Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/sebastianwachter/trapralgra

An easy to deploy router and monitoring stack.

alertmanager cadvisor docker grafana node-exporter prometheus pushgateway traefik-v2




README


# TraPrAlGra

A **Tra**efik, **Pr**ometheus, node-exporter, cAdvisor, pushgateway, **Al**ertmanager and **Gra**fana edge router and monitoring stack. The goal of this project is to give people a stack built on modern technologies that is easy to set up and deploy. It automatically obtains A+ rated (according to [SSL-Labs](https://www.ssllabs.com/)) SSL certificates issued by Let's Encrypt. TraPrAlGra also automatically redirects users who request a page over http to its https counterpart.

## The main components:

### Traefik

> Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them. - [Traefik](https://docs.traefik.io/)

Traefik makes registering new services (including their respective subdomains) a breeze and keeps the configuration lean and readable.

### Prometheus

> Prometheus is a free software application used for event monitoring and alerting. It records real-time metrics in a time series database (allowing for high dimensionality) built using a HTTP pull model, with flexible queries and real-time alerting. - [Wikipedia](https://en.wikipedia.org/wiki/Prometheus_(software))

Prometheus is the centre of the monitoring stack: it collects all the metric data generated by the other components (node-exporter, cAdvisor, pushgateway and Traefik itself). When a configurable alert rule fires, Alertmanager sends a message to the configured receivers.
Since not all services support the Prometheus pull model, the pushgateway is included in this stack so that metrics from such services can be collected as well.

### Grafana

> Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application. - [Arch Wiki](https://wiki.archlinux.org/index.php/Grafana)

Grafana takes the metrics provided by Prometheus and displays them in beautiful graph dashboards. TraPrAlGra includes 4 preconfigured dashboards to serve different use cases:

- **Docker Containers**: Displays graphs about metrics collected from Docker containers that are not part of the monitoring stack.
- **Docker Host**: Displays graphs of the server's hardware usage and general machine stats such as uptime.
- **Monitor Services**: Displays graphs about the monitoring containers and Prometheus' own generated metrics.
- **Traefik**: Displays graphs generated out of Traefik's metrics such as HTTP status codes and average response times.

## Prerequisites

To use TraPrAlGra you need the following:

- A domain
- A server with `docker` and `docker-compose` installed
- An Alertmanager-compatible receiver (this repo already includes a template for Slack)

## Configuration guide

1. Clone this repository to your machine: `git clone git@github.com:sebastianwachter/TraPrAlGra.git`
2. Create a Docker network called "proxy": `docker network create proxy`. This is the network your services join in order to be proxied by Traefik.
3. Restrict the permissions of `acme.json` to 600: `chmod 600 acme.json`
4. In the `traefik.yml` file fill in your e-mail address where it is required (use the same address in both places).
5. Generate an http basic auth user and password pair with `htpasswd -nb <user> <password>` and copy the output.
6. Open the `.env` file and replace the placeholders (`TRAEFIK_DASHBOARD_USER` and `TRAEFIK_DASHBOARD_PASSWORD`) with the data generated in step 5.
7. Still in `.env`, replace `TRAEFIK_DOMAIN` with your domain, e.g. `example.com`
8. Also in the `.env` file decide (`TRAEFIK_LE_RESOLVER`) whether you want to use the `staging` or the usual Let's Encrypt resolver (`leresolver`). The `staging` server generates invalid self-signed certificates intended for development, while `leresolver` generates A+ rated SSL certificates; requesting those too often in a short period of time will get the domain rate limited ([further reading on rate limits here](https://letsencrypt.org/de/docs/rate-limits/)).
9. As a final step in the `.env`, replace the `GF_SECURITY_ADMIN_PASSWORD` placeholder with a password in plain text. This will be used to log in to Grafana.
10. Create an incoming webhook for your Slack workspace using [this guide](https://slack.com/intl/en-de/help/articles/115005265063-Incoming-WebHooks-for-Slack) and paste the generated URL into the `api_url` field in `./alertmanager/config.yml`. If you don't want to use Slack as a receiver for monitoring alerts, [here](https://github.com/prometheus/alertmanager/blob/master/doc/examples/simple.yml) are some alternative examples.
11. Run `docker-compose up -d`
12. Profit!
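Steps 3 to 9 above are easy to get half-done (a placeholder left in `.env`, a mistyped resolver name, `acme.json` still world-readable). The following pre-flight check is an added example, not code from the TraPrAlGra repository: it parses a `.env` file, verifies the variables the guide names, and checks that `acme.json` has mode 600. The `<...>` placeholder spelling, the sample `.env` contents and the function names are assumptions of this example.

```python
"""Pre-flight check for the TraPrAlGra `.env` and `acme.json` settings.

Added example, not part of the TraPrAlGra repository. It assumes only the
variable names the README names (TRAEFIK_DASHBOARD_USER, TRAEFIK_DASHBOARD_PASSWORD,
TRAEFIK_DOMAIN, TRAEFIK_LE_RESOLVER, GF_SECURITY_ADMIN_PASSWORD); the `<...>`
placeholder spelling and the function names are assumptions.
"""
import os
import re
import stat

REQUIRED_KEYS = (
    "TRAEFIK_DASHBOARD_USER",
    "TRAEFIK_DASHBOARD_PASSWORD",
    "TRAEFIK_DOMAIN",
    "TRAEFIK_LE_RESOLVER",
    "GF_SECURITY_ADMIN_PASSWORD",
)
VALID_RESOLVERS = {"staging", "leresolver"}
# Bare DNS name: labels of 1-63 chars, no scheme, no port, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I
)

# Constructed sample: two of the README steps were skipped on purpose
# (wrong resolver name, Grafana placeholder left in place).
SAMPLE_ENV = """\
TRAEFIK_DASHBOARD_USER=admin
TRAEFIK_DASHBOARD_PASSWORD=$apr1$notarealsalt$notarealhash
TRAEFIK_DOMAIN=example.com
TRAEFIK_LE_RESOLVER=production
GF_SECURITY_ADMIN_PASSWORD=<grafana-admin-password>
"""


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def check_env(env):
    """Return a list of human-readable problems; an empty list means all good."""
    problems = []
    for key in REQUIRED_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{key} still holds the placeholder {value}")
    resolver = env.get("TRAEFIK_LE_RESOLVER")
    if resolver and resolver not in VALID_RESOLVERS:
        problems.append(
            f"TRAEFIK_LE_RESOLVER={resolver!r}; expected one of {sorted(VALID_RESOLVERS)}"
        )
    domain = env.get("TRAEFIK_DOMAIN", "")
    if domain and not DOMAIN_RE.match(domain):
        problems.append(f"TRAEFIK_DOMAIN={domain!r} is not a bare domain like example.com")
    return problems


def acme_mode_ok(mode):
    """True when a file mode (e.g. st_mode from os.stat) is exactly 0600."""
    return stat.S_IMODE(mode) == 0o600


def check_acme_file(path):
    """acme.json stores the certificate private keys, hence the 0600 requirement."""
    return acme_mode_ok(os.stat(path).st_mode)


if __name__ == "__main__":
    for problem in check_env(parse_env(SAMPLE_ENV)):
        print("env:", problem)
    if os.path.exists("acme.json") and not check_acme_file("acme.json"):
        print("acme.json is not mode 600; run: chmod 600 acme.json")
```

Run it from the cloned repository directory after editing `.env`; it reports the two deliberate mistakes in the constructed sample and, if present, a too-permissive `acme.json`. Swap `SAMPLE_ENV` for `open(".env").read()` to check the real file.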

## Running a service inside TraPrAlGra

If you want to run any dockerized service inside of TraPrAlGra, all you need to do is set a few labels on that service in your `docker-compose.yml`. For example, running an NGINX container that serves static HTML might look like this:

```yaml
version: '3.3'

services:
  my-container:
    image: my-container:latest
    restart: unless-stopped
    container_name: my-container
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)"
      - "traefik.http.routers.my-container.tls.certresolver=leresolver"
      - "traefik.http.routers.my-container.entrypoints=websecure"
      - "traefik.http.routers.my-container.middlewares=secure-compress@file"
      - "traefik.http.services.my-container.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true
```

Let's break it down:

- The `networks` block at the end lets the container connect to the external **proxy** network
- `"traefik.enable=true"`: explicitly tells Traefik to route for this container
- ``"traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)"``: sets the hostname under which this container should be reachable on the internet
- `"traefik.http.routers.my-container.tls.certresolver=leresolver"`: defines the Let's Encrypt resolver for this container's SSL certificates (can be either `staging` or `leresolver`)
- `"traefik.http.routers.my-container.entrypoints=websecure"`: sets the entrypoint used by the container. Always set this to `websecure`, since this is the https entrypoint and all http traffic gets redirected to https anyway
- `"traefik.http.routers.my-container.middlewares=secure-compress@file"`: sets some basic http security headers and compresses the response. You can add this line whenever you want this behaviour (also check the headers in the `config.yml` file)
- `"traefik.http.services.my-container.loadbalancer.server.port=80"`: sets the port on which this container listens. Replace the `80` in this example with your container's port number.
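The breakdown above is effectively a policy: every service published through TraPrAlGra should carry the same set of labels and hardening options. The following checker is an added example, not code from the TraPrAlGra repository: it turns a compose service definition into a label map and reports deviations from that policy (wrong entrypoint, missing resolver, missing middleware or port, no `proxy` network, no `no-new-privileges`). The two service dicts are constructed (one mirrors the README example, one is a deliberately weak service), the function names are this example's own, and treating any entrypoint other than `websecure` as a finding is an assumption drawn from the advice above.

```python
"""Policy check for Traefik labels on a docker-compose service.

Added example, not code from the TraPrAlGra repository. The rules encode the
README's breakdown: traefik.enable=true, a Host(`...`) router rule, a
certresolver of `staging` or `leresolver`, the `websecure` entrypoint, the
`secure-compress@file` middleware, a loadbalancer port, the `proxy` network and
`no-new-privileges`. The two service dicts are constructed; function names are
assumptions, as is flagging every entrypoint other than `websecure`.
"""
import re

ALLOWED_RESOLVERS = {"staging", "leresolver"}
HOST_RULE = re.compile(r"^Host\(`[^`]+`(?:\s*,\s*`[^`]+`)*\)$")
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.")
PORT_KEY = re.compile(r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port$")

# Constructed: the README's own example, as a parsed compose service.
GOOD_SERVICE = {
    "image": "my-container:latest",
    "security_opt": ["no-new-privileges:true"],
    "networks": ["proxy"],
    "labels": [
        "traefik.enable=true",
        "traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)",
        "traefik.http.routers.my-container.tls.certresolver=leresolver",
        "traefik.http.routers.my-container.entrypoints=websecure",
        "traefik.http.routers.my-container.middlewares=secure-compress@file",
        "traefik.http.services.my-container.loadbalancer.server.port=80",
        "traefik.docker.network=proxy",
    ],
}

# Constructed: published over plain http, no TLS resolver, no hardening.
WEAK_SERVICE = {
    "image": "legacy-app:latest",
    "networks": ["proxy"],
    "labels": [
        "traefik.enable=true",
        "traefik.http.routers.legacy.rule=Host(`legacy.example.com`)",
        "traefik.http.routers.legacy.entrypoints=web",
        "traefik.http.services.legacy.loadbalancer.server.port=8080",
        "traefik.docker.network=proxy",
    ],
}


def parse_labels(labels):
    """Compose accepts labels as a list of 'key=value' strings or as a mapping."""
    if isinstance(labels, dict):
        return {str(k): str(v) for k, v in labels.items()}
    parsed = {}
    for item in labels:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"label without '=': {item!r}")
        parsed[key.strip()] = value.strip()
    return parsed


def check_service(name, service):
    """Return the list of policy violations for one compose service."""
    labels = parse_labels(service.get("labels", []))
    if labels.get("traefik.enable") != "true":
        # Traefik ignores the container entirely, so the routing rules do not apply.
        return [f"{name}: traefik.enable is not 'true'"]
    problems = []
    # `networks` may be a list or a mapping; `in` works for both.
    if "proxy" not in service.get("networks", []):
        problems.append(f"{name}: not attached to the external 'proxy' network")
    if labels.get("traefik.docker.network") != "proxy":
        problems.append(f"{name}: traefik.docker.network must be 'proxy'")
    if "no-new-privileges:true" not in service.get("security_opt", []):
        problems.append(f"{name}: security_opt lacks no-new-privileges:true")
    routers = {m.group(1) for m in map(ROUTER_KEY.match, labels) if m}
    if not routers:
        problems.append(f"{name}: no traefik.http.routers.<router>.* labels")
    for router in sorted(routers):
        prefix = f"traefik.http.routers.{router}."
        rule = labels.get(prefix + "rule", "")
        if not HOST_RULE.match(rule):
            problems.append(f"{name}: router {router} rule {rule!r} is not a Host(`...`) rule")
        if labels.get(prefix + "tls.certresolver") not in ALLOWED_RESOLVERS:
            problems.append(f"{name}: router {router} needs tls.certresolver=staging|leresolver")
        if labels.get(prefix + "entrypoints") != "websecure":
            problems.append(f"{name}: router {router} must use the 'websecure' entrypoint")
        middlewares = [m.strip() for m in labels.get(prefix + "middlewares", "").split(",")]
        if "secure-compress@file" not in middlewares:
            problems.append(f"{name}: router {router} lacks the secure-compress@file middleware")
    ports = [labels[k] for k in labels if PORT_KEY.match(k)]
    if not ports or not all(p.isdigit() and 0 < int(p) < 65536 for p in ports):
        problems.append(f"{name}: missing or invalid loadbalancer.server.port label")
    return problems


def check_compose(services):
    """Check every service in a compose `services` mapping."""
    return [p for name, svc in services.items() for p in check_service(name, svc)]


if __name__ == "__main__":
    for line in check_compose({"my-container": GOOD_SERVICE, "legacy": WEAK_SERVICE}):
        print(line)
```

The README example passes cleanly, while the weak service yields four findings (no `no-new-privileges`, no certresolver, the `web` entrypoint, and no `secure-compress@file`). To run it against a real file, load `docker-compose.yml` with a YAML parser and pass its `services` mapping to `check_compose`.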

## Future features

In the future TraPrAlGra should also support multiple domains using wildcard certificates, since Traefik basically supports those, but I still have to try out how to configure it. Further reading [here](https://docs.traefik.io/https/acme/#wildcard-domains).

## Special thanks

- @stefanprodan for [dockprom](https://github.com/stefanprodan/dockprom)
- @containous for [Traefik](https://github.com/containous/traefik)

## License

MIT