Edgewatch Bastion Base
Download Debian packages and checksums: APT source `deb [trusted=yes] https://download.edgewatch.com/debian/bastion trixie main`, static archive under `/debian/bastion/`, and GitHub Releases assets for edgewatch-bastion-base.
edgewatch-bastion-base is a reproducible Debian package build for an OpenResty edge stack. It compiles OpenResty with ModSecurity v3, OWASP Core Rule Set, Brotli, GeoIP2 support, AJP support, and a hardened systemd service, then packages the result as an installable .deb for Debian 13 (Trixie) on amd64.
The repository is a build and packaging pipeline, not an application runtime. The produced package installs OpenResty under /usr/local/openresty, runtime configuration under /etc/nginx and /etc/modsecurity, log handling, sysctl tuning, tmpfiles, and Debian maintainer scripts for install, upgrade, remove, and purge behavior.
What the package includes
| Area | Included assets |
|---|---|
| Web server | OpenResty, nginx core modules, HTTP/2, HTTP/3 support compiled but disabled by default |
| Security | ModSecurity v3 from the OWASP-maintained fork and OWASP CRS under /etc/modsecurity/crs/ |
| Edge features | Brotli, GeoIP2 module, headers-more from OpenResty, and AJP module support |
| Operations | openresty.service, tmpfiles, logrotate, sysctl tuning, runtime directories, and default vhosts |
| Packaging | Debian control template, maintainer scripts, conffiles, checksums, and SHA256 release artifact |
Repository responsibilities
The local scripts do four main things:
- Resolve upstream versions and sources into `build/src` and `build/cache`.
- Compile libmodsecurity and OpenResty into `build/stage`.
- Copy configuration, system integration files, and CRS into the stage tree.
- Produce `build/dist/edgewatch-bastion-base_<version>_amd64.deb` plus a matching `.sha256` file.
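
The `.sha256` file produced in the last step can be checked against a downloaded package before it is installed. The script below is an added example, not one of the repository's scripts. It assumes the `.sha256` file is in `sha256sum` output format (`<digest>  <filename>`), and `verify_deb` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not one of the repository's scripts): check a downloaded
# package against its .sha256 file before installing it.
# Assumption: the .sha256 file uses sha256sum(1) format, "<64 hex>  <filename>".

# verify_deb DEB SUMFILE   (hypothetical helper name)
# Returns 0 on match, 1 on digest mismatch, 2 on missing or malformed input.
verify_deb() {
    deb=$1
    sumfile=$2

    if [ ! -f "$deb" ] || [ ! -f "$sumfile" ]; then
        echo "verify_deb: missing package or checksum file" >&2
        return 2
    fi

    # Use the first line only; "name" receives the rest of the line.
    expected='' name=''
    read -r expected name < "$sumfile" || true
    name=${name#\*}                      # drop sha256sum's binary-mode marker

    # Reject anything that is not exactly 64 hex digits.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
        echo "verify_deb: malformed digest in $sumfile" >&2
        return 2
    fi

    # The checksum line must refer to this package, not some other file.
    if [ "${name##*/}" != "${deb##*/}" ]; then
        echo "verify_deb: $sumfile is for '$name', not ${deb##*/}" >&2
        return 2
    fi

    actual=$(sha256sum < "$deb") || return 2
    actual=${actual%% *}                 # keep the digest, drop the "  -" suffix
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    if [ "$actual" = "$expected" ]; then
        echo "OK: ${deb##*/} matches $expected"
        return 0
    fi
    echo "MISMATCH: ${deb##*/} is $actual, expected $expected" >&2
    return 1
}

# Run directly: sh verify_deb.sh <package.deb> <package.sha256>
[ "$#" -eq 0 ] || verify_deb "$@"
```

A matching digest shows the package is intact relative to the checksum file; it authenticates the package only if the checksum file came over a channel trusted independently of the download. That distinction matters for the APT source above, because the `[trusted=yes]` option tells APT to skip repository signature verification.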
The existing GitLab pipeline remains responsible for .deb validation, smoke testing, and package/release publishing. This Docusaurus site is separate documentation tooling and can be deployed manually to GitHub Pages without changing that pipeline.