From 30ac2ce0e50b9a9b5ff7f2ca8249868cb7504174 Mon Sep 17 00:00:00 2001
From: Egor fureunoir Gorbunov
Date: Thu, 5 Jun 2025 15:34:59 +0300
Subject: [PATCH] Features: Prometheus password protection
---
 docker-compose.yml | 116 ++++++++++++------------
 monitoring/web.yml | 2 +
 nginx | 6 +-
 scripts/generate_prometheus_password.py | 5 +
 4 files changed, 69 insertions(+), 60 deletions(-)
 create mode 100644 monitoring/web.yml
 create mode 100644 scripts/generate_prometheus_password.py
diff --git a/docker-compose.yml b/docker-compose.yml
index af7e19d5..c316c2a2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,9 +14,18 @@ services:
 command: >
 sh -c "poetry run python manage.py await_services &&
 if [ \"$DEBUG\" = \"1\" ]; then
- poetry run gunicorn evibes.wsgi:application --bind 0.0.0.0:8000 --workers 2 --reload --log-level debug --access-logfile - --error-logfile -;
+ poetry run gunicorn evibes.wsgi:application \
+ --bind 0.0.0.0:8000 \
+ --workers 2 \
+ --reload \
+ --log-level debug \
+ --access-logfile - \
+ --error-logfile -;
 else
- poetry run gunicorn evibes.wsgi:application --bind 0.0.0.0:8000 --workers 12 --timeout 120;
+ poetry run gunicorn evibes.wsgi:application \
+ --bind 0.0.0.0:8000 \
+ --workers 12 \
+ --timeout 120;
 fi"
 volumes:
 - .:/app
@@ -42,45 +51,6 @@ services:
 - .env
 logging: *default-logging
- worker:
- container_name: worker
- build:
- context: .
- dockerfile: Dockerfile.app
- restart: always
- command: >
- sh -c "poetry run celery -A evibes worker --loglevel=info --concurrency=4 --autoscale=4,2 --max-tasks-per-child=100 --max-memory-per-child=512000 --soft-time-limit=10800 --time-limit=21600"
- volumes:
- - .:/app
- env_file:
- - .env
- depends_on:
- - app
- - redis
- - elasticsearch
- logging: *default-logging
- healthcheck:
- test: [ "CMD", "celery", "-A", "evibes", "status" ]
- interval: 30s
- timeout: 10s
- retries: 5
- mem_limit: 2g
-
- beat:
- container_name: beat
- build:
- context: .
- dockerfile: Dockerfile.app
- restart: always
- command: sh -c "poetry run celery -A evibes beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler"
- volumes:
- - .:/app
- env_file:
- - .env
- depends_on:
- - worker
- logging: *default-logging
-
 redis:
 container_name: redis
 image: redis:7.4
@@ -110,6 +80,51 @@ services: - es-data:/usr/share/elasticsearch/data logging: *default-logging + worker: + container_name: worker + build: + context: . + dockerfile: Dockerfile.app + restart: always + command: > + sh -c "poetry run celery -A evibes worker --loglevel=info \ + --concurrency=4 --autoscale=4,2 \ + --max-tasks-per-child=100 \ + --max-memory-per-child=512000 \ + --soft-time-limit=10800 \ + --time-limit=21600" + volumes: + - .:/app + env_file: + - .env + depends_on: + - app + - redis + - elasticsearch + logging: *default-logging + healthcheck: + test: [ "CMD", "celery", "-A", "evibes", "status" ] + interval: 30s + timeout: 10s + retries: 5 + + beat: + container_name: beat + build: + context: . + dockerfile: Dockerfile.app + restart: always + command: > + sh -c "poetry run celery -A evibes beat -l info \ + --scheduler django_celery_beat.schedulers:DatabaseScheduler" + volumes: + - .:/app + env_file: + - .env + depends_on: + - worker + logging: *default-logging + prometheus: container_name: prometheus image: prom/prometheus:v3.4.1 @@ -117,30 +132,17 @@ services: user: "root" volumes: - ./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml:ro + - ./monitoring/web.yml:/etc/prometheus/web.yml:ro - prometheus-data:/prometheus ports: - "9090:9090" - logging: *default-logging depends_on: - app - worker - redis - elasticsearch - -# nginx: # TODO complete the service after storefront is present -# container_name: nginx -# image: nginx -# restart: always -# ports: -# - "80:80" -# logging: *default-logging - -# storefront: # TODO complete the service for future "storefront" Vite-Vue3 base storefront app -# container_name: storefront -# build: -# - dockerfile: Dockerfile.storefront -# - context: ./storefront -# logging: *default-logging + logging: *default-logging volumes: es-data: + prometheus-data: diff --git a/monitoring/web.yml b/monitoring/web.yml new file mode 100644 index 00000000..687037e1 --- /dev/null +++ b/monitoring/web.yml 
@@ -0,0 +1,2 @@
+basic_auth_users:
+ admin: $2b$12$0HraDYmrZnJ089LcH9Vsn.Wv5V5a8oDlucTNm0.5obhULjPyLiYoy
diff --git a/nginx b/nginx
index 31b8ef0b..3646892a 100644
--- a/nginx
+++ b/nginx
@@ -106,10 +106,10 @@ server {
 }
 # ------------------------------------------------------------
-# Server block for flower.evibes.com
+# Server block for prometheus.evibes.com
 # ------------------------------------------------------------
 server {
- server_name flower.evibes.com;
+ server_name prometheus.evibes.com;
 listen 443 ssl;
 ssl_certificate /etc/letsencrypt/live/evibes.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/evibes.com/privkey.pem;
@@ -119,7 +119,7 @@ server {
 client_max_body_size 100M;
 location / {
- proxy_pass http://localhost:5555;
+ proxy_pass http://localhost:9090;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/scripts/generate_prometheus_password.py b/scripts/generate_prometheus_password.py
new file mode 100644
index 00000000..c5643fe1
--- /dev/null
+++ b/scripts/generate_prometheus_password.py
@@ -0,0 +1,5 @@
+import getpass
+
+import bcrypt
+
+print(bcrypt.hashpw(getpass.getpass("Password: ").encode("utf-8"), bcrypt.gensalt()).decode())
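Review bot: The bcrypt hash for `admin` is committed in `monitoring/web.yml`, so anyone who can read the repository can run offline guessing against it, and every deployment built from this tree shares the same credential. Keep the real file out of version control (generate it per environment with `scripts/generate_prometheus_password.py` and list `monitoring/web.yml` in `.gitignore`) and commit only a template whose value is a placeholder, e.g. `admin: <bcrypt-hash-placeholder>`. If the repository is readable beyond the operators, the password behind the hash in this commit should be rotated.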
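Review bot: The script hashes whatever single line it reads, so an empty password or a typo becomes a valid-looking hash with no warning. bcrypt also uses only the first 72 bytes of its input, and depending on the installed `bcrypt` release a longer password is either silently truncated or rejected with an exception. Prompt twice, refuse empty input and check the encoded length before hashing, as sketched below. `bcrypt` is a third-party package; whether it is declared in the project's dependencies is not visible in this diff.

```python
# … unchanged: imports …
password = getpass.getpass("Password: ").encode("utf-8")
if not password:
    raise SystemExit("Refusing to hash an empty password.")
if password != getpass.getpass("Repeat password: ").encode("utf-8"):
    raise SystemExit("Passwords do not match.")
if len(password) > 72:
    raise SystemExit("bcrypt only uses the first 72 bytes of the password.")
print(bcrypt.hashpw(password, bcrypt.gensalt()).decode())
```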