Use credentials file for Dawarich metrics scrape

apps/dawarich/README.md

@@ -43,6 +43,7 @@ openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_postgres_password.t
 openssl rand -base64 48 | tr -dc 'A-Za-z0-9._~-' | head -c 48 > /mnt/user/appdata/secrets/dawarich_redis_password.txt
 openssl rand -hex 64 > /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_metrics_password.txt
+printf 'prometheus:%s' "$(cat /mnt/user/appdata/secrets/dawarich_metrics_password.txt)" | base64 -w0 > /mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
 chmod 600 /mnt/user/appdata/secrets/dawarich_*.txt
 ```
@@ -75,7 +76,8 @@ Die Tracking-API-Routen fuer OwnTracks, Overland und Traccar sind separat und pr
 
 Der Monitoring-Stack ist dafuer bereits vorbereitet:
 
-- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist als Docker Secret eingebunden.
+- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist in Dawarich eingebunden.
+- `/mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt` ist in Prometheus eingebunden und enthaelt nur den Base64-Credential-Teil fuer den HTTP-Header.
 
 Nicht `dawarich_app:9394` scrapen: das ist nach aktueller Dawarich-Doku veraltet. Der Web-Service aggregiert App- und Sidekiq-Metriken unter `/metrics`. Im KalliLab wird dieser Endpoint ueber `https://dawarich.kaleschke.info/metrics` gescraped, damit Traefik den HTTPS-Kontext setzt und Dawarich nicht auf HTTPS umleitet.
 

apps/dawarich/prometheus-scrape.snippet.yml

@@ -9,9 +9,9 @@
 - job_name: dawarich
   metrics_path: /metrics
   scheme: https
-  basic_auth:
+  authorization:
-    username: prometheus
+    type: Basic
-    password_file: /run/secrets/dawarich_metrics_password
+    credentials_file: /run/secrets/dawarich_metrics_basic_auth
   static_configs:
     - targets:
         - dawarich.kaleschke.info

apps/dawarich/secrets/dawarich_metrics_basic_auth.txt.example

@@ -0,0 +1 @@
+BASE64_OF_PROMETHEUS_COLON_METRICS_PASSWORD

docs/SECRETS_MAP.md

@@ -63,7 +63,8 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | Dawarich | DB Password | `/mnt/user/appdata/secrets/dawarich_postgres_password.txt` -> Docker Secret `/run/secrets/dawarich_postgres_password`; Postgres nutzt `POSTGRES_PASSWORD_FILE`, App/Sidekiq lesen per Entrypoint-Export | geplant |
 | Dawarich | Redis Password | `/mnt/user/appdata/secrets/dawarich_redis_password.txt` -> Docker Secret `/run/secrets/dawarich_redis_password`; Redis `--requirepass`, App/Sidekiq `REDIS_URL` | geplant |
 | Dawarich | Rails `SECRET_KEY_BASE` | `/mnt/user/appdata/secrets/dawarich_secret_key_base.txt` -> Docker Secret `/run/secrets/dawarich_secret_key_base` | geplant |
-| Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password`; Prometheus `password_file` | geplant |
+| Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password` in Dawarich | aktiv |
+| Dawarich Metrics | Prometheus Basic-Auth Credential | `/mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt` -> Docker Secret `/run/secrets/dawarich_metrics_basic_auth`; Prometheus `authorization.credentials_file` | aktiv |
 | Grafana -> Dawarich | Read-only DB Password | `/mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt` -> Docker Secret `/run/secrets/dawarich_grafana_ro_password`; Grafana-Env `DAWARICH_GRAFANA_RO_PASSWORD` | geplant |
 | Renovate Bot | Gitea Service-Account PAT | `/mnt/user/appdata/secrets/renovate_token.txt` -> Host-Datei (chmod 600), gelesen von `ops/renovate/run-renovate.sh` und an Renovate-Container als `RENOVATE_TOKEN` weitergegeben | aktiv nach Operator-Setup (siehe `docs/RENOVATE.md`) |
 | n8n | Encryption Key fuer interne Credential-Verschluesselung | `/mnt/user/appdata/secrets/n8n_encryption_key.txt` (chmod 600) -> Komodo Stack ENV `${N8N_ENCRYPTION_KEY}`; kein `_FILE`-Support im Upstream-Image | aktiv |
@@ -117,6 +118,7 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 |-- dawarich_redis_password.txt
 |-- dawarich_secret_key_base.txt
 |-- dawarich_metrics_password.txt
+|-- dawarich_metrics_basic_auth.txt
 |-- dawarich_grafana_ro_password.txt
 `-- vaultwarden_admin_token.txt
 ```

monitoring/docker-compose.yml

@@ -22,7 +22,7 @@ services:
     expose:
       - "9090"
     secrets:
-      - source: dawarich_metrics_password
+      - source: dawarich_metrics_basic_auth
         mode: 0444
     security_opt:
       - no-new-privileges:true
@@ -421,5 +421,7 @@ secrets:
     file: /mnt/user/appdata/secrets/influxdb3_admin_token.json
   dawarich_metrics_password:
     file: /mnt/user/appdata/secrets/dawarich_metrics_password.txt
+  dawarich_metrics_basic_auth:
+    file: /mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt
   dawarich_grafana_ro_password:
     file: /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt

monitoring/prometheus/prometheus.yml

@@ -39,9 +39,9 @@ scrape_configs:
   - job_name: dawarich
     metrics_path: /metrics
     scheme: https
-    basic_auth:
+    authorization:
-      username: prometheus
+      type: Basic
-      password_file: /run/secrets/dawarich_metrics_password
+      credentials_file: /run/secrets/dawarich_metrics_basic_auth
     static_configs:
       # Dawarich >= 1.7.7 serves aggregated web + Sidekiq metrics here.
       - targets: