Features: Prometheus password protection

2025-06-05 15:34:59 +03:00 · 2025-06-05 15:34:59 +03:00 · 30ac2ce0e5
commit 30ac2ce0e5
parent a2d38cbdfb
4 changed files with 69 additions and 60 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -14,9 +14,18 @@ services:
    command: >
      sh -c "poetry run python manage.py await_services &&
             if [ \"$DEBUG\" = \"1\" ]; then
-               poetry run gunicorn evibes.wsgi:application --bind 0.0.0.0:8000 --workers 2 --reload --log-level debug --access-logfile - --error-logfile -;
+               poetry run gunicorn evibes.wsgi:application \
+                 --bind 0.0.0.0:8000 \
+                 --workers 2 \
+                 --reload \
+                 --log-level debug \
+                 --access-logfile - \
+                 --error-logfile -;
             else
-               poetry run gunicorn evibes.wsgi:application --bind 0.0.0.0:8000 --workers 12 --timeout 120;
+               poetry run gunicorn evibes.wsgi:application \
+                 --bind 0.0.0.0:8000 \
+                 --workers 12 \
+                 --timeout 120;
             fi"
    volumes:
      - .:/app
@ -42,45 +51,6 @@ services:
      - .env
    logging: *default-logging

-  worker:
-    container_name: worker
-    build:
-      context: .
-      dockerfile: Dockerfile.app
-    restart: always
-    command: >
-      sh -c "poetry run celery -A evibes worker --loglevel=info --concurrency=4 --autoscale=4,2 --max-tasks-per-child=100 --max-memory-per-child=512000 --soft-time-limit=10800 --time-limit=21600"
-    volumes:
-      - .:/app
-    env_file:
-      - .env
-    depends_on:
-      - app
-      - redis
-      - elasticsearch
-    logging: *default-logging
-    healthcheck:
-      test: [ "CMD", "celery", "-A", "evibes", "status" ]
-      interval: 30s
-      timeout: 10s
-      retries: 5
-    mem_limit: 2g
-
-  beat:
-    container_name: beat
-    build:
-      context: .
-      dockerfile: Dockerfile.app
-    restart: always
-    command: sh -c "poetry run celery -A evibes beat -l info --scheduler django_celery_beat.schedulers:DatabaseScheduler"
-    volumes:
-      - .:/app
-    env_file:
-      - .env
-    depends_on:
-      - worker
-    logging: *default-logging
-
  redis:
    container_name: redis
    image: redis:7.4
@ -110,6 +80,51 @@ services:
      - es-data:/usr/share/elasticsearch/data
    logging: *default-logging

+  worker:
+    container_name: worker
+    build:
+      context: .
+      dockerfile: Dockerfile.app
+    restart: always
+    command: >
+      sh -c "poetry run celery -A evibes worker --loglevel=info \
+             --concurrency=4 --autoscale=4,2 \
+             --max-tasks-per-child=100 \
+             --max-memory-per-child=512000 \
+             --soft-time-limit=10800 \
+             --time-limit=21600"
+    volumes:
+      - .:/app
+    env_file:
+      - .env
+    depends_on:
+      - app
+      - redis
+      - elasticsearch
+    logging: *default-logging
+    healthcheck:
+      test: [ "CMD", "celery", "-A", "evibes", "status" ]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+
+  beat:
+    container_name: beat
+    build:
+      context: .
+      dockerfile: Dockerfile.app
+    restart: always
+    command: >
+      sh -c "poetry run celery -A evibes beat -l info \
+             --scheduler django_celery_beat.schedulers:DatabaseScheduler"
+    volumes:
+      - .:/app
+    env_file:
+      - .env
+    depends_on:
+      - worker
+    logging: *default-logging
+
  prometheus:
    container_name: prometheus
    image: prom/prometheus:v3.4.1
@ -117,30 +132,17 @@ services:
    user: "root"
    volumes:
      - ./monitoring/prometheus.yml:/etc/prometheus/prometheus.yml:ro
+      - ./monitoring/web.yml:/etc/prometheus/web.yml:ro
      - prometheus-data:/prometheus
    ports:
      - "9090:9090"
-    logging: *default-logging
    depends_on:
      - app
      - worker
      - redis
      - elasticsearch
-
-#  nginx:  # TODO complete the service after storefront is present
-#    container_name: nginx
-#    image: nginx
-#    restart: always
-#    ports:
-#      - "80:80"
-#    logging: *default-logging
-
-#  storefront:  # TODO complete the service for future "storefront" Vite-Vue3 base storefront app
-#    container_name: storefront
-#    build:
-#      - dockerfile: Dockerfile.storefront
-#      - context: ./storefront
-#    logging: *default-logging
+    logging: *default-logging

 volumes:
  es-data:
+  prometheus-data:
--- a/monitoring/web.yml
+++ b/monitoring/web.yml
@ -0,0 +1,2 @@
+basic_auth_users:
+  admin: $2b$12$0HraDYmrZnJ089LcH9Vsn.Wv5V5a8oDlucTNm0.5obhULjPyLiYoy
--- a/6
+++ b/6
@ -106,10 +106,10 @@ server {
 }

 # ------------------------------------------------------------
-# Server block for flower.evibes.com
+# Server block for prometheus.evibes.com
 # ------------------------------------------------------------
 server {
-    server_name flower.evibes.com;
+    server_name prometheus.evibes.com;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/evibes.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/evibes.com/privkey.pem;
@ -119,7 +119,7 @@ server {
    client_max_body_size 100M;

    location / {
-        proxy_pass http://localhost:5555;
+        proxy_pass http://localhost:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/scripts/generate_prometheus_password.py
+++ b/scripts/generate_prometheus_password.py
@ -0,0 +1,5 @@
+import getpass
+
+import bcrypt
+
+print(bcrypt.hashpw(getpass.getpass("Password: ").encode("utf-8"), bcrypt.gensalt()).decode())