Add initial setup files for sec-mcp stack including environment variables, setup guide, and Docker configuration

John Doe
2026-02-28 18:22:56 -05:00
commit a958c31ecf
5 changed files with 384 additions and 0 deletions
+6
@@ -0,0 +1,6 @@
MCPO_API_KEY=top-secret
MSF_PASSWORD=changeme
ZAP_API_KEY=changeme-zap-api-key
MCP_ZAP_API_KEY=changeme-mcp-zap-api-key
MD_SHARE_DIR=/opt/mcps/shared-markdown
OLLAMA_BASE_URL=http://ollama:11434
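Review bot: the four secret values here (`MCPO_API_KEY=top-secret`, `MSF_PASSWORD=changeme` and the two ZAP keys) are the same strings the compose file uses as `:-` fallbacks, so an unedited copy of this template yields a running stack whose credentials are published in the repository. Leave those values empty with a comment on how to generate them, and pair that with making the compose file require the variables, since an empty value still triggers a `:-` fallback.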
+87
@@ -0,0 +1,87 @@
# Open WebUI MCP Setup Guide
This stack exposes MCP servers through `mcpo` as OpenAPI endpoints.
- `mcpo` URL from host: `http://localhost:8000`
- `mcpo` URL from inside Docker network (Open WebUI): `http://mcpo:8000`
## 1) Start the stack
```powershell
docker compose up -d --build
```
For AMD GPU Ollama (Linux ROCm hosts):
```powershell
docker compose -f docker-compose.yml -f docker-compose.ollama-amd.yml up -d --build
```
## 2) Open Open WebUI
- Open: `http://localhost:3000`
- Create/sign in to your admin account.
## 3) Add MCP tools via OpenAPI servers
In Open WebUI, navigate to the OpenAPI server management screen (label can vary by version, typically under Admin/Settings/Tools/Integrations).
Add one OpenAPI server per MCP route from `mcpo`.
Suggested entries:
- Name: `triv3-kali-server`
- OpenAPI URL: `http://mcpo:8000/triv3-kali-server/openapi.json`
- Name: `k3nn3dy-kali-mcp`
- OpenAPI URL: `http://mcpo:8000/k3nn3dy-kali-mcp/openapi.json`
- Name: `metasploit-mcp`
- OpenAPI URL: `http://mcpo:8000/metasploit-mcp/openapi.json`
- Name: `mcp-zap-server`
- OpenAPI URL: `http://mcpo:8000/mcp-zap-server/openapi.json`
- Name: `nvd-cve-mcp-server`
- OpenAPI URL: `http://mcpo:8000/nvd-cve-mcp-server/openapi.json`
- Name: `markdownify-mcp`
- OpenAPI URL: `http://mcpo:8000/markdownify-mcp/openapi.json`
If your Open WebUI is outside Docker, use `http://localhost:8000/.../openapi.json` instead.
## 4) Authentication (if enabled)
`mcpo` is configured with API key auth (`MCPO_API_KEY`).
If Open WebUI asks for headers for an OpenAPI server, add:
- Header: `Authorization`
- Value: `Bearer <MCPO_API_KEY>`
or
- Header: `X-API-Key`
- Value: `<MCPO_API_KEY>`
Use whichever your Open WebUI version expects for OpenAPI auth headers.
## 5) Validate each server
From host browser:
- `http://localhost:8000/docs`
- `http://localhost:8000/triv3-kali-server/docs`
- `http://localhost:8000/k3nn3dy-kali-mcp/docs`
- `http://localhost:8000/metasploit-mcp/docs`
- `http://localhost:8000/mcp-zap-server/docs`
- `http://localhost:8000/nvd-cve-mcp-server/docs`
- `http://localhost:8000/markdownify-mcp/docs`
If these are reachable, Open WebUI can import them.
## Troubleshooting
- OpenAPI URL fails in Open WebUI container:
- Use `http://mcpo:8000/...` (not `localhost`) when Open WebUI runs in Docker.
- Empty tools after import:
- Check `mcpo` logs: `docker compose logs -f mcpo`
- ZAP tools fail auth:
- Verify `.env` values for `MCP_ZAP_API_KEY` and `ZAP_API_KEY`.
- Markdown file retrieval blocked:
- Verify `MD_SHARE_DIR` in `.env` and ensure files are in that directory.
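Review bot: step 1 starts the stack before anything tells the reader to create `.env` and replace the placeholder keys, so someone following only this guide runs `mcpo` on whatever defaults apply; add that as a step before `docker compose up`. In section 4 the heading says "(if enabled)" while the next sentence says API key auth is configured, and the guide offers both `Authorization: Bearer <MCPO_API_KEY>` and `X-API-Key` without saying which one `mcpo` accepts. State the header that was tested against this stack and drop the other. Section 5 should also say whether the `/docs` pages are expected to load without the key.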
+78
@@ -0,0 +1,78 @@
# sec-mcp Stack
Security-focused MCP stack routed through `mcpo`, with Open WebUI + Ollama included.
## Included MCP servers
- `triv3/mcp-kali-server`
- `k3nn3dy-ai/kali-mcp`
- `GH05TCREW/MetasploitMCP`
- `socteam-ai/nvd-cve-mcp-server`
- `dtkmn/mcp-zap-server`
- `zcaceres/markdownify-mcp`
## Files
- `docker-compose.yml` - AMD ROCm override for Ollama
- `mcpo-config.template.json` - Templated `mcpo` multi-server config
- `.env.example` - Environment variable template
- `OPENWEBUI_MCP_SETUP.md` - Step-by-step MCP setup inside Open WebUI
## Quick start
1. Create env file:
```powershell
Copy-Item .env.example .env
```
2. Start base stack:
```powershell
docker compose up -d --build
```
3. Open services:
- Open WebUI: `http://localhost:3000`
- MCPO docs: `http://localhost:8000/docs`
- Ollama API: `http://localhost:11434`
## AMD GPU (Ollama ROCm)
Use this only on Linux hosts with `/dev/kfd` and `/dev/dri` available:
```powershell
docker compose -f docker-compose.yml -f docker-compose.ollama-amd.yml up -d --build
```
## MCPO routes
Each MCP server is exposed by `mcpo` under its own path:
- `http://localhost:8000/triv3-kali-server/docs`
- `http://localhost:8000/k3nn3dy-kali-mcp/docs`
- `http://localhost:8000/metasploit-mcp/docs`
- `http://localhost:8000/mcp-zap-server/docs`
- `http://localhost:8000/nvd-cve-mcp-server/docs`
- `http://localhost:8000/markdownify-mcp/docs`
## Open WebUI MCP setup
Follow the full guide in:
- `OPENWEBUI_MCP_SETUP.md`
This includes:
- UI steps for adding OpenAPI servers
- Correct internal Docker URL usage (`http://mcpo:8000/...`)
- Auth header guidance for `MCPO_API_KEY`
- Validation and troubleshooting steps
## Notes
- First startup is slower because dependencies are built/installed.
- `markdownify-mcp` is built at `mcpo` container startup.
- `mcp-zap-server` auth values are injected via `.env` into `mcpo-config.template.json` at runtime.
- `MD_SHARE_DIR` controls markdown file access scope for `markdownify-mcp`.
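Review bot: the Files list describes `docker-compose.yml` as "AMD ROCm override for Ollama", which looks like the description of a different file, and the "AMD GPU (Ollama ROCm)" section runs `-f docker-compose.ollama-amd.yml`, a file that is not in the Files list and does not appear among the five files in this commit. Either add the override file or remove the section, and correct the `docker-compose.yml` description. The Quick start should also tell the reader to replace the placeholder secrets after `Copy-Item .env.example .env`, and the Notes should mention that ports 3000, 8000 and 11434 are published on the host.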
+166
@@ -0,0 +1,166 @@
services:
init-mcps:
image: alpine/git:2.47.0
command: >-
sh -lc "
set -e;
mkdir -p /opt/mcps;
if [ ! -d /opt/mcps/MCP-Kali-Server/.git ]; then
git clone https://github.com/triv3/mcp-kali-server.git /opt/mcps/MCP-Kali-Server;
else
cd /opt/mcps/MCP-Kali-Server && git pull --ff-only;
fi
if [ ! -d /opt/mcps/markdownify-mcp/.git ]; then
git clone https://github.com/zcaceres/markdownify-mcp.git /opt/mcps/markdownify-mcp;
else
cd /opt/mcps/markdownify-mcp && git pull --ff-only;
fi
"
volumes:
- mcp_sources:/opt/mcps
triv3-kali-api:
image: python:3.12-slim
depends_on:
init-mcps:
condition: service_completed_successfully
command: >-
sh -lc "
python -m pip install --no-cache-dir -r /opt/mcps/MCP-Kali-Server/requirements.kali.txt &&
python /opt/mcps/MCP-Kali-Server/kali-server/kali_server.py --port 5000
"
volumes:
- mcp_sources:/opt/mcps
expose:
- "5000"
kali-mcp-sse:
build:
context: https://github.com/k3nn3dy-ai/kali-mcp.git
command: ["python", "-m", "kali_mcp_server.server", "--transport", "sse", "--port", "8000"]
expose:
- "8000"
metasploit-rpc:
image: metasploitframework/metasploit-framework:latest
environment:
- MSF_PASSWORD=${MSF_PASSWORD:-changeme}
command: >-
sh -lc "
msfrpcd -P ${MSF_PASSWORD:-changeme} -S -a 0.0.0.0 -p 55553 -f
"
expose:
- "55553"
metasploit-mcp:
image: python:3.12-slim
depends_on:
- metasploit-rpc
environment:
- MSF_PASSWORD=${MSF_PASSWORD:-changeme}
- MSF_SERVER=metasploit-rpc
- MSF_PORT=55553
- MSF_SSL=false
command: >-
sh -lc "
apt-get update && apt-get install -y --no-install-recommends git &&
rm -rf /var/lib/apt/lists/* &&
git clone https://github.com/GH05TCREW/MetasploitMCP.git /opt/MetasploitMCP &&
python -m pip install --no-cache-dir -r /opt/MetasploitMCP/requirements.txt &&
python /opt/MetasploitMCP/MetasploitMCP.py --transport http --host 0.0.0.0 --port 8085
"
expose:
- "8085"
zap:
image: zaproxy/zap-stable:latest
environment:
- ZAP_API_KEY=${ZAP_API_KEY:-changeme-zap-api-key}
command: >-
sh -lc "
zap.sh -daemon -host 0.0.0.0 -port 8090
-config api.addrs.addr.name=.*
-config api.addrs.addr.regex=true
-config api.key=${ZAP_API_KEY:-changeme-zap-api-key}
"
expose:
- "8090"
mcp-zap-server:
image: ghcr.io/dtkmn/mcp-zap-server:latest
depends_on:
- zap
environment:
- MCP_SECURITY_MODE=api-key
- MCP_API_KEY=${MCP_ZAP_API_KEY:-changeme-mcp-zap-api-key}
- ZAP_SERVER_URL=zap
- ZAP_SERVER_PORT=8090
- ZAP_SERVER_API_KEY=${ZAP_API_KEY:-changeme-zap-api-key}
expose:
- "7456"
ollama:
image: ollama/ollama:rocm
devices:
- /dev/kfd
- /dev/dri
ports:
- "11434:11434"
volumes:
- ollama_data:/root/.ollama
restart: unless-stopped
open-webui:
image: ghcr.io/open-webui/open-webui:main
depends_on:
- ollama
- mcpo
environment:
- OLLAMA_BASE_URL=${OLLAMA_BASE_URL:-http://ollama:11434}
ports:
- "3000:8080"
volumes:
- open_webui_data:/app/backend/data
restart: unless-stopped
mcpo:
image: ghcr.io/open-webui/mcpo:main
depends_on:
init-mcps:
condition: service_completed_successfully
triv3-kali-api:
condition: service_started
kali-mcp-sse:
condition: service_started
metasploit-mcp:
condition: service_started
mcp-zap-server:
condition: service_started
environment:
- MCPO_API_KEY=${MCPO_API_KEY:-top-secret}
- MCP_ZAP_API_KEY=${MCP_ZAP_API_KEY:-changeme-mcp-zap-api-key}
- MD_SHARE_DIR=${MD_SHARE_DIR:-/opt/mcps/shared-markdown}
command: >-
sh -lc "
apt-get update && apt-get install -y --no-install-recommends gettext-base python3 python3-pip curl bash &&
rm -rf /var/lib/apt/lists/* &&
python -m pip install --no-cache-dir -r /opt/mcps/MCP-Kali-Server/requirements.mcp.txt &&
mkdir -p ${MD_SHARE_DIR:-/opt/mcps/shared-markdown} &&
cd /opt/mcps/markdownify-mcp &&
rm -f .python-version &&
corepack enable &&
pnpm install &&
pnpm run build &&
envsubst < /config/mcpo-config.template.json > /tmp/mcpo-config.json &&
mcpo --host 0.0.0.0 --port 8000 --api-key \"${MCPO_API_KEY:-top-secret}\" --config /tmp/mcpo-config.json
"
volumes:
- ./mcpo-config.template.json:/config/mcpo-config.template.json:ro
- mcp_sources:/opt/mcps
ports:
- "8000:8000"
volumes:
mcp_sources:
ollama_data:
open_webui_data:
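Review bot: every secret in this file has a known fallback (`${MCPO_API_KEY:-top-secret}`, `${MSF_PASSWORD:-changeme}`, `${ZAP_API_KEY:-changeme-zap-api-key}`), and `mcpo` is published as `"8000:8000"` on all host interfaces, so a host started without a `.env` exposes the Kali and Metasploit tool routes behind a key that is in the repository. Use the required form, for example `${MCPO_API_KEY:?set MCPO_API_KEY in .env}`, for all four secrets, and bind the published ports to loopback (`"127.0.0.1:8000:8000"`, likewise 3000 and 11434) unless remote access is intended. The `zap` service also accepts API calls from any address (`api.addrs.addr.name=.*`), and `msfrpcd` is started with `-S` alongside `MSF_SSL=false` and takes the password as a command-line argument; both deserve a comment explaining that they rely on the internal network only. Separately, the `ollama` service in this base file uses the `rocm` image and requires `/dev/kfd` and `/dev/dri`, so the base stack will not start on hosts without those devices. Finally, images are tracked by `:latest` and `:main`, and the `git clone`, `git pull` and remote build `context` lines fetch unpinned upstream code at every start; pin tags or digests and check out fixed commits.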
+47
@@ -0,0 +1,47 @@
{
"mcpServers": {
"triv3-kali-server": {
"command": "python",
"args": [
"/opt/mcps/MCP-Kali-Server/mcp-server/mcp_server.py",
"--server",
"http://triv3-kali-api:5000"
],
"env": {
"KALI_SERVER_URL": "http://triv3-kali-api:5000"
}
},
"k3nn3dy-kali-mcp": {
"type": "sse",
"url": "http://kali-mcp-sse:8000/sse"
},
"metasploit-mcp": {
"type": "sse",
"url": "http://metasploit-mcp:8085/sse"
},
"mcp-zap-server": {
"type": "streamable-http",
"url": "http://mcp-zap-server:7456/mcp",
"headers": {
"X-API-Key": "${MCP_ZAP_API_KEY}"
}
},
"nvd-cve-mcp-server": {
"command": "npx",
"args": [
"-y",
"nvd-cve-mcp-server"
]
},
"markdownify-mcp": {
"command": "node",
"args": [
"/opt/mcps/markdownify-mcp/dist/index.js"
],
"env": {
"UV_PATH": "/bin/uv",
"MD_SHARE_DIR": "${MD_SHARE_DIR}"
}
}
}
}
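Review bot: the `nvd-cve-mcp-server` entry runs `npx -y nvd-cve-mcp-server` with no version, so each container start downloads and executes whatever the package registry serves at that moment, inside the same container that holds `MCPO_API_KEY` and `MCP_ZAP_API_KEY`. Pin an exact version in the argument, or install it at a fixed version during the build step. Since the template is rendered with a bare `envsubst`, any future `${...}` text in this file will also be substituted and an unset variable becomes an empty string (an empty `X-API-Key` header here); passing `envsubst` an explicit variable list limits it to the two placeholders that are intended.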