Added Tenable Nessus (#71)

* Added Nessus

* Added reference

README.md

@@ -7,6 +7,7 @@ The provided configurations showcase how to set up Tailscale alongside Docker se
 If you would like to add your own config, you can use the [service-template](templates/service-template/) or simply open an [issue](https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs/issues).
 
 ## Table of Contents
+
 - [Available Configurations](#available-configurations)
   - [Networking and Security](#networking-and-security) 
   - [Media and Entertainment](#media-and-entertainment) 
@@ -32,6 +33,7 @@ If you would like to add your own config, you can use the [service-template](tem
 | 🌐 **Traefik**             | A modern reverse proxy and load balancer for microservices.              | [Details](services/traefik)             |
 | 🚀 **Tailscale Exit Node** | Configure a device to act as an exit node for your Tailscale network.    | [Details](services/tailscale-exit-node) |
 | 🌐 **DDNS Updater**        | A self-hosted solution to keep DNS A/AAAA records updated automatically. | [Details](services/ddns-updater)        |
+| 🔍 **Nessus**              | A powerful vulnerability scanner to identify and remediate security issues. | [Details](services/nessus)              |
 
 ### Media and Entertainment
 

services/nessus/.env

@@ -0,0 +1,8 @@
+#version=1.0
+#url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs
+#COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra
+SERVICE=nessus
+IMAGE_URL=tenable/nessus:latest-ubuntu
+SERVICEPORT=8834
+TS_AUTHKEY=
+DNS_SERVER=1.1.1.1

services/nessus/README.md

@@ -0,0 +1,27 @@
+# Nessus with Tailscale Sidecar Configuration
+
+> ⚠️ **Important:** This container has no ability for persistent storage - your configuration will be lost when restarting the instance.
+
+This Docker Compose configuration sets up **[Nessus](https://www.tenable.com/products/nessus)** with Tailscale as a sidecar container to securely manage and access your vulnerability assessment tool over a private Tailscale network. By integrating Tailscale, you can ensure that your Nessus instance remains private and accessible only to authorized devices on your Tailscale network.
+
+## Nessus
+
+[Nessus](https://www.tenable.com/products/nessus) is one of the most widely used vulnerability assessment tools, designed to help identify and remediate security issues in IT environments. With powerful scanning capabilities, Nessus provides detailed reports on system vulnerabilities, configuration errors, and compliance issues. By pairing Nessus with Tailscale, you can further secure your vulnerability management setup by restricting access to authorized devices within your private network.
+
+### Nessus Essentials: Free for Personal Use
+
+Nessus Essentials offers a free version of the tool for personal and home use, [request your license here](https://www.tenable.com/products/nessus/nessus-essentials). It allows scanning up to **16 IP addresses**, making it an excellent choice for individuals looking to improve the security of their home networks. Despite being a free version, Nessus Essentials provides access to many of the powerful scanning capabilities that Nessus is known for, making it ideal for learning or small-scale vulnerability assessments.
+
+## Key Features
+
+- **Comprehensive Scanning**: Identify vulnerabilities, misconfigurations, and compliance violations across networks.
+- **Detailed Reporting**: Generate in-depth reports to prioritize and remediate security issues effectively.
+- **Self-Hosted**: Maintain full control over your scanning environment with a locally hosted instance.
+- **Customizable Policies**: Tailor scans to meet your organization’s unique security needs.
+- **Free Essentials Model**: Start for free with up to 16 IPs using Nessus Essentials.
+
+## Configuration Overview
+
+In this setup, the `tailscale-nessus` service runs Tailscale, which manages secure networking for the Nessus service. The `nessus` service uses the Tailscale network stack via Docker's `network_mode: service:` configuration. This ensures that Nessus’ web interface and scanning functionalities are only accessible through the Tailscale network (or locally, if preferred), adding an additional layer of security to your vulnerability management infrastructure.
+
+For additional configuration (environment variables) - please refer to the [Tenable documentation](https://docs.tenable.com/nessus/Content/DeployNessusDocker.htm).

services/nessus/config/serve.json

@@ -0,0 +1,16 @@
+{
+  "TCP": {
+    "443": {
+      "HTTPS": true
+    }
+  },
+  "Web": {
+    "${TS_CERT_DOMAIN}:443": {
+      "Handlers": {
+        "/": {
+          "Proxy": "https+insecure://127.0.0.1:8834"
+        }
+      }
+    }
+  }
+}

services/nessus/docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailsacale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_EXTRA_ARGS=--accept-dns=true # Uncomment when using MagicDNS
+    volumes:
+      - ${PWD}/config:/config # Config folder used to store Tailscale files - you may need to change the path
+      - ${PWD}/ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+      - sys_module # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns: 
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Europe/Amsterdam
+    # volumes:
+    #   - ${PWD}/${SERVICE}-data/app/config:/config
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 30s # Time to wait before starting health checks
+    restart: always