refactor: extract Wazuh DockerListener setup into dedicated package

- Moved DockerListener installation logic from cmd/create to pkg/wazuh/dockerlistener for better code organization
- Added sync command support for --wazuh --docker integration to enable container event monitoring
- Fixed Authentik blueprint export to capture stdout directly instead of using non-existent --output flag

Author: CodeMonkeyCybersecurity

cmd/create/wazuh_docker_listener.go

@@ -2,95 +2,28 @@
 package create
 
 import (
-	"os"
-	"strings"
-
+	eos "github.com/CodeMonkeyCybersecurity/eos/pkg/eos_cli"
 	"github.com/CodeMonkeyCybersecurity/eos/pkg/eos_io"
-	"github.com/CodeMonkeyCybersecurity/eos/pkg/execute"
-	"github.com/CodeMonkeyCybersecurity/eos/pkg/shared"
+	"github.com/CodeMonkeyCybersecurity/eos/pkg/wazuh/dockerlistener"
+	"github.com/spf13/cobra"
 	"github.com/uptrace/opentelemetry-go-extra/otelzap"
 	"go.uber.org/zap"
-
-	eos "github.com/CodeMonkeyCybersecurity/eos/pkg/eos_cli"
-	"github.com/spf13/cobra"
 )
 
 var DockerListenerCmd = &cobra.Command{
 	Use:   "docker-listener",
 	Short: "Installs and configures the Wazuh DockerListener for Wazuh",
 	Long:  "Sets up a Python virtual environment and configures Wazuh's DockerListener integration.",
 	RunE: eos.Wrap(func(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error {
-		otelzap.Ctx(rc.Ctx).Info(" Setting up Wazuh DockerListener...")
-
-		steps := []struct {
-			desc string
-			fn   func() error
-		}{
-			{" apt update", func() error { return execute.RunSimple(rc.Ctx, "apt", "update") }},
-			{" install python3-venv + pip", func() error {
-				return execute.RunSimple(rc.Ctx, "apt", "install", "-y", "python3-venv", "python3-pip")
-			}},
-			{" create venv dir", func() error {
-				return execute.RunSimple(rc.Ctx, "mkdir", "-p", shared.VenvPath)
-			}},
-			{"🐍 create venv", func() error {
-				return execute.RunSimple(rc.Ctx, "python3", "-m", "venv", shared.VenvPath)
-			}},
-			{" pip install requirements", func() error {
-				return execute.RunSimple(rc.Ctx, shared.VenvPath+"/bin/pip", "install",
-					"docker==7.1.0", "urllib3==1.26.20", "requests==2.32.2")
-			}},
-			{" patch DockerListener", func() error {
-				return patchDockerListener(rc)
-			}},
-			{" restart wazuh-agent", func() error {
-				return execute.RunSimple(rc.Ctx, "systemctl", "restart", "wazuh-agent")
-			}},
-		}
+		logger := otelzap.Ctx(rc.Ctx)
+		logger.Info(" Setting up Wazuh DockerListener...")
 
-		for _, step := range steps {
-			otelzap.Ctx(rc.Ctx).Info(step.desc)
-			if err := step.fn(); err != nil {
-				otelzap.Ctx(rc.Ctx).Error(" Failed: "+step.desc, zap.Error(err))
-				return err
-			}
+		if err := dockerlistener.Setup(rc); err != nil {
+			logger.Error(" DockerListener setup failed", zap.Error(err))
+			return err
 		}
 
-		otelzap.Ctx(rc.Ctx).Info(" DockerListener setup complete.")
+		logger.Info(" DockerListener setup complete.")
 		return nil
 	}),
 }
-
-// TODO move to pkg/ to DRY up this code base but putting it with other similar functions
-func patchDockerListener(rc *eos_io.RuntimeContext) error {
-	path := shared.DockerListener
-	if _, err := os.Stat(path); os.IsNotExist(err) {
-		otelzap.Ctx(rc.Ctx).Warn("DockerListener script not found", zap.String("path", path))
-		return nil
-	}
-
-	backup := path + ".bak"
-	if err := execute.RunSimple(rc.Ctx, "cp", path, backup); err != nil {
-		otelzap.Ctx(rc.Ctx).Warn("Failed to backup DockerListener", zap.Error(err))
-	}
-
-	content, err := os.ReadFile(path)
-	if err != nil {
-		return err
-	}
-
-	lines := strings.Split(string(content), "\n")
-	if len(lines) < 2 {
-		return nil // malformed or empty script
-	}
-
-	shebang := "#!" + shared.VenvPath + "/bin/python3"
-	newContent := shebang + "\n" + strings.Join(lines[1:], "\n")
-
-	if err := os.WriteFile(path, []byte(newContent), shared.DirPermStandard); err != nil {
-		return err
-	}
-
-	otelzap.Ctx(rc.Ctx).Info(" DockerListener script patched", zap.String("path", path))
-	return nil
-}

cmd/sync/sync.go

@@ -28,13 +28,15 @@ var (
 	syncTailscale bool
 	syncAuthentik bool
 	syncWazuh     bool
+	syncDocker    bool
 )
 
 func init() {
 	// Register all available connectors
 	sync.RegisterConnector(connectors.NewConsulVaultConnector())
 	sync.RegisterConnector(connectors.NewConsulTailscaleAutoConnector())
 	sync.RegisterConnector(connectors.NewAuthentikWazuhConnector())
+	sync.RegisterConnector(connectors.NewWazuhDockerConnector())
 }
 
 // SyncCmd is the root command for service synchronization
@@ -52,6 +54,7 @@ Currently supported service pairs:
                       register Vault in Consul service catalog (Pattern 3: Raft + Secrets Engine)
   - --consul --tailscale: Configure local Consul to bind to Tailscale IP
   - --authentik --wazuh: Configure Wazuh SSO integration with Authentik
+  - --wazuh --docker: Configure Wazuh DockerListener for container event monitoring
 
 For joining Consul nodes into a cluster:
   - eos sync consul --nodes vhost7 vhost11    # Join multiple Consul nodes together
@@ -74,6 +77,9 @@ Examples:
   # Configure Wazuh SSO with Authentik
   eos sync --authentik --wazuh
 
+  # Enable Wazuh Docker container monitoring
+  eos sync --wazuh --docker
+
   # Preview changes without applying (dry-run)
   eos sync --consul --vault --dry-run
 
@@ -100,6 +106,8 @@ func init() {
 		"Sync Authentik service")
 	SyncCmd.Flags().BoolVar(&syncWazuh, "wazuh", false,
 		"Sync Wazuh service")
+	SyncCmd.Flags().BoolVar(&syncDocker, "docker", false,
+		"Sync Docker container monitoring with Wazuh")
 
 	// Operation flags
 	SyncCmd.Flags().BoolVar(&syncDryRun, "dry-run", false,
@@ -132,12 +140,15 @@ func runSync(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error
 	if syncWazuh {
 		selectedServices = append(selectedServices, "wazuh")
 	}
+	if syncDocker {
+		selectedServices = append(selectedServices, "docker")
+	}
 
 	// Validate exactly 2 services selected
 	if len(selectedServices) == 0 {
 		return eos_err.NewUserError(
 			"No services specified. Please specify exactly 2 services to sync.\n\n" +
-				"Available services: --consul, --vault, --tailscale, --authentik, --wazuh\n\n" +
+				"Available services: --consul, --vault, --tailscale, --authentik, --wazuh, --docker\n\n" +
 				"Examples:\n" +
 				"  eos sync --consul --vault\n" +
 				"  eos sync --authentik --wazuh\n" +
@@ -178,7 +189,8 @@ func runSync(rc *eos_io.RuntimeContext, cmd *cobra.Command, args []string) error
 			"Service pair not supported: %s ↔ %s\n\n"+
 				"Currently supported pairs:\n"+
 				"  - consul ↔ vault\n"+
-				"  - consul ↔ tailscale (auto-discovers and joins Consul nodes)\n\n"+
+				"  - consul ↔ tailscale (auto-discovers and joins Consul nodes)\n"+
+				"  - docker ↔ wazuh (configures Wazuh DockerListener)\n\n"+
 				"For explicit node targeting:\n"+
 				"  - eos sync consul --vhost7 --vhost11\n\n"+
 				"Error: %v",

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/hcl/v2 v2.24.0
-	github.com/hashicorp/nomad/api v0.0.0-20251103214437-68b5cfb5c6b9
+	github.com/hashicorp/nomad/api v0.0.0-20251104073108-6235838dbf30
 	github.com/hashicorp/terraform-exec v0.24.0
 	github.com/hashicorp/vault/api v1.22.0
 	github.com/hashicorp/vault/api/auth/approle v0.11.0
@@ -67,6 +67,14 @@ require (
 	tailscale.com v1.90.6
 )
 
+exclude (
+	github.com/armon/go-metrics v0.5.0
+	github.com/armon/go-metrics v0.5.1
+	github.com/armon/go-metrics v0.5.2
+	github.com/armon/go-metrics v0.5.3
+	github.com/armon/go-metrics v0.5.4
+)
+
 require (
 	cuelabs.dev/go/oci/ociregistry v0.0.0-20250722084951-074d06050084 // indirect
 	dario.cat/mergo v1.0.2 // indirect
@@ -109,7 +117,7 @@ require (
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.9.0 // indirect
+	github.com/ebitengine/purego v0.9.1 // indirect
 	github.com/emicklei/proto v1.14.2 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect

go.sum

@@ -163,6 +163,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/ebitengine/purego v0.9.0 h1:mh0zpKBIXDceC63hpvPuGLiJ8ZAa3DfrFTudmfi8A4k=
 github.com/ebitengine/purego v0.9.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/ebitengine/purego v0.9.1 h1:a/k2f2HQU3Pi399RPW1MOaZyhKJL9w/xFpKAg4q1s0A=
+github.com/ebitengine/purego v0.9.1/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3DfFi4EXdT+B+gTtzx8GC9xsc26Znk=
@@ -349,6 +351,8 @@ github.com/hashicorp/nomad/api v0.0.0-20251029164822-3a20db342673 h1:aq5EIY1F520
 github.com/hashicorp/nomad/api v0.0.0-20251029164822-3a20db342673/go.mod h1:sldFTIgs+FsUeKU3LwVjviAIuksxD8TzDOn02MYwslE=
 github.com/hashicorp/nomad/api v0.0.0-20251103214437-68b5cfb5c6b9 h1:PURgS42XSZh1yIUA5gOzrkSKAGzP72QFZMASZdhdfMY=
 github.com/hashicorp/nomad/api v0.0.0-20251103214437-68b5cfb5c6b9/go.mod h1:sldFTIgs+FsUeKU3LwVjviAIuksxD8TzDOn02MYwslE=
+github.com/hashicorp/nomad/api v0.0.0-20251104073108-6235838dbf30 h1:ZAebOeSxrdDmmaD9dK/4MRe6gTI0Ts25D6eKCMbnNNQ=
+github.com/hashicorp/nomad/api v0.0.0-20251104073108-6235838dbf30/go.mod h1:sldFTIgs+FsUeKU3LwVjviAIuksxD8TzDOn02MYwslE=
 github.com/hashicorp/serf v0.10.2 h1:m5IORhuNSjaxeljg5DeQVDlQyVkhRIjJDimbkCa8aAc=
 github.com/hashicorp/serf v0.10.2/go.mod h1:T1CmSGfSeGfnfNy/w0odXQUR1rfECGd2Qdsp84DjOiY=
 github.com/hashicorp/terraform-exec v0.24.0 h1:mL0xlk9H5g2bn0pPF6JQZk5YlByqSqrO5VoaNtAf8OE=

pkg/authentik/blueprints.go

@@ -20,56 +20,65 @@ import (
 // ExportBlueprint exports Authentik configuration as Blueprint YAML
 // VENDOR APPROACH: Uses `ak export_blueprint` command in worker container
 // BENEFITS: Automatic UUID handling, dependency resolution, official support
+// FIXED: ak export_blueprint outputs to stdout (no --output flag exists)
+// EVIDENCE: https://docs.goauthentik.io/customize/blueprints/export/
 func (c *Client) ExportBlueprint(ctx context.Context, outputPath string) error {
-	// Run ak export_blueprint command in worker container
-	// NOTE: Exports flows, stages, policies, providers as YAML
+	// CORRECTED: ak export_blueprint outputs to stdout, redirect to file
+	// BEFORE (WRONG): "ak", "export_blueprint", "--output", "/tmp/blueprint.yaml"
+	// AFTER (CORRECT): "ak", "export_blueprint" > file
 	cmd := exec.CommandContext(ctx,
 		"docker", "exec",
 		"hecate-server-1", // Authentik server container
 		"ak", "export_blueprint",
-		"--output", "/tmp/blueprint.yaml",
 	)
 
-	output, err := cmd.CombinedOutput()
+	// Capture stdout (blueprint YAML)
+	output, err := cmd.Output()
 	if err != nil {
-		return fmt.Errorf("blueprint export failed: %w (output: %s)", err, string(output))
+		// Include stderr for diagnostics
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			return fmt.Errorf("blueprint export failed: %w\nStderr: %s", err, string(exitErr.Stderr))
+		}
+		return fmt.Errorf("blueprint export failed: %w", err)
 	}
 
-	// Copy blueprint from container to host
-	copyCmd := exec.CommandContext(ctx,
-		"docker", "cp",
-		"hecate-server-1:/tmp/blueprint.yaml",
-		outputPath,
-	)
+	// Write blueprint output directly to host file
+	if err := os.WriteFile(outputPath, output, 0600); err != nil {
+		return fmt.Errorf("failed to write blueprint to %s: %w", outputPath, err)
+	}
 
-	if err := copyCmd.Run(); err != nil {
-		return fmt.Errorf("failed to copy blueprint from container: %w", err)
+	// Verify file has content
+	if len(output) == 0 {
+		return fmt.Errorf("blueprint export produced empty output")
 	}
 
 	return nil
 }
 
 // ExportBlueprintToDirectory exports Blueprint and saves to specified directory
 // CONVENIENCE: Wrapper around ExportBlueprint with timestamped filename
+// FIXED: ak export_blueprint outputs to stdout (no --output flag exists)
+// EVIDENCE: https://docs.goauthentik.io/customize/blueprints/export/
 func ExportBlueprintToDirectory(rc *eos_io.RuntimeContext, outputDir string) (string, error) {
 	logger := otelzap.Ctx(rc.Ctx)
 
 	// Create Blueprint filename
 	blueprintPath := filepath.Join(outputDir, "23_authentik_blueprint.yaml")
 
-	// Use unified client to export
-	// NOTE: For now, use exec directly until Client consolidation complete
+	// CORRECTED: ak export_blueprint outputs to stdout, redirect to file
+	// BEFORE (WRONG): "ak", "export_blueprint", "--output", "/tmp/blueprint.yaml"
+	// AFTER (CORRECT): "ak", "export_blueprint" > file
 	cmd := exec.CommandContext(rc.Ctx,
 		"docker", "exec",
 		"hecate-server-1",
 		"ak", "export_blueprint",
-		"--output", "/tmp/blueprint.yaml",
 	)
 
 	logger.Info("Exporting Authentik Blueprint via ak command",
 		zap.String("container", "hecate-server-1"))
 
-	output, err := cmd.CombinedOutput()
+	// Capture stdout (blueprint YAML)
+	output, err := cmd.Output()
 	if err != nil {
 		// Check if container exists
 		checkCmd := exec.CommandContext(rc.Ctx, "docker", "ps", "-a", "--filter", "name=hecate-server-1", "--format", "{{.Names}}")
@@ -78,18 +87,16 @@ func ExportBlueprintToDirectory(rc *eos_io.RuntimeContext, outputDir string) (st
 			return "", fmt.Errorf("Authentik server container not found (hecate-server-1) - is docker-compose running?")
 		}
 
-		return "", fmt.Errorf("blueprint export failed: %w (output: %s)", err, string(output))
+		// Include stderr for diagnostics
+		if exitErr, ok := err.(*exec.ExitError); ok {
+			return "", fmt.Errorf("blueprint export failed: %w\nStderr: %s", err, string(exitErr.Stderr))
+		}
+		return "", fmt.Errorf("blueprint export failed: %w", err)
 	}
 
-	// Copy blueprint from container to host
-	copyCmd := exec.CommandContext(rc.Ctx,
-		"docker", "cp",
-		"hecate-server-1:/tmp/blueprint.yaml",
-		blueprintPath,
-	)
-
-	if err := copyCmd.Run(); err != nil {
-		return "", fmt.Errorf("failed to copy blueprint from container: %w", err)
+	// Write blueprint output directly to host file
+	if err := os.WriteFile(blueprintPath, output, 0600); err != nil {
+		return "", fmt.Errorf("failed to write blueprint to %s: %w", blueprintPath, err)
 	}
 
 	// Verify file was created and has content
@@ -98,6 +105,10 @@ func ExportBlueprintToDirectory(rc *eos_io.RuntimeContext, outputDir string) (st
 		return "", fmt.Errorf("blueprint file not created: %w", err)
 	}
 
+	if info.Size() == 0 {
+		return "", fmt.Errorf("blueprint file is empty - export may have failed silently")
+	}
+
 	logger.Info("✓ Exported Authentik Blueprint",
 		zap.String("file", "23_authentik_blueprint.yaml"),
 		zap.Int64("size_bytes", info.Size()),

pkg/docker/client.go

@@ -0,0 +1,34 @@
+package docker
+
+import (
+	"context"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/client"
+)
+
+const defaultTimeout = 5 * time.Second
+
+// New establishes a Docker client using environment configuration with API version negotiation enabled.
+func New(ctx context.Context) (*client.Client, error) {
+	return client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+}
+
+// Ping validates connectivity with the Docker daemon within a short timeout window.
+func Ping(ctx context.Context, cli *client.Client) error {
+	pingCtx, cancel := context.WithTimeout(ctx, defaultTimeout)
+	defer cancel()
+
+	_, err := cli.Ping(pingCtx)
+	return err
+}
+
+// ListContainers performs a lightweight container listing to confirm API access without retrieving the full dataset.
+func ListContainers(ctx context.Context, cli *client.Client, limit int) ([]types.Container, error) {
+	listCtx, cancel := context.WithTimeout(ctx, defaultTimeout)
+	defer cancel()
+
+	return cli.ContainerList(listCtx, container.ListOptions{Limit: limit})
+}