---

frontend:
  # Public edge of the cluster: nginx, haproxy and the SSO proxy, plus the
  # replds client that receives ACME certificates from the acme service.
  scheduling_group: frontend
  service_credentials:
    # enable_server: false presumably suppresses the server-side credential
    # for nginx and ssoproxy (they terminate TLS with public certs) — confirm
    # against float's service_credentials documentation.
    - name: nginx
      enable_server: false
    - name: ssoproxy
      enable_server: false
    - name: replds-acme
  systemd_services:
    - nginx.service
    - haproxy.service
    - sso-proxy.service
    - replds@acme.service
  ports:
    # NOTE(review): which of the services above listens on 5005 is not
    # documented here — confirm before widening or narrowing firewall rules.
    - 5005
  volumes:
    - name: cache
      path: /var/cache/nginx
      size: 20g
  monitoring_endpoints:
    # presumably the haproxy stats/metrics listener — confirm
    - port: 8404
      scheme: http

dns:
  # bind9 runs on the frontend hosts; the named monitoring endpoint on 9119
  # is presumably a bind exporter scraped over plain http — confirm.
  scheduling_group: frontend
  systemd_services:
    - bind9.service
  monitoring_endpoints:
    - name: bind
      port: 9119
      scheme: http

log-collector:
  # Central rsyslog receiver: a single backend instance that every other host
  # forwards to.
  scheduling_group: backend
  num_instances: 1
  service_credentials:
    # The collector only acts as a server, so the client credential is
    # disabled; forwarders presumably validate the server credential — confirm.
    - name: log-collector
      enable_client: false
  monitoring_endpoints:
    - port: 9105
      scheme: http
  containers:
    - name: rsyslog
      image: registry.git.autistici.org/ai3/docker/rsyslog:master
      ports:
        - 6514
        - 9105
      volumes:
        # host path: container path (presumably; confirm the mount direction)
        - /etc/rsyslog-collector.conf: /etc/rsyslog.conf
        - /etc/rsyslog-collector-lognorm: /etc/rsyslog-collector-lognorm
        - /var/spool/rsyslog-collector: /var/spool/rsyslog
        - /var/log/remote: /var/log/remote
  ports:
    # Service-level port list: only the log ingestion port. 9105 appears only
    # under the container and in monitoring_endpoints.
    - 6514

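prometheus:
  # Monitoring stack — Prometheus, Alertmanager, the blackbox prober, Grafana,
  # Thanos and Karma — co-located on a single backend instance.
  scheduling_group: backend
  num_instances: 1
  service_credentials:
    # block style, matching every other service_credentials entry in this file
    - name: prometheus
  containers:
    - name: prometheus
      image: registry.git.autistici.org/ai3/docker/prometheus:master
      port: 9090
      volumes:
        - /etc/prometheus: /etc/prometheus
        - /var/lib/prometheus/metrics2: /var/lib/prometheus/metrics2
      # Folded scalar: the lines are joined with single spaces, so the
      # rendered command line is one string. Retention and the per-query
      # sample cap are tunable from the inventory; --web.enable-lifecycle
      # turns on the HTTP reload/quit endpoints, so keep the 'monitor'
      # public endpoint below behind the SSO proxy.
      args: >-
        --storage.tsdb.retention.time={{ prometheus_tsdb_retention | default('90d') }}
        --web.external-url=https://monitor.{{ domain_public[0] }}
        --web.enable-lifecycle
        --query.max-samples={{ prometheus_max_samples | default('5000000') }}
    - name: alertmanager
      image: registry.git.autistici.org/ai3/docker/prometheus-alertmanager:master
      ports:
        - 9093
        - 9094
      volumes:
        - /etc/prometheus: /etc/prometheus
        - /var/lib/prometheus/alertmanager: /var/lib/prometheus/alertmanager
      # Cluster peers are all other hosts in the 'prometheus' group; the
      # advertise address comes from float_host_dns_map. The ':9094{% for'
      # part must stay on one line — there is no space between the flag
      # value and the Jinja tag.
      # NOTE(review): no egress_policy here, unlike grafana/thanos/karma
      # below — presumably so notifications can reach external receivers;
      # confirm that this is intended.
      args: >-
        --web.external-url=https://alertmanager.{{ domain_public[0] }}
        --cluster.listen-address=:9094
        --cluster.advertise-address={{ float_host_dns_map.get(inventory_hostname + '.prometheus', ['']) | list | first }}:9094{% for h in groups['prometheus']|sort if h != inventory_hostname %}
        --cluster.peer={{ h }}.prometheus.{{ domain }}:9094{% endfor %}
    - name: blackbox
      image: registry.git.autistici.org/ai3/docker/prometheus-blackbox:master
      ports:
        - 9115
      volumes:
        - /etc/prometheus: /etc/prometheus
      args: "--config.file /etc/prometheus/blackbox.yml"
      # The prober is the only container here that keeps NET_RAW and is not
      # capability-stripped — presumably for ICMP probes. No egress_policy is
      # set, presumably because probe targets are external. Re-check both if
      # the probing scope in blackbox.yml changes.
      docker_options: "--cap-add=NET_RAW"
      drop_capabilities: false
    - name: grafana
      image: registry.git.autistici.org/ai3/docker/grafana:master
      port: 2929
      volumes:
        - /etc/grafana: /etc/grafana
        - /var/lib/grafana: /var/lib/grafana
      egress_policy: internal
    - name: thanos
      image: registry.git.autistici.org/ai3/docker/thanos:master
      ports:
        - 10901 # sidecar grpc
        - 10902 # sidecar http
        - 10903 # query grpc
        - 10904 # query http
        - 10905 # query-frontend grpc
        - 10906 # query-frontend http
      resources:
        ram: "1G"
      env:
        # Query fans out to the sidecar of every host in the 'prometheus'
        # group (folded scalar, joined with single spaces).
        QUERY_FLAGS: >-
          --query.replica-label=monitor
          {% for h in groups['prometheus']|sort %}
          --store={{ h }}.prometheus.{{ domain }}:10901{% endfor %}
        SIDECAR_FLAGS: ""
        QUERY_FRONTEND_FLAGS: "--query-range.response-cache-config-file=/etc/thanos/query-frontend-cache.yml"
      volumes:
        - /etc/thanos: /etc/thanos
      egress_policy: internal
    - name: karma
      image: registry.git.autistici.org/ai3/docker/karma:master
      ports:
        - 9193
      env:
        # https://github.com/prymitive/karma/blob/master/docs/CONFIGURATION.md#environment-variables
        CONFIG_FILE: "/etc/karma/float.yml"
        # Quoted so it stays a string like every other env value in this
        # file (see auth-cache's PORT).
        PORT: "9193"
      volumes:
        - /etc/karma: /etc/karma
      egress_policy: internal
  public_endpoints:
    # Every UI is published behind the SSO proxy; none of these backends is
    # meant to be reachable unauthenticated.
    - name: monitor
      port: 9090
      scheme: http
      enable_sso_proxy: true
    - name: prober
      port: 9115
      scheme: http
      enable_sso_proxy: true
    - name: grafana
      port: 2929
      scheme: https
      enable_sso_proxy: true
    - name: thanos
      port: 10906
      scheme: http
      enable_sso_proxy: true
    - name: alerts
      port: 9193
      scheme: http
      enable_sso_proxy: true
  monitoring_endpoints:
    - port: 9090
      scheme: http
      healthcheck_http_method: OPTIONS
    - port: 9093
      scheme: http
      healthcheck_http_method: OPTIONS
    - port: 9193
      scheme: http
      healthcheck_http_method: GET
    - port: 2929
      scheme: https
    - port: 10904
      scheme: http
    - port: 10902
      scheme: http
    - port: 10906
      scheme: http
  ports:
    # Service-level ports reached from other prometheus hosts: alertmanager
    # gossip (--cluster.peer above) and the thanos sidecar grpc (--store).
    - 9094
    - 10901
  volumes:
    - name: metrics
      path: /var/lib/prometheus
      owner: docker-prometheus
      group: docker-prometheus
      # octal mode kept quoted so it is not parsed as an integer
      mode: "0755"
  annotations:
    dependencies:
      - client: prometheus
        server: alertmanager
      - client: karma
        server: alertmanager
      - client: thanos
        server: prometheus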

sso-server:
  # Single-sign-on issuer; one backend instance. The 'login' endpoint is the
  # only public_endpoint in this file without enable_sso_proxy, which is
  # expected: it is the login page itself.
  num_instances: 1
  scheduling_group: backend
  service_credentials:
    - name: sso-server
      enable_server: false
  public_endpoints:
    - name: login
      port: 5002
      scheme: http
  monitoring_endpoints:
    - port: 5002
      scheme: http
  systemd_services:
    - sso-server.service
  annotations:
    dependencies:
      # talks to user-meta-server (service/credential form)
      - client: sso-server
        server: user-meta-server/user-meta-server

auth-cache:
  # memcached instance used as an auth cache.
  # NOTE(review): no service_credentials are declared, so access to 11212
  # presumably relies only on the port-level firewall — confirm.
  scheduling_group: backend
  containers:
    - name: memcache
      image: registry.git.autistici.org/ai3/docker/memcached:master
      port: 11212
      env:
        # quoted so the env value stays a string
        PORT: "11212"
      egress_policy: internal
  ports:
    - 11212

user-meta-server:
  # Single-instance user metadata service, scraped over https on its own port.
  num_instances: 1
  scheduling_group: backend
  service_credentials:
    - name: user-meta-server
  monitoring_endpoints:
    - port: 5505
      scheme: https
  ports:
    - 5505
  systemd_services:
    - user-meta-server.service
  datasets:
    # database file replicated with litestream (presumably SQLite), owned by
    # the service user
    - name: db
      type: litestream
      path: /var/lib/user-meta-server
      filename: usermeta.db
      owner: user-meta-server

admin-dashboard:
  # float's own dashboard, exposed as 'admin' behind the SSO proxy.
  scheduling_group: frontend
  service_credentials:
    - name: admin-dashboard
  containers:
    - name: http
      image: registry.git.autistici.org/ai3/tools/float-dashboard:master
      port: 8011
      volumes:
        # read access to the float config tree
        - /etc/float: /etc/float
      env:
        ADDR: ":8011"
        # templated value kept quoted so an empty expansion does not become null
        DOMAIN: "{{ domain_public[0] }}"
      egress_policy: internal
  public_endpoints:
    - name: admin
      port: 8011
      scheme: http
      enable_sso_proxy: true

backup-metadata:
  # tabacco backup metadata DB; single backend instance served over https.
  num_instances: 1
  scheduling_group: backend
  service_credentials:
    # server-only credential: other services connect to it, it connects out
    # to nothing (presumably — confirm)
    - name: backup-metadata
      enable_client: false
  monitoring_endpoints:
    - port: 5332
      scheme: https
  public_endpoints:
    - name: backups
      port: 5332
      scheme: https
      enable_sso_proxy: true
  ports:
    - 5332
  systemd_services:
    - tabacco-metadb.service
  datasets:
    # database file replicated with litestream, owned by the service user
    - name: db
      type: litestream
      path: /var/lib/tabacco-metadb
      filename: meta.db
      owner: backup-metadata

acme:
  # ACME certificate issuer; one instance on the frontend group. Issued
  # certificates reach the other frontends via replds@acme (see 'frontend').
  num_instances: 1
  scheduling_group: frontend
  service_credentials:
    - name: acme
      enable_server: false
  monitoring_endpoints:
    - port: 5004
      scheme: http
  ports:
    - 5004
  systemd_services:
    - acmeserver.service

assets:
  # assetmon inventory service; single backend instance behind the SSO proxy.
  num_instances: 1
  scheduling_group: backend
  service_credentials:
    - name: assetmon
  containers:
    - name: http
      image: registry.git.autistici.org/ai3/tools/assetmon:master
      volumes:
        - /etc/assetmon/server.yml: /etc/assetmon/server.yml
        - /var/lib/assetmon: /var/lib/assetmon
      ports:
        - 3798
      egress_policy: internal
  monitoring_endpoints:
    - port: 3798
      scheme: https
  public_endpoints:
    - name: assets
      port: 3798
      scheme: https
      enable_sso_proxy: true
  datasets:
    # NOTE(review): unlike the other datasets in this file this one has no
    # 'type' and no 'filename' — confirm that a whole-directory dataset is
    # intended rather than a litestream-replicated db.
    - name: db
      path: /var/lib/assetmon
      owner: docker-assets