diff --git a/apps/dawarich/README.md b/apps/dawarich/README.md
index f9c408e..fff5825 100644
--- a/apps/dawarich/README.md
+++ b/apps/dawarich/README.md
@@ -43,6 +43,7 @@ openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_postgres_password.t
 openssl rand -base64 48 | tr -dc 'A-Za-z0-9._~-' | head -c 48 > /mnt/user/appdata/secrets/dawarich_redis_password.txt
 openssl rand -hex 64 > /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_metrics_password.txt
+printf 'prometheus:%s' "$(cat /mnt/user/appdata/secrets/dawarich_metrics_password.txt)" | base64 -w0 > /mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
 chmod 600 /mnt/user/appdata/secrets/dawarich_*.txt
 ```
@@ -75,7 +76,8 @@ Die Tracking-API-Routen fuer OwnTracks, Overland und Traccar sind separat und pr
 Der Monitoring-Stack ist dafuer bereits vorbereitet:
-- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist als Docker Secret eingebunden.
+- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist in Dawarich eingebunden.
+- `/mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt` ist in Prometheus eingebunden und enthaelt nur den Base64-Credential-Teil fuer den HTTP-Header.
 Nicht `dawarich_app:9394` scrapen: das ist nach aktueller Dawarich-Doku veraltet. Der Web-Service aggregiert App- und Sidekiq-Metriken unter `/metrics`. Im KalliLab wird dieser Endpoint ueber `https://dawarich.kaleschke.info/metrics` gescraped, damit Traefik den HTTPS-Kontext setzt und Dawarich nicht auf HTTPS umleitet.
diff --git a/apps/dawarich/prometheus-scrape.snippet.yml b/apps/dawarich/prometheus-scrape.snippet.yml
index bb8597f..9e3b8bb 100644
--- a/apps/dawarich/prometheus-scrape.snippet.yml
+++ b/apps/dawarich/prometheus-scrape.snippet.yml
@@ -9,9 +9,9 @@
   - job_name: dawarich
     metrics_path: /metrics
     scheme: https
-    basic_auth:
-      username: prometheus
-      password_file: /run/secrets/dawarich_metrics_password
+    authorization:
+      type: Basic
+      credentials_file: /run/secrets/dawarich_metrics_basic_auth
     static_configs:
       - targets:
           - dawarich.kaleschke.info
diff --git a/apps/dawarich/secrets/dawarich_metrics_basic_auth.txt.example b/apps/dawarich/secrets/dawarich_metrics_basic_auth.txt.example
new file mode 100644
index 0000000..e163711
--- /dev/null
+++ b/apps/dawarich/secrets/dawarich_metrics_basic_auth.txt.example
@@ -0,0 +1 @@
+BASE64_OF_PROMETHEUS_COLON_METRICS_PASSWORD
diff --git a/docs/SECRETS_MAP.md b/docs/SECRETS_MAP.md
index 2d82e81..a7a2249 100644
--- a/docs/SECRETS_MAP.md
+++ b/docs/SECRETS_MAP.md
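Review bot: With `basic_auth` replaced by `authorization`, the username no longer appears in the scrape config, so nothing tells a maintainer that `/run/secrets/dawarich_metrics_basic_auth` is a derived file that must be regenerated whenever `dawarich_metrics_password.txt` rotates; add a comment above `authorization:` such as `# credentials_file holds base64("prometheus:<metrics password>"), built per apps/dawarich/README.md; regenerate it when the metrics password rotates.` The identical hunk in monitoring/prometheus/prometheus.yml needs the same comment. Prometheus rejects a scrape config that sets both `basic_auth` and `authorization`, so the old block has to stay fully removed on both sides, as it is here. As far as I recall Prometheus trims surrounding whitespace when reading `credentials_file`, so the `base64 -w0` in the README is defensive rather than required, which is worth stating so nobody "fixes" it away.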
@@ -63,7 +63,8 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | Dawarich | DB Password | `/mnt/user/appdata/secrets/dawarich_postgres_password.txt` -> Docker Secret `/run/secrets/dawarich_postgres_password`; Postgres nutzt `POSTGRES_PASSWORD_FILE`, App/Sidekiq lesen per Entrypoint-Export | geplant |
 | Dawarich | Redis Password | `/mnt/user/appdata/secrets/dawarich_redis_password.txt` -> Docker Secret `/run/secrets/dawarich_redis_password`; Redis `--requirepass`, App/Sidekiq `REDIS_URL` | geplant |
 | Dawarich | Rails `SECRET_KEY_BASE` | `/mnt/user/appdata/secrets/dawarich_secret_key_base.txt` -> Docker Secret `/run/secrets/dawarich_secret_key_base` | geplant |
-| Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password`; Prometheus `password_file` | geplant |
+| Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password` in Dawarich | aktiv |
+| Dawarich Metrics | Prometheus Basic-Auth Credential | `/mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt` -> Docker Secret `/run/secrets/dawarich_metrics_basic_auth`; Prometheus `authorization.credentials_file` | aktiv |
 | Grafana -> Dawarich | Read-only DB Password | `/mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt` -> Docker Secret `/run/secrets/dawarich_grafana_ro_password`; Grafana-Env `DAWARICH_GRAFANA_RO_PASSWORD` | geplant |
 | Renovate Bot | Gitea Service-Account PAT | `/mnt/user/appdata/secrets/renovate_token.txt` -> Host-Datei (chmod 600), gelesen von `ops/renovate/run-renovate.sh` und an Renovate-Container als `RENOVATE_TOKEN` weitergegeben | aktiv nach Operator-Setup (siehe `docs/RENOVATE.md`) |
 | n8n | Encryption Key fuer interne Credential-Verschluesselung | `/mnt/user/appdata/secrets/n8n_encryption_key.txt` (chmod 600) -> Komodo Stack ENV `${N8N_ENCRYPTION_KEY}`; kein `_FILE`-Support im Upstream-Image | aktiv |
@@ -117,6 +118,7 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 |-- dawarich_redis_password.txt
 |-- dawarich_secret_key_base.txt
 |-- dawarich_metrics_password.txt
+|-- dawarich_metrics_basic_auth.txt
 |-- dawarich_grafana_ro_password.txt
 `-- vaultwarden_admin_token.txt
 ```
diff --git a/monitoring/docker-compose.yml b/monitoring/docker-compose.yml
index b1438a7..8a5a73b 100644
--- a/monitoring/docker-compose.yml
+++ b/monitoring/docker-compose.yml
@@ -22,7 +22,7 @@ services:
     expose:
       - "9090"
     secrets:
-      - source: dawarich_metrics_password
+      - source: dawarich_metrics_basic_auth
         mode: 0444
     security_opt:
       - no-new-privileges:true
@@ -421,5 +421,7 @@ secrets:
     file: /mnt/user/appdata/secrets/influxdb3_admin_token.json
   dawarich_metrics_password:
     file: /mnt/user/appdata/secrets/dawarich_metrics_password.txt
+  dawarich_metrics_basic_auth:
+    file: /mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt
   dawarich_grafana_ro_password:
     file: /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
diff --git a/monitoring/prometheus/prometheus.yml b/monitoring/prometheus/prometheus.yml
index 7ae2e4a..c745884 100644
--- a/monitoring/prometheus/prometheus.yml
+++ b/monitoring/prometheus/prometheus.yml
@@ -39,9 +39,9 @@ scrape_configs:
   - job_name: dawarich
     metrics_path: /metrics
     scheme: https
-    basic_auth:
-      username: prometheus
-      password_file: /run/secrets/dawarich_metrics_password
+    authorization:
+      type: Basic
+      credentials_file: /run/secrets/dawarich_metrics_basic_auth
     static_configs:
       # Dawarich >= 1.7.7 serves aggregated web + Sidekiq metrics here.
       - targets:
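Review bot: The service that exposes `"9090"` now mounts only `dawarich_metrics_basic_auth`, yet the top-level `dawarich_metrics_password` definition survives in the second hunk of this file; if no other service in monitoring/docker-compose.yml still references it (not visible in this diff), the definition is dead and should be dropped so the raw password file is not bound into a stack that no longer consumes it. The mount keeps `mode: 0444`, which now exposes a complete Basic login rather than a bare password to every uid inside the container; if the runtime user of that image is known, prefer `mode: 0440` with matching `uid`/`gid` on the secret entry. The enclosing service definition begins before the hunk.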