selected through its own variables. Unlike the two paths above, this one is not yet verified end-to-end.
Quick start: the verified single-EC2 path
cd deploy/terraform/sandbox
# 1. Provide the private-registry pull credential (gitignored):
cat > secret.auto.tfvars <<EOF
ghcr_username = "<github-username>"
ghcr_token = "<read:packages PAT>"
EOF
# 2. Apply (~5-10 min: ACM DNS-validation, ALB, EC2 boot, AD provision)
terraform init
terraform apply
# 3. Read the outputs
terraform output admin_url # https://selfhost-sandbox.gettripwires.com
terraform output honeypot_host # EC2 public IP (point honeypot triggers here)
terraform output -raw admin_password # bootstrap admin password
# 4. Tear down when done
terraform destroy
The EC2 userdata installs Docker, logs in to GHCR, renders .env + config.toml
from SSM, and runs the compose stack. Two things to keep in mind: the GHCR token and the bootstrap
admin password pass through Terraform resources and outputs, so they are recorded in Terraform state
(keep the state backend private), and terraform output -raw prints the password in the clear, so change
it after the first login. A real client deploy needs: a domain + Route53 zone, ACM + ALB,
a VPC (or bring-your-own), a GHCR PAT with only the read:packages scope, and, for SSO, your AD/LDAP details.
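Step 1 above types the PAT into an interactive heredoc, which leaves it in shell history and creates the file with the default umask. The following helper is an added example, not code from the project: it writes secret.auto.tfvars in the same two-variable format with mode 0600, refuses tokens that are not plain PAT characters, and checks that the repo's .gitignore actually excludes the file. The function names, the PAT character-set assumption ([A-Za-z0-9_]) and the .gitignore patterns it looks for are this example's own.

```shell
#!/bin/sh
# Added example (not the project's code): create the GHCR pull credential
# that deploy/terraform/sandbox reads from secret.auto.tfvars, and verify
# the two properties worth checking before `terraform apply`:
# the file is owner-read/write only, and git will not commit it.

# write_pull_credential DIR USER TOKEN
# Writes DIR/secret.auto.tfvars (mode 0600) in the format the quick start
# shows. Assumption: a GitHub PAT contains only [A-Za-z0-9_], so anything
# else (quotes, spaces, an empty string) is rejected instead of quoted.
write_pull_credential() {
  dir=$1; user=$2; token=$3
  case "$token" in
    ""|*[!A-Za-z0-9_]*)
      echo "write_pull_credential: empty or malformed token" >&2
      return 1 ;;
  esac
  # Remove any stale copy first: redirecting onto an existing file keeps its
  # old (possibly 0644) mode, so umask alone would not tighten it.
  rm -f "$dir/secret.auto.tfvars"
  # The umask change is scoped to a subshell so it does not leak into the
  # caller's shell session.
  ( umask 077
    printf 'ghcr_username = "%s"\nghcr_token = "%s"\n' "$user" "$token" \
      > "$dir/secret.auto.tfvars" )
}

# assert_private FILE: succeed only if FILE is mode 0600.
# Parses ls -l rather than stat(1), whose flags differ between GNU and BSD.
assert_private() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# assert_ignored DIR NAME: succeed only if DIR/.gitignore has an exact line
# excluding NAME, either bare, rooted with "/", or via the *.auto.tfvars glob.
# This reads the ignore file directly so it works outside a checkout; inside
# one, `git check-ignore -q NAME` is the authoritative test.
assert_ignored() {
  grep -qxF -e "$2" -e "/$2" -e '*.auto.tfvars' "$1/.gitignore"
}
```

Source the file, put the PAT into GHCR_TOKEN without echoing it on a command line (for example `read -r GHCR_TOKEN` from a password manager's output, so it never appears in history), then run `write_pull_credential . "$GHCR_USERNAME" "$GHCR_TOKEN" && assert_private ./secret.auto.tfvars && assert_ignored . secret.auto.tfvars` from deploy/terraform/sandbox before terraform apply. If the last check fails, the file is not ignored and would be committed on the next git add.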