Restore Dawarich metrics basic auth config

apps/dawarich/README.md

@@ -43,7 +43,6 @@ openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_postgres_password.t
 openssl rand -base64 48 | tr -dc 'A-Za-z0-9._~-' | head -c 48 > /mnt/user/appdata/secrets/dawarich_redis_password.txt
 openssl rand -hex 64 > /mnt/user/appdata/secrets/dawarich_secret_key_base.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_metrics_password.txt
-printf 'prometheus:%s' "$(cat /mnt/user/appdata/secrets/dawarich_metrics_password.txt)" | base64 -w0 > /mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt
 openssl rand -base64 48 > /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt
 chmod 600 /mnt/user/appdata/secrets/dawarich_*.txt
 ```
@@ -76,8 +75,7 @@ Die Tracking-API-Routen fuer OwnTracks, Overland und Traccar sind separat und pr
 
 Der Monitoring-Stack ist dafuer bereits vorbereitet:
 
-- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist in Dawarich eingebunden.
-- `/mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt` ist in Prometheus eingebunden und enthaelt nur den Base64-Credential-Teil fuer den HTTP-Header.
+- `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` ist in Dawarich und Prometheus eingebunden.
 
 Nicht `dawarich_app:9394` scrapen: das ist nach aktueller Dawarich-Doku veraltet. Der Web-Service aggregiert App- und Sidekiq-Metriken unter `/metrics`. Im KalliLab wird dieser Endpoint ueber `https://dawarich.kaleschke.info/metrics` gescraped, damit Traefik den HTTPS-Kontext setzt und Dawarich nicht auf HTTPS umleitet.
 

apps/dawarich/prometheus-scrape.snippet.yml

@@ -9,9 +9,9 @@
 - job_name: dawarich
   metrics_path: /metrics
   scheme: https
-  authorization:
-    type: Basic
-    credentials_file: /run/secrets/dawarich_metrics_basic_auth
+  basic_auth:
+    username: prometheus
+    password_file: /run/secrets/dawarich_metrics_password
   static_configs:
     - targets:
         - dawarich.kaleschke.info

apps/dawarich/secrets/dawarich_metrics_basic_auth.txt.example

@@ -1 +0,0 @@
-BASE64_OF_PROMETHEUS_COLON_METRICS_PASSWORD

docs/SECRETS_MAP.md

@@ -63,8 +63,7 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | Dawarich | DB Password | `/mnt/user/appdata/secrets/dawarich_postgres_password.txt` -> Docker Secret `/run/secrets/dawarich_postgres_password`; Postgres nutzt `POSTGRES_PASSWORD_FILE`, App/Sidekiq lesen per Entrypoint-Export | geplant |
 | Dawarich | Redis Password | `/mnt/user/appdata/secrets/dawarich_redis_password.txt` -> Docker Secret `/run/secrets/dawarich_redis_password`; Redis `--requirepass`, App/Sidekiq `REDIS_URL` | geplant |
 | Dawarich | Rails `SECRET_KEY_BASE` | `/mnt/user/appdata/secrets/dawarich_secret_key_base.txt` -> Docker Secret `/run/secrets/dawarich_secret_key_base` | geplant |
-| Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password` in Dawarich | aktiv |
-| Dawarich Metrics | Prometheus Basic-Auth Credential | `/mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt` -> Docker Secret `/run/secrets/dawarich_metrics_basic_auth`; Prometheus `authorization.credentials_file` | aktiv |
+| Dawarich Metrics | Basic-Auth Password | `/mnt/user/appdata/secrets/dawarich_metrics_password.txt` -> Docker Secret `/run/secrets/dawarich_metrics_password`; Prometheus `password_file` | aktiv |
 | Grafana -> Dawarich | Read-only DB Password | `/mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt` -> Docker Secret `/run/secrets/dawarich_grafana_ro_password`; Grafana-Env `DAWARICH_GRAFANA_RO_PASSWORD` | geplant |
 | Renovate Bot | Gitea Service-Account PAT | `/mnt/user/appdata/secrets/renovate_token.txt` -> Host-Datei (chmod 600), gelesen von `ops/renovate/run-renovate.sh` und an Renovate-Container als `RENOVATE_TOKEN` weitergegeben | aktiv nach Operator-Setup (siehe `docs/RENOVATE.md`) |
 | n8n | Encryption Key fuer interne Credential-Verschluesselung | `/mnt/user/appdata/secrets/n8n_encryption_key.txt` (chmod 600) -> Komodo Stack ENV `${N8N_ENCRYPTION_KEY}`; kein `_FILE`-Support im Upstream-Image | aktiv |
@@ -118,7 +117,6 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 |-- dawarich_redis_password.txt
 |-- dawarich_secret_key_base.txt
 |-- dawarich_metrics_password.txt
-|-- dawarich_metrics_basic_auth.txt
 |-- dawarich_grafana_ro_password.txt
 `-- vaultwarden_admin_token.txt
 ```

monitoring/docker-compose.yml

@@ -22,7 +22,7 @@ services:
     expose:
       - "9090"
     secrets:
-      - source: dawarich_metrics_basic_auth
+      - source: dawarich_metrics_password
         mode: 0444
     security_opt:
       - no-new-privileges:true
@@ -421,7 +421,5 @@ secrets:
     file: /mnt/user/appdata/secrets/influxdb3_admin_token.json
   dawarich_metrics_password:
     file: /mnt/user/appdata/secrets/dawarich_metrics_password.txt
-  dawarich_metrics_basic_auth:
-    file: /mnt/user/appdata/secrets/dawarich_metrics_basic_auth.txt
   dawarich_grafana_ro_password:
     file: /mnt/user/appdata/secrets/dawarich_grafana_ro_password.txt

monitoring/prometheus/prometheus.yml

@@ -39,9 +39,9 @@ scrape_configs:
   - job_name: dawarich
     metrics_path: /metrics
     scheme: https
-    authorization:
-      type: Basic
-      credentials_file: /run/secrets/dawarich_metrics_basic_auth
+    basic_auth:
+      username: prometheus
+      password_file: /run/secrets/dawarich_metrics_password
     static_configs:
       # Dawarich >= 1.7.7 serves aggregated web + Sidekiq metrics here.
       - targets: