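# ICS demo lab: a Modbus/TCP PLC target reachable either through the
# protocol-breaking gateway (host port 502) or through a Snort inline IPS
# (host port 503), plus direct debug ports to the PLC builds.
#
# Security note: this is a deliberately vulnerable lab (ASAN-instrumented PLC,
# a Snort build vulnerable to CVE-2022-20685, privileged containers with host
# device access). Run it on an isolated host or VM, never on a shared network.
version: '3.8'

networks:
  # Attacker-facing side; only the gateway / Snort containers have a leg here.
  ics-untrusted:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.96.0/24
          gateway: 192.168.96.254
  # PLC side; the gateway / Snort containers bridge between the two networks.
  ics-protected:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.95.0/24
          gateway: 192.168.95.254

# =============================================================================
# Shared definition for every Snort variant (VULNERABLE to CVE-2022-20685)
# =============================================================================
# Uses NFQUEUE inline mode - true IPS that blocks traffic when it hangs
# Demonstrates packet-forwarding architecture vs seL4's protocol-break
#
# Traffic flow:
#   Host:503 → Container:502 → iptables DNAT → NFQUEUE → Snort → PLC:502
#
# The variants below differ only in container/host name, SNORT_PROFILE and the
# compose profile that enables them. They all claim the same static addresses
# and host port 503, so exactly one of them may run at a time.
x-snort-common: &snort-common
  build: ./snort
  image: ics-snort
  # privileged already grants every capability and unrestricted host-device
  # access, so the cap_add entries are redundant and serve only to document the
  # minimum NFQUEUE/iptables actually needs (NET_ADMIN + NET_RAW). Forwarding
  # between the two networks presumably also needs net.ipv4.ip_forward=1,
  # which is why privileged is kept; if the entrypoint can be changed to rely
  # on a `sysctls:` entry instead, drop privileged. TODO confirm against image.
  privileged: true
  cap_add:
    - NET_ADMIN
    - NET_RAW
  networks:
    ics-untrusted:
      ipv4_address: 192.168.96.20
    ics-protected:
      ipv4_address: 192.168.95.20
  ports:
    # Attack surface under test; published on all host interfaces. Prefix with
    # 127.0.0.1: if the attacker tooling only ever runs on this host.
    - "503:502"
  volumes:
    # Shared writable log directory for every container, including the ones on
    # the untrusted side; treat the logs as tamperable, not as evidence.
    - ./logs:/logs
  # depends_on only orders container start-up; it does not wait for the PLC to
  # be listening on 502.
  depends_on:
    - plc
  stdin_open: true
  tty: true

services:
  gateway:
    build: ./gateway
    image: ics-gateway
    container_name: ics-gateway
    hostname: gateway
    # privileged gives the container every capability and access to every host
    # device, which makes the explicit cap_add/devices entries below redundant
    # (kept to document what is actually required). If the image runs with
    # just NET_ADMIN/NET_RAW plus /dev/net/tun and /dev/kvm, drop privileged.
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
      - /dev/kvm:/dev/kvm  # For x86 KVM acceleration
    networks:
      ics-untrusted:
        ipv4_address: 192.168.96.10
      ics-protected:
        ipv4_address: 192.168.95.10
    ports:
      # Attack surface under test; published on all host interfaces. Prefix
      # with 127.0.0.1: if the attacker tooling only ever runs on this host.
      - "502:502"
    volumes:
      # Shared writable log directory (see the note on x-snort-common).
      - ./logs:/logs
    environment:
      - GATEWAY_ARCH=arm  # Change to 'x86' for x86 gateway with KVM
    # Start ordering only; the gateway may come up before the PLC listens.
    depends_on:
      - plc
    stdin_open: true
    tty: true

  # Primary PLC target, ASAN build, sits on the protected network.
  plc:
    build:
      context: ./plc
      target: asan
    image: frosty-goop-poc:asan
    container_name: ics-plc
    hostname: plc
    networks:
      ics-protected:
        ipv4_address: 192.168.95.2
    ports:
      # Direct path to the PLC that bypasses the gateway / Snort entirely.
      # Bound to loopback so that only this host can use it; anything else
      # must go through the gateway (502) or Snort (503). Remove the
      # 127.0.0.1: prefix only if a remote machine really needs raw access.
      - "127.0.0.1:5020:502"
    volumes:
      - ./logs:/logs
    environment:
      - LOG_FILE=/logs/plc.log
      - ASAN_OPTIONS=detect_leaks=0:abort_on_error=0:print_legend=0:color=always
      - TERM=xterm-256color
    stdin_open: true
    tty: true

  # Non-ASAN PLC build for the CVE-14462 demo. It has no `networks:` entry, so
  # it joins the compose default network rather than ics-protected and is only
  # reachable through the host port below, not via the gateway / Snort.
  plc-14462:
    build:
      context: ./plc
      target: normal
    image: frosty-goop-poc:normal
    container_name: ics-plc-14462
    hostname: plc-14462
    ports:
      # Loopback-only for the same reason as the plc service above.
      - "127.0.0.1:5022:502"
    volumes:
      - ./logs:/logs
    environment:
      - LOG_FILE=/logs/plc-14462.log
      - TERM=xterm-256color
    stdin_open: true
    tty: true
    profiles:
      - cve14462

  # ===========================================================================
  # Snort IDS profiles
  # ===========================================================================
  # Default (used by demo scripts):
  #   docker compose up snort
  #
  # Profiles for benchmarking. Always name the service on the command line:
  #   docker compose --profile snort-quickdraw up snort-quickdraw
  #   docker compose --profile snort-talos up snort-talos
  #   docker compose --profile snort-modbus up snort-modbus
  #   docker compose --profile snort-combined up snort-combined
  # A bare `docker compose --profile snort-talos up` also starts every service
  # without a profile, including the default `snort`, and the two would then
  # collide on 192.168.96.20 / 192.168.95.20 and on host port 503.

  # Default Snort service - uses Quickdraw (industry standard)
  # Used by demo.sh and demo-snort.sh scripts
  snort:
    <<: *snort-common
    container_name: ics-snort
    hostname: snort
    environment:
      - SNORT_PROFILE=quickdraw
      - TERM=xterm-256color

  # Snort with Quickdraw rules (Digital Bond industry standard)
  snort-quickdraw:
    <<: *snort-common
    container_name: ics-snort-quickdraw
    hostname: snort-quickdraw
    environment:
      - SNORT_PROFILE=quickdraw
      - TERM=xterm-256color
    profiles:
      - snort-quickdraw

  # Snort with Talos-style rules (native modbus_func keywords)
  snort-talos:
    <<: *snort-common
    container_name: ics-snort-talos
    hostname: snort-talos
    environment:
      - SNORT_PROFILE=talos
      - TERM=xterm-256color
    profiles:
      - snort-talos

  # Snort with our custom modbus rules only (CVE detection)
  snort-modbus:
    <<: *snort-common
    container_name: ics-snort-modbus
    hostname: snort-modbus
    environment:
      - SNORT_PROFILE=modbus
      - TERM=xterm-256color
    profiles:
      - snort-modbus

  # Snort with combined rules (Quickdraw + Modbus + Talos)
  snort-combined:
    <<: *snort-common
    container_name: ics-snort-combined
    hostname: snort-combined
    environment:
      - SNORT_PROFILE=combined
      - TERM=xterm-256color
    profiles:
      - snort-combined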