{"id":36398101,"url":"https://github.com/nis2shield/infrastructure","last_synced_at":"2026-01-18T09:01:19.677Z","repository":{"id":330805860,"uuid":"1123425419","full_name":"nis2shield/infrastructure","owner":"nis2shield","description":"🐳 Secure Docker infrastructure for NIS2 compliance - Hardened containers, log segregation, automated backups","archived":false,"fork":false,"pushed_at":"2026-01-05T08:57:39.000Z","size":265,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-07T02:26:03.242Z","etag":null,"topics":["backup","compliance","devops","docker","infrastructure","logging","nis2","security"],"latest_commit_sha":null,"homepage":null,"language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nis2shield.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-26T21:05:43.000Z","updated_at":"2026-01-05T11:06:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/nis2shield/infrastructure","commit_stats":null,"previous_names":["nis2shield/infrastructure"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/nis2shield/infrastructure","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nis2shield%2Finfrastructure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nis2shield%2Finfrastructure/tags"
,"releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nis2shield%2Finfrastructure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nis2shield%2Finfrastructure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nis2shield","download_url":"https://codeload.github.com/nis2shield/infrastructure/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nis2shield%2Finfrastructure/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28534154,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T00:39:45.795Z","status":"online","status_checked_at":"2026-01-18T02:00:07.578Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["backup","compliance","devops","docker","infrastructure","logging","nis2","security"],"created_at":"2026-01-11T16:00:27.004Z","updated_at":"2026-01-18T09:01:19.643Z","avatar_url":"https://github.com/nis2shield.png","language":"HCL","readme":"# NIS2 Infrastructure Kit\n\n[![License: 
MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Docker](https://img.shields.io/badge/Docker-Ready-blue.svg)](https://www.docker.com/)\n[![Helm](https://img.shields.io/badge/Helm-v1.0.0-0f1689.svg)](./charts/nis2shield)\n[![Terraform](https://img.shields.io/badge/Terraform-AWS%20%7C%20GCP%20%7C%20Azure-7b42bc.svg)](./terraform)\n[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/nis2shield/infrastructure)\n\n**Secure-by-Design Infrastructure for NIS2 Compliance.**\n\nThis repository provides the \"last mile\" for NIS2 compliance: **secure infrastructure**. Deploy with Docker Compose, Helm (Kubernetes), or Terraform (Cloud). While [django-nis2-shield](https://github.com/nis2shield/django-nis2-shield), [nis2-spring-shield](https://github.com/nis2shield/nis2-spring-shield), [dotnet-nis2-shield](https://github.com/nis2shield/dotnet-nis2-shield), and [@nis2shield/react-guard](https://github.com/nis2shield/react-guard) protect your code, this kit protects the **execution environment**.\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                        Frontend                              │\n│  @nis2shield/{react,angular,vue}-guard                      │\n│  ├── SessionWatchdog (idle detection)                       │\n│  ├── AuditBoundary / SecureStorage                         │\n│  └── → POST /api/nis2/telemetry/                           │\n└─────────────────────────────────────────────────────────────┘\n                            │\n                            ▼\n┌─────────────────────────────────────────────────────────────┐\n│                  Backend (NIS2 Adapter)                      │\n│  Supported: Django, Express, Spring Boot, .NET            │\n│  ├── ForensicLogger (HMAC signed logs)                     │\n│  ├── RateLimiter, SessionGuard, TorBlocker                 │\n│  └── → SIEM (Elasticsearch, Splunk, QRadar, etc.)     
     │\n└─────────────────────────────────────────────────────────────┘\n                            │\n                            ▼\n┌─────────────────────────────────────────────────────────────┐\n│                    Infrastructure                            │\n│  **nis2shield/infrastructure**                              │\n│  ├── Centralized Logging (ELK/Splunk)                       │\n│  ├── Compliance Reporting (Automatic PDF generation)        │\n│  └── Audited Deployment (Terraform/Helm)                    │\n└─────────────────────────────────────────────────────────────┘\n```\n\n\u003e **🎉 Full-Stack Support!** Backend: Django, Spring Boot, Express, .NET. Frontend: React, Angular, Vue. Same JSON log format, same infrastructure.\n\n## ✨ Features\n\n- 🔒 **Hardened Containers**: Non-root execution, read-only filesystem\n- 📊 **Log Segregation**: Logs exported via sidecar (Fluent Bit)\n- 💾 **Automated Backups**: PostgreSQL dumps with retention policy\n- 🔐 **Encrypted Twin**: Zero-trust cloud backup (AES-256 + RSA)\n- 🛡️ **Compliance Engine**: Automated `tfsec` \u0026 `gitleaks` checks in CI/CD\n- 📈 **Dynamic Reporting**: Updates `NIS2_SELF_ASSESSMENT.md` automatically\n- ☸️ **Kubernetes Ready**: Production Helm chart with NetworkPolicies\n- ☁️ **Multi-Cloud**: Terraform modules for AWS, GCP, Azure\n- 🏗️ **NIS2 Compliant**: Addresses Art. 
21 infrastructure requirements\n\n## 📋 Architecture\n\n### Base Stack\n\n```mermaid\ngraph TB\n    subgraph Docker[\"Docker Compose Stack\"]\n        webapp[\"🐍/☕/C# webapp\u003cbr/\u003e(Django / Spring / .NET)\"]\n        logs[\"📊 log-collector\u003cbr/\u003e(Fluent Bit)\"]\n        backup[\"💾 db-backup\u003cbr/\u003e(Cron)\"]\n        db[(PostgreSQL)]\n        \n        webapp --\u003e |writes logs| logs\n        webapp --\u003e db\n        backup --\u003e |dumps| db\n    end\n    \n    logs --\u003e |forwards to| SIEM[\"🔒 SIEM/Elasticsearch\"]\n    backup --\u003e |stores| Storage[\"📁 ./backups/\"]\n    \n    style webapp fill:#3b82f6\n    style logs fill:#10b981\n    style backup fill:#f59e0b\n    style db fill:#8b5cf6\n```\n\n\u003e **Note**: The JSON log format is identical for both Django and Spring Boot applications, ensuring seamless interoperability.\n\n### Security Features\n\n| Component | Protection |\n|-----------|------------|\n| webapp | Non-root, read-only filesystem, tmpfs |\n| log-collector | Read-only log access, SIEM forwarding |\n| db-backup | 7-day retention, optional GPG encryption |\n| PostgreSQL | Dedicated volume, health checks |\n\n---\n\n### 🔐 Encrypted Twin (Disaster Recovery)\n\nThe **Crypto-Replicator** provides zero-trust cloud backup:\n\n```mermaid\nsequenceDiagram\n    participant DB as PostgreSQL\n    participant CR as Crypto-Replicator\n    participant Cloud as ☁️ Cloud Storage\n    \n    DB-\u003e\u003eCR: NOTIFY (change event)\n    \n    Note over CR: 1. Generate AES session key\n    Note over CR: 2. Encrypt data with AES-GCM\n    Note over CR: 3. 
Wrap key with RSA public\n    \n    CR-\u003e\u003eCloud: Encrypted Envelope\n    \n    Note over Cloud: ⚠️ Cannot decrypt!\u003cbr/\u003e(no private key)\n```\n\n**Key Features:**\n- 🔒 **AES-256-GCM** - Authenticated data encryption\n- 🔑 **RSA-OAEP** - Asymmetric key wrapping\n- 🔄 **Forward Secrecy** - Unique session key per message\n- ☁️ **Zero-Trust Cloud** - Cloud cannot read your data\n\n### 🛡️ The Truth vs The Proof\n\nThis infrastructure is designed to support the **NIS2Shield** business model:\n\n1.  **The Truth (Open Source)**:\n    *   **Secure Infrastructure**: All the Docker/Helm/Terraform code in this repo is free and MIT licensed.\n    *   **Static Guardrails**: We provide configs for `tfsec` and `gitleaks` to block insecurity in CI/CD.\n    *   **Self-Assessment**: The manual [docs/NIS2_SELF_ASSESSMENT.md](docs/NIS2_SELF_ASSESSMENT.md) checklist.\n\n2.  **The Proof (Auditor Kit - Commercial)**:\n    *   **Compliance Engine**: The proprietary binary that connects to this infrastructure.\n    *   **Automated Reporting**: It parses the logs generated by these containers to verify operational requirements (e.g., \"Did backups run?\").\n    *   **Legal PDF**: Automatically generates the signed report for your auditor.\n\n\u003e **Note**: This repository contains \"The Truth\" (the secure runtime). 
To get the automated \"Proof\" (Compliance Engine \u0026 Reports), see our **[Pro Auditor Kit](https://nis2shield.com/pricing)**.\n\n## 🚀 Quick Start\n\n### Prerequisites\n\n- Docker \u0026 Docker Compose v2+\n- A Docker image of your application using:\n  - **Django**: [django-nis2-shield](https://github.com/nis2shield/django-nis2-shield)\n  - **Spring Boot**: [nis2-spring-shield](https://github.com/nis2shield/nis2-spring-shield)\n  - **.NET**: [dotnet-nis2-shield](https://github.com/nis2shield/dotnet-nis2-shield)\n\n### Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/nis2shield/infrastructure.git\ncd infrastructure\n\n# Copy environment template\ncp .env.example .env\n\n# Edit .env with your values (IMPORTANT: change passwords!)\nnano .env\n\n# Start the stack\ndocker-compose up -d\n\n# Check status\ndocker-compose ps\n```\n\n## ⚙️ Services\n\n### 1. webapp (Application Layer)\n\nYour Django, Spring Boot, or .NET application, hardened with:\n- `user: 1000:1000` - Non-root execution\n- `read_only: true` - Immutable filesystem\n- `tmpfs: /tmp` - RAM-only writable directory\n\n\u003e **Spring Boot**: See `examples/docker-compose.spring.yml` for a Spring-specific example.\n\n### 2. log-collector (Fluent Bit Sidecar)\n\nReads logs from the shared volume and forwards them to:\n- **Console** (default, for development)\n- **Elasticsearch** (uncomment in config)\n- **HTTP/SIEM** (Intrusa, Splunk HEC, etc.)\n\nEdit `monitoring/fluent-bit.conf` to configure outputs.\n\n### 3. db-backup (Business Continuity)\n\nAutomated PostgreSQL backups:\n- Schedule: `@every 6h00m` (configurable)\n- Retention: 7 days (configurable)\n- Location: `./backups/`\n\n## 🔄 Disaster Recovery Testing\n\nTest that your backups can be restored (NIS2 Art. 21c requirement):\n\n```bash\n# Run the automated restore test\n./scripts/restore-test.sh\n\n# Or specify a backup file\n./scripts/restore-test.sh ./backups/mybackup.sql.gz\n```\n\nThe script will:\n1. 
Start an empty PostgreSQL container\n2. Restore the latest backup\n3. Validate the data integrity\n4. Generate a compliance report\n\nKeep the generated report for your NIS2 audit documentation.\n\n## 📊 ELK Stack (Elasticsearch + Kibana)\n\nVisualize your NIS2 logs in a beautiful dashboard:\n\n```bash\n# Quick setup (starts ES + Kibana + configures index)\n./scripts/elk-setup.sh\n\n# Or manually\ndocker-compose -f docker-compose.yml -f docker-compose.elk.yml up -d\n```\n\nOnce running:\n- **Kibana**: http://localhost:5601\n- **Elasticsearch**: http://localhost:9200\n\nGo to Kibana → Analytics → Discover → Select \"NIS2 Logs\" to see your logs.\n\n\u003e **Note**: ELK requires ~1.5GB RAM. Use the base stack for low-memory systems.\n\n## 📈 Prometheus + Grafana Monitoring\n\nReal-time metrics and NIS2 compliance dashboard:\n\n```bash\n# Quick setup\n./scripts/monitoring-setup.sh\n\n# Or manually\ndocker-compose -f docker-compose.yml -f docker-compose.monitoring.yml up -d\n```\n\nAccess:\n- **Grafana**: http://localhost:3000 (admin/admin)\n- **Prometheus**: http://localhost:9090\n\nPre-configured NIS2 dashboard includes:\n- Request rate and error percentage\n- Backup age monitoring\n- System resource usage\n\n## ☸️ Kubernetes (Helm Chart)\n\nFor enterprise deployments, use our production-ready Helm chart:\n\n```bash\n# Install from local\nhelm install nis2shield ./charts/nis2shield -n nis2 --create-namespace\n\n# With custom values\nhelm install nis2shield ./charts/nis2shield -f values-prod.yaml\n```\n\nFeatures:\n- 🔒 Security hardening (PSS restricted, runAsNonRoot)\n- 🌐 Ingress with TLS support\n- 🔐 NetworkPolicies for service isolation\n- ⚙️ Toggle modules (replicator, monitoring)\n\n👉 **[Enterprise Deployment Guide](https://nis2shield.com/enterprise/)**\n\n## ☁️ Cloud Deployment (Terraform)\n\nInfrastructure-as-Code for major cloud providers:\n\n| Provider | Resources | Command |\n|----------|-----------|--------|\n| **AWS** | VPC, EKS, RDS, S3, KMS | `cd 
terraform/aws \u0026\u0026 terraform apply` |\n| **GCP** | VPC, GKE, Cloud SQL, Storage | `cd terraform/gcp \u0026\u0026 terraform apply` |\n| **Azure** | VNet, AKS, PostgreSQL, KeyVault | `cd terraform/azure \u0026\u0026 terraform apply` |\n\nAll modules include:\n- Encrypted databases with managed keys\n- Private networking (no public IPs)\n- Secrets management integration\n- High availability options\n\n## 💎 Enterprise: Disaster Recovery Module\n\nFor organizations requiring **automatic failover** and **business continuity**, we offer a premium add-on:\n\n```\n┌──────────────────────┐         ┌──────────────────────┐\n│   🏠 PRIMARY SERVER  │  sync   │   ☁️ CLOUD STANDBY   │\n│      (ACTIVE)        │────────▶│     (DORMANT)        │\n│                      │         │                      │\n│  App + DB (primary)  │         │  App OFF + DB replica│\n└──────────────────────┘         └──────────────────────┘\n          │                                │\n          └──────── Health Monitor ────────┘\n                   (NIS2 Shield Cloud)\n                         │\n                         ▼\n              🔄 Automatic DNS Failover\n              (RTO \u003c 5min, RPO \u003c 1min)\n```\n\n**Features:**\n- 🔍 Continuous health monitoring (every 30s)\n- 🔄 Automatic DNS failover via Cloudflare/Route53\n- 🔔 Slack/webhook notifications\n- 🔐 AES-256-GCM encrypted replication\n- ✅ Satisfies NIS2 Art. 
21.2.c (Business Continuity)\n\n**Pricing:** €499 one-time license\n\n👉 **[Learn More](https://nis2shield.com/disaster-recovery/)** | **[Contact Sales](mailto:sales@nis2shield.com)**\n\n## 📁 Project Structure\n\n```\ninfrastructure/\n├── charts/nis2shield/              # ☸️ Helm Chart (K8s)\n│   ├── Chart.yaml\n│   ├── values.yaml\n│   └── templates/                  # Deployments, Services, etc.\n│\n├── terraform/                      # ☁️ Cloud IaC\n│   ├── aws/                        # VPC, EKS, RDS, S3\n│   ├── gcp/                        # VPC, GKE, Cloud SQL\n│   └── azure/                      # VNet, AKS, PostgreSQL\n│\n├── docker-compose.yml              # Base stack\n├── docker-compose.prod.yml         # Production overrides\n├── docker-compose.elk.yml          # ELK observability\n├── docker-compose.monitoring.yml   # Prometheus + Grafana\n│\n├── crypto-replicator/              # 🔐 Encrypted Twin\n│   ├── crypto_replicator/          # Python modules\n│   ├── docs/                       # OpenAPI spec\n│   └── tests/                      # Unit + integration\n│\n├── monitoring/                     # Fluent Bit, Prometheus\n└── scripts/                        # Setup \u0026 DR testing\n```\n\n## 🔐 NIS2 Compliance Matrix\n\n| NIS2 Article | Requirement | Infrastructure Solution |\n|--------------|-------------|------------------------|\n| Art. 21 (a) | Risk analysis \u0026 system security | Hardened containers, non-root |\n| Art. 21 (b) | Incident management | Centralized, segregated logs |\n| Art. 21 (c) | Business continuity | Automated backups with retention |\n| Art. 21 (d) | Supply chain security | Verified base images |\n| Art. 
21 (e) | Security hygiene | Read-only filesystem |\n\n## 🔧 Configuration\n\n### SIEM Integration\n\nEdit `monitoring/fluent-bit.conf`:\n\n```ini\n# Uncomment for Elasticsearch\n[OUTPUT]\n    Name              es\n    Host              ${ELASTICSEARCH_HOST}\n    Port              9200\n    Index             nis2-logs\n```\n\n### Backup Schedule\n\nIn `docker-compose.yml` or `.env`:\n\n```yaml\nSCHEDULE=@every 6h00m   # Every 6 hours\nBACKUP_KEEP_DAYS=7      # Keep 7 days\n```\n\n## 🤝 Related Projects\n\n**Backend Middleware:**\n- [django-nis2-shield](https://github.com/nis2shield/django-nis2-shield) - Django middleware for NIS2 compliance\n- [nis2-spring-shield](https://github.com/nis2shield/nis2-spring-shield) - Spring Boot starter for NIS2 compliance\n- [@nis2shield/express-middleware](https://github.com/nis2shield/express-nis2-middleware) - Express.js middleware\n- [dotnet-nis2-shield](https://github.com/nis2shield/dotnet-nis2-shield) - ASP.NET Core middleware\n\n**Frontend Guards:**\n- [@nis2shield/react-guard](https://www.npmjs.com/package/@nis2shield/react-guard) - React 18+ client-side protection\n- [@nis2shield/angular-guard](https://www.npmjs.com/package/@nis2shield/angular-guard) - Angular 14+ client-side protection\n- [@nis2shield/vue-guard](https://www.npmjs.com/package/@nis2shield/vue-guard) - Vue 3 client-side protection\n\n**Resources:**\n- [nis2shield.com](https://nis2shield.com) - Documentation hub\n\n## 📄 License\n\nMIT License - see [LICENSE](LICENSE) for details.\n\n## 🛡️ Security \u0026 Updates\n\n**Subscribe to our [Security Mailing List](https://buttondown.email/nis2shield)** to receive immediate alerts about:\n- Critical vulnerabilities (CVEs)\n- NIS2/DORA regulatory logic updates\n- Major breaking changes\n\nFor reporting vulnerabilities, see [SECURITY.md](SECURITY.md).\n\n## 🙋 Contributing\n\nContributions welcome! 
See [CONTRIBUTING.md](CONTRIBUTING.md).\n\n---\n\n**Part of the [NIS2 Shield](https://nis2shield.com) ecosystem** 🛡️","funding_links":[],"categories":["Community Modules"],"sub_categories":["Miscellaneous"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnis2shield%2Finfrastructure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnis2shield%2Finfrastructure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnis2shield%2Finfrastructure/lists"}