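services:
  thunderstorm:
    # Image tag is parameterised so deployments can pin a release instead of
    # tracking "latest" (the default, unchanged): an unpinned tag means every
    # `docker compose pull` may silently swap the scanner you are running.
    image: "ghcr.io/nextronsystems/thunderstorm-deployment:${THUNDERSTORM_TAG:-latest}"
    ports:
      # Published on all host interfaces unless BIND_ADDR is set (e.g.
      # BIND_ADDR=127.0.0.1 to keep it host-local behind a reverse proxy).
      # Docker manages published ports with its own iptables rules, so
      # host-level firewall rules may not cover this port; check with
      # `iptables -L DOCKER` on Linux hosts.
      - "${BIND_ADDR:-0.0.0.0}:${PORT:-8080}:8080"
    environment:
      # Required on initial startup: your non-host-based Thunderstorm contract token.
      # It is handed over as an environment variable, so it is readable via
      # `docker inspect` and by anything that can read the container's process
      # environment; keep it in an untracked .env file with restrictive
      # permissions, never committed. If CONTRACT_TOKEN is unset at
      # `docker compose up`, Compose substitutes an empty string (with a warning).
      CONTRACT_TOKEN: "${CONTRACT_TOKEN}"
      # Optional: upgrade to THOR techpreview channel
      # TECHPREVIEW: "true"
      # Optional: hours between signature updates (default: 0)
      # SIGNATURE_UPDATE_INTERVAL: "0"
      # Optional: result cache size (default: 250000)
      # RESULT_CACHE_SIZE: "250000"
      # Optional: enforce maximum file size for all file types including registry hives and log files
      # FORCE_MAX_FILE_SIZE: "true"
      # Optional: write log to the logs volume. NOTE(review): no logs volume is
      # declared in this file; add the matching mount under `volumes:` before
      # enabling, otherwise the log is written inside the container only.
      # LOG_ENABLED: "true"
      # Optional: TLS certificate and private key paths (mounted via secrets)
      # TLS_CERT: "/run/secrets/tls_cert"
      # TLS_KEY: "/run/secrets/tls_key"
      # Optional: only scan using YARA signatures, disables programmatic checks, STIX, Sigma and IOCs
      # PURE_YARA: "true"
      # Optional: download YARA Forge community signatures on startup - ruleset: core, extended, full.
      # Supply-chain caveat: these rules are fetched from the network at every
      # startup and are not quality-assured by Nextron; review false-positive
      # exposure and egress policy before enabling on a production scanner.
      # YARA_FORGE: "full"
      # Optional: additional Thunderstorm arguments
      # THUNDERSTORM_ARGS: ""
      # Optional: additional THOR arguments
      # THOR_ARGS: ""
      #
      # --- THOR 10 only ---
      # Optional: sample persistence - "all", "malicious", or "none" (default: none).
      # Persisted samples are the uploaded (potentially malicious) files themselves;
      # restrict access to wherever they land (presumably the thunderstorm volume -
      # confirm against the image documentation).
      # STORE_SAMPLES: "none"
      # Optional: reserve THOR threads for synchronous requests only
      # SYNC_ONLY_THREADS: ""
      #
      # --- THOR 11 only ---
      # Optional: minimum score for storing samples (default: 200, which disables storage since the max score is 100)
      # STORE_SAMPLES_SCORE: "200"
      # Optional: upload queue size warning threshold (default: 50000)
      # QUEUE_WARN_SIZE: "50000"
      # Optional: enable VFS directory mirroring uploaded files per host.
      # NOTE(review): no VFS volume is declared in this file; add one before
      # enabling, and treat its contents as untrusted uploads.
      # VFS_ENABLED: "true"
    volumes:
      # Persist Thor binaries and other artifacts across restarts
      - thunderstorm:/opt/nextron/thunderstorm
      # Optional: mount TLS certificate and private key (uncomment TLS_CERT/TLS_KEY above as well).
      # Keep the key file mode-restricted on the host; the mounts are read-only.
      # - ./tls_cert:/run/secrets/tls_cert:ro
      # - ./tls_key:/run/secrets/tls_key:ro
    # Only a non-zero exit restarts the container; see the healthcheck note below.
    restart: on-failure
    # THOR 10: periodically restart the container by signaling PID 1 once uptime exceeds
    # SIGNATURE_UPDATE_INTERVAL hours; restart policy brings it back up. Skipped when
    # SIGNATURE_UPDATE_INTERVAL is 0 (disabled, default) or TECHPREVIEW is set to any
    # non-empty value, including "false" (THOR 11 updates signatures in-process).
    #
    # Caveats a deployer should be aware of:
    #  * The check exits 0 on every branch (it is a restart trigger, not a liveness
    #    probe), so the container's "healthy" status says nothing about the service.
    #  * NOTE(review): inside a PID namespace a signal sent to PID 1 is only
    #    delivered if that process installed a handler for it, and `on-failure`
    #    only restarts on a non-zero exit code. The mechanism therefore relies on
    #    the image's entrypoint handling SIGTERM and exiting non-zero - confirm
    #    against the image before relying on it; otherwise the process may either
    #    ignore the signal or exit 0 and stay down.
    #  * Uptime is approximated from the mtime of /proc/1 and `date`/`stat` must
    #    exist in the image; a non-numeric SIGNATURE_UPDATE_INTERVAL makes the
    #    shell arithmetic fail (non-zero exit, reported as unhealthy, no restart).
    healthcheck:
      test: ["CMD-SHELL", "[ -n \"$$TECHPREVIEW\" ] || [ \"$${SIGNATURE_UPDATE_INTERVAL:-0}\" = \"0\" ] || [ $$(($$(date +%s) - $$(stat -c %Y /proc/1))) -lt $$(( $${SIGNATURE_UPDATE_INTERVAL} * 3600 )) ] || kill 1"]
      interval: 5m
      timeout: 10s
      start_period: 10m

volumes:
  # Named volume holding THOR binaries and artifacts (see service mount above)
  thunderstorm: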