A Traefik, Prometheus, node-exporter, cAdvisor, pushgateway, Alertmanager and Grafana edge router and monitoring stack. The goal of this project is to provide an easy-to-set-up, easy-to-deploy stack built on modern technologies. It automatically obtains certificates issued by Let's Encrypt and serves them with an A+ rated (according to SSL Labs) TLS configuration. TraPrAlGra also redirects users who try to reach pages over http to their https counterparts automatically.
Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them. - Traefik
Traefik makes registering new services (including their respective subdomains) a breeze and keeps the configuration lean and readable.
Prometheus is a free software application used for event monitoring and alerting. It records real-time metrics in a time series database (allowing for high dimensionality) built using a HTTP pull model, with flexible queries and real-time alerting. - Wikipedia
Prometheus is the centre of the monitoring stack: it scrapes all kinds of metric data generated by the other components (node-exporter, cAdvisor, pushgateway and Traefik itself). When one of the definable alerting rules fires, Prometheus hands the alert to Alertmanager, which sends a message to the configured receivers. Since not all services support the Prometheus pull model, the pushgateway is included in this stack so that metrics from such services can be collected as well.
Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application. - Arch Wiki
Grafana takes the metrics provided by Prometheus and displays them in beautiful graph dashboards. TraPrAlGra includes 4 preconfigured dashboards to serve different use cases:
- Docker Containers: Displays graphs about metrics collected from Docker containers that are not part of the monitoring stack.
- Docker Host: Displays graphs of the server's hardware usage and general machine stats such as uptime.
- Monitor Services: Displays graphs about the monitoring containers and Prometheus' own generated metrics.
- Traefik: Displays graphs generated out of Traefik's metrics such as HTTP status codes and average response times.
To use TraPrAlGra you need the following:

- A domain
- A server with `docker` and `docker-compose` installed
- An Alertmanager compatible receiver (this repo already includes a template for Slack)

Setup:

1. Clone this repository to your machine: `git clone git@github.com:sebastianwachter/TraPrAlGra.git`
2. Create a Docker network called "proxy": `docker network create proxy`. This is the network your services join to get proxied by Traefik.
3. Restrict the permissions of `acme.json` to 600: `chmod 600 acme.json`. This file will hold your Let's Encrypt account key and the private keys of every issued certificate, and Traefik refuses to use it when it is readable by other users.
4. In the `traefik.yml` file fill in your E-Mail address where it's required. It appears once per certificate resolver; use the same address in both places.
5. Generate an HTTP basic auth user + password pair with `htpasswd -nb <user> <password>` and copy the output (`<user>:<hash>`).
6. Open the `.env` file and replace the placeholders (`TRAEFIK_DASHBOARD_USER` and `TRAEFIK_DASHBOARD_PASSWORD`) with the user and the hash generated in step 5. The hash contains `$` characters; after saving, run `docker-compose config` and confirm that the rendered dashboard label still shows the hash unchanged. If the parts after a `$` are missing, compose interpolated them as variables and each `$` has to be written as `$$`.
7. Still in `.env`, replace `TRAEFIK_DOMAIN` with your domain, e.g. `example.com`.
8. Also in the `.env` file decide (`TRAEFIK_LE_RESOLVER`) whether you want to use the `staging` or the usual Let's Encrypt resolver (`leresolver`). The `staging` resolver issues certificates from Let's Encrypt's staging CA, which browsers do not trust, so use it while developing and testing the setup. `leresolver` issues trusted, A+ rated certificates, but requesting them too often in a short period of time gets the domain rate limited (further reading on rate limits here).
9. As a final step in `.env`, replace the `GF_SECURITY_ADMIN_PASSWORD` placeholder with a password in plain text. This is the Grafana admin login, so keep `.env` out of version control.
10. Create an incoming webhook for your Slack workspace using this guide and paste the generated URL into the `api_url` field in `./alertmanager/config.yml`. If you don't want to use Slack as a receiver for monitoring alerts, here are some alternative examples.
11. Run `docker-compose up -d`
12. Profit!
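Before running `docker-compose up -d`, it is worth checking that every value from the steps above actually landed in `.env`. The following script is an added example and not part of TraPrAlGra: it validates the variable names the README lists, the resolver value, the domain format and the most common paste mistake (copying the whole `user:hash` line into the password variable). The placeholder words it looks for and the sample values written by `write_sample_env` are assumptions; the hash in the sample is constructed, not a real htpasswd output.

```shell
#!/bin/sh
# Added example, not part of TraPrAlGra: sanity-check a filled-in .env before
# running `docker-compose up -d`. The variable names are the ones the README
# lists; the placeholder words checked for and the sample values written by
# write_sample_env are assumptions (the hash below is constructed, not real).

# Print the value of the KEY=VALUE line for key $2 in env file $1 (empty if absent).
env_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Double every `$` so an htpasswd hash survives compose variable interpolation.
# Only needed when `docker-compose config` shows the hash mangled.
escape_for_compose() {
    printf '%s\n' "$1" | sed 's/\$/$$/g'
}

# Return 0 if the file looks deployable, otherwise print each problem and return 1.
check_traefik_env() {
    file=$1
    rc=0
    for key in TRAEFIK_DOMAIN TRAEFIK_LE_RESOLVER TRAEFIK_DASHBOARD_USER \
               TRAEFIK_DASHBOARD_PASSWORD GF_SECURITY_ADMIN_PASSWORD; do
        val=$(env_get "$file" "$key")
        if [ -z "$val" ]; then
            echo "$key: missing or empty"; rc=1
        elif printf '%s\n' "$val" | grep -Eqi 'changeme|placeholder|<'; then
            echo "$key: placeholder still present"; rc=1
        fi
    done

    # A bare domain, no scheme or path (assumed placeholder format).
    domain=$(env_get "$file" TRAEFIK_DOMAIN)
    printf '%s\n' "$domain" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)+$' \
        || { echo "TRAEFIK_DOMAIN: '$domain' is not a bare domain"; rc=1; }

    case $(env_get "$file" TRAEFIK_LE_RESOLVER) in
        staging|leresolver) ;;
        *) echo "TRAEFIK_LE_RESOLVER: must be staging or leresolver"; rc=1 ;;
    esac

    # htpasswd -nb prints user:hash; only the hash belongs in this variable.
    case $(env_get "$file" TRAEFIK_DASHBOARD_PASSWORD) in
        *:*) echo "TRAEFIK_DASHBOARD_PASSWORD: contains ':', paste only the hash"; rc=1 ;;
    esac
    return $rc
}

# Write a constructed, valid sample .env to path $1 (values are made up).
write_sample_env() {
    cat > "$1" <<'EOF'
TRAEFIK_DOMAIN=example.com
TRAEFIK_LE_RESOLVER=staging
TRAEFIK_DASHBOARD_USER=admin
TRAEFIK_DASHBOARD_PASSWORD=$apr1$constructedsalt$constructedhash
GF_SECURITY_ADMIN_PASSWORD=correct-horse-battery-staple
EOF
}
```

Source the file and run `check_traefik_env .env`; a non-zero exit with the listed problems means the deployment would come up misconfigured. `escape_for_compose` is deliberately not applied automatically: whether the `$` signs need doubling depends on the compose version, so verify with `docker-compose config` first.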
If you want to run any dockerized service inside of TraPrAlGra, all you need to do is set up some labels in the `docker-compose.yml` of that service. For example, running an NGINX container that serves static HTML might look like this:

```yaml
version: '3.3'
services:
  my-container:
    image: my-container:latest
    restart: unless-stopped
    container_name: my-container
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)"
      - "traefik.http.routers.my-container.tls.certresolver=leresolver"
      - "traefik.http.routers.my-container.entrypoints=websecure"
      - "traefik.http.routers.my-container.middlewares=secure-compress@file"
      - "traefik.http.services.my-container.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
```
Let's break it down:

- The `networks` block at the end declares the external `proxy` network so the container can join it.
- `security_opt: no-new-privileges:true`: stops processes inside the container from gaining additional privileges, e.g. through setuid binaries.
- `"traefik.enable=true"`: explicitly tell Traefik to be the router for this container.
- ``"traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)"``: sets the hostname under which this container is reachable on the internet.
- `"traefik.http.routers.my-container.tls.certresolver=leresolver"`: defines the Let's Encrypt resolver for this container's certificates (can be either `staging` or `leresolver`).
- `"traefik.http.routers.my-container.entrypoints=websecure"`: sets the entrypoint used by the container. Always set this to `websecure`, since this is the https entrypoint and all http traffic gets redirected to https anyway.
- `"traefik.http.routers.my-container.middlewares=secure-compress@file"`: sets some basic HTTP security headers and compresses the response. You can use this line whenever you want this behaviour (also check the headers in the `config.yml` file).
- `"traefik.http.services.my-container.loadbalancer.server.port=80"`: sets the port the container listens on. Replace the `80` in this example with your service's port number.
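A label that is misspelled or missing fails silently: Traefik simply never routes to the container. The following script is an added example and not part of TraPrAlGra. It checks that a service's compose file carries every label the breakdown above requires, with the values it requires (router on `websecure`, a known resolver, a valid port, the `proxy` network and `no-new-privileges`). It greps the flat `labels:` list shown above rather than parsing YAML, which is enough for that layout; the service name and the sample compose file written by `write_sample_compose` are assumptions.

```shell
#!/bin/sh
# Added example, not part of TraPrAlGra: lint the Traefik labels of one service
# in a compose file before deploying it. It greps the flat `labels:` list the
# README shows instead of parsing YAML, which is enough for that layout; the
# service name and the sample compose file written below are assumptions.

# Print the value of label $2 in compose file $1 (empty if absent).
label_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # make the dots literal for sed
    sed -n "s/^[[:space:]]*- \"$key=\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# Return 0 if service $2 in file $1 is wired the way the README describes,
# otherwise print each problem and return 1.
check_traefik_labels() {
    file=$1
    svc=$2
    rc=0
    [ "$(label_value "$file" traefik.enable)" = true ] \
        || { echo "traefik.enable must be true"; rc=1; }

    rule=$(label_value "$file" "traefik.http.routers.$svc.rule")
    printf '%s\n' "$rule" | grep -Eq '^Host\(`[^`]+`\)$' \
        || { echo "router rule must be Host(\`name\`), got: '$rule'"; rc=1; }

    case $(label_value "$file" "traefik.http.routers.$svc.tls.certresolver") in
        staging|leresolver) ;;
        *) echo "certresolver must be staging or leresolver"; rc=1 ;;
    esac

    # http is redirected to https anyway, so the router must sit on websecure.
    [ "$(label_value "$file" "traefik.http.routers.$svc.entrypoints")" = websecure ] \
        || { echo "entrypoints must be websecure"; rc=1; }

    port=$(label_value "$file" "traefik.http.services.$svc.loadbalancer.server.port")
    if ! printf '%s\n' "$port" | grep -Eq '^[0-9]+$' || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "loadbalancer.server.port must be 1-65535, got: '$port'"; rc=1
    fi

    [ "$(label_value "$file" traefik.docker.network)" = proxy ] \
        || { echo "traefik.docker.network must be proxy"; rc=1; }

    grep -Eq '^[[:space:]]*-[[:space:]]+proxy$' "$file" \
        || { echo "service must join the proxy network"; rc=1; }
    grep -Eq '^[[:space:]]*- no-new-privileges:true$' "$file" \
        || { echo "security_opt no-new-privileges:true is missing"; rc=1; }
    return $rc
}

# Write a constructed compose file (the README's example) to path $1.
write_sample_compose() {
    cat > "$1" <<'EOF'
version: '3.3'
services:
  my-container:
    image: my-container:latest
    restart: unless-stopped
    container_name: my-container
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)"
      - "traefik.http.routers.my-container.tls.certresolver=leresolver"
      - "traefik.http.routers.my-container.entrypoints=websecure"
      - "traefik.http.routers.my-container.middlewares=secure-compress@file"
      - "traefik.http.services.my-container.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true
EOF
}
```

Run it as `check_traefik_labels docker-compose.yml my-container` after sourcing the file. The router and service names in the labels must match the name you pass in, which is also the most common reason a container shows up in the Traefik dashboard without being reachable.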
In the future TraPrAlGra should also support multiple domains using wildcard certificates, since Traefik basically supports those, but I still have to try out how to configure it. Further reading here.
MIT