Implementing Secure Production-Ready Setup

This commit is contained in:
adelyaou 2025-09-01 18:04:48 +07:00
parent 892619df08
commit 13d26079da
11 changed files with 251 additions and 55 deletions


@ -43,4 +43,7 @@ next-env.d.ts
/src/generated/prisma
# secrets
/secrets/
/secrets/
#security scanning
/trivy-results/
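Review bot: `/secrets/` appears twice in the new version of this file, and because the hunk is recorded as three additions with no deletions, the second occurrence reads as a genuinely appended duplicate rather than an old/new rendering of one changed line — worth confirming against the raw diff. A duplicate pattern is harmless to git, but it suggests the block was pasted without checking the existing entry; keep only `#security scanning` and `/trivy-results/` as the new lines. The second .gitignore section in this commit has the same repeated `/secrets/` line and the same fix applies there.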

.gitignore vendored

@ -45,4 +45,7 @@ next-env.d.ts
/src/generated/prisma
#secrets
/secrets/
/secrets/
#trivy
/trivy-results/


@ -0,0 +1,112 @@
version: '3.8'
services:
prometheus:
image: prom/prometheus:v2.37.1
volumes:
- prometheus_data:/prometheus
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
- '--web.console.libraries=/etc/prometheus/console_libraries'
- '--web.console.templates=/etc/prometheus/consoles'
- '--web.enable-lifecycle'
ports:
- "9090:9090"
configs:
- source: prometheus_config
target: /etc/prometheus/prometheus.yml
networks:
- monitoring
- sipintar-overlay
grafana:
image: grafana/grafana
ports:
- "4000:3000"
networks:
- monitoring
- sipintar-overlay
alertmanager:
image: prom/alertmanager
configs:
- source: alertmanager_config
target: /etc/alertmanager/config.yml
ports:
- "9093:9093"
networks:
- monitoring
- sipintar-overlay
loki:
image: grafana/loki:2.8.2
ports:
- "3100:3100"
volumes:
- ./monitoring/loki/config.yml:/etc/loki/local-config.yml:ro
- loki-data:/loki
command:
- -config.file=/etc/loki/local-config.yml
networks:
- monitoring
- sipintar-overlay
deploy:
replicas: 1
promtail:
image: grafana/promtail:2.7.3
configs:
- source: promtail_config
target: /etc/promtail/config.yml
volumes:
- /var/lib/docker/containers:/var/lib/docker/containers:ro
networks:
- monitoring
- sipintar-overlay
node-exporter:
image: prom/node-exporter
ports:
- "9100:9100"
networks:
- monitoring
- sipintar-overlay
cadvisor:
image: gcr.io/cadvisor/cadvisor
ports:
- "8080:8080"
networks:
- monitoring
- sipintar-overlay
configs:
prometheus_config:
file: ./monitoring/prometheus/prometheus.yml
alertmanager_config:
file: ./monitoring/alertmanager/config.yml
loki_config:
file: ./monitoring/loki/config.yml
promtail_config:
file: ./monitoring/promtail/config.yml
networks:
sipintar-overlay:
driver: overlay
external: true
name: sipintar_stack_sipintar-overlay
monitoring:
driver: overlay
external: true
name: monitoring_sipintar-overlay
volumes:
prometheus_data:
loki-data:
# docker stack deploy -c docker-compose-monitoring.yml monitoring
# docker stack rm monitoring
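Review bot: Prometheus is started with `--web.enable-lifecycle` while port 9090 is published, which exposes the unauthenticated `/-/reload` and `/-/quit` management endpoints to anything that can reach the host (with `docker stack deploy` a published port sits on the ingress mesh of every node). Drop `- '--web.enable-lifecycle'` unless live config reloads are actually used, and consider not publishing 9090, 9093, 9100 and 8080 at all, since Prometheus, Grafana and the exporters reach each other over the `monitoring` overlay network. The Grafana service sets no admin credential (for example `GF_SECURITY_ADMIN_PASSWORD__FILE` pointing at a Docker secret), so the image's default admin login is reachable on the published port 4000. `grafana/grafana`, `prom/alertmanager`, `prom/node-exporter` and `gcr.io/cadvisor/cadvisor` carry no tag while the other services pin one; pin them (ideally by digest) so a redeploy does not silently pull a different image. The `loki_config` entry under `configs:` is defined but no service references it — Loki reads its config through a bind mount instead, which on a multi-node swarm requires the file to exist on whichever node schedules the task.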


@ -5,10 +5,7 @@ services:
working_dir: /app
ports:
- "3000:3000"
# environment:
# # DATABASE_URL: /run/secrets/db_url
# # DATABASE_URL_FILE: /run/secrets/db_url
# DATABASE_URL: "mysql://sipintar_user:$$(cat /run/secrets/db_password)@sipintar_mysql:3306/sipintar_school"
depends_on:
- db
networks:
@ -107,3 +104,5 @@ networks:
#docker-compose down
# docker system prune -f
# docker network prune -f
# docker stack rm sipintar_stack


@ -0,0 +1,15 @@
global:
resolve_timeout: 5m
route:
receiver: 'default'
receivers:
- name: 'default'
email_configs:
- to: 'youremail@example.com'
from: 'alert@example.com'
smarthost: 'smtp.gmail.com:587'
auth_username: 'alert@example.com'
auth_identity: 'alert@example.com'
auth_password: 'yourpassword'
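Review bot: `auth_password: 'yourpassword'` places the SMTP credential inline in a file that is both committed and distributed as a Docker config (readable via `docker config inspect` and not encrypted at rest), so the moment the placeholder is replaced with a real value it leaks through both channels. Use `auth_password_file: /run/secrets/<smtp-password-secret>` (placeholder name) and attach that secret to the alertmanager service in the monitoring compose file instead of the plain key. The remaining `example.com` addresses mean the `default` receiver cannot deliver anything as committed; a comment such as `# placeholder values — supply real ones via secret before deploying` would make that explicit.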


@ -0,0 +1,54 @@
auth_enabled: false
server:
http_listen_port: 3100
grpc_listen_port: 9096
ingester:
lifecycler:
address: 0.0.0.0
ring:
kvstore:
store: inmemory
replication_factor: 1
chunk_idle_period: 5m
max_chunk_age: 1h
chunk_target_size: 1048576
chunk_retain_period: 30s
wal:
enabled: true
dir: /loki/wal
schema_config:
configs:
- from: 2020-10-24
store: boltdb-shipper
object_store: filesystem
schema: v11
index:
prefix: index_
period: 24h
storage_config:
boltdb_shipper:
active_index_directory: /loki/index
cache_location: /loki/cache
shared_store: filesystem
filesystem:
directory: /loki/chunks
compactor:
working_directory: /loki/compactor
shared_store: filesystem
limits_config:
ingestion_rate_mb: 8
ingestion_burst_size_mb: 16
max_concurrent_tail_requests: 20
chunk_store_config:
max_look_back_period: 0s
table_manager:
retention_deletes_enabled: true
retention_period: 168h # 7 hari
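Review bot: `auth_enabled: false` disables tenant authentication, and the monitoring compose file publishes Loki's port 3100 on the host, so anyone who can reach the host can push arbitrary log lines or query every stored log; Promtail already pushes over the overlay network (`http://loki:3100`), so the published port can be removed, or an authenticating proxy has to sit in front of it. The retention settings under `table_manager` most likely have no effect for this schema: Table Manager retention relies on stores with TTL support, whereas for `boltdb-shipper` retention is enforced by the Compactor, so `retention_enabled: true` under `compactor:` together with `retention_period: 168h` under `limits_config:` is what would actually apply the 7-day window. The trailing comment `# 7 hari` is Indonesian; `# 7 days` would match the rest of the file.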


@ -1,52 +1,25 @@
services:
prometheus:
image: prom/prometheus:v2.37.1
volumes:
- ./prometheus:/etc/prometheus
- prometheus_data:/prometheus
command:
- "--config.file=/etc/prometheus/prometheus.yml"
- "--storage.tsdb.path=/prometheus"
- "--web.console.libraries=/usr/share/prometheus/console_libraries"
- "--web.console.templates=/usr/share/prometheus/consoles"
deploy:
placement:
constraints:
- node.role == manager
networks:
- traefik-public
global:
scrape_interval: 15s
evaluation_interval: 15s
node-exporter:
image: prom/node-exporter:v1.3.1
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
command:
- "--path.procfs=/host/proc"
- "--path.sysfs=/host/sys"
- "--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)"
deploy:
mode: global
networks:
- traefik-public
scrape_configs:
- job_name: 'sipintar-app'
metrics_path: '/api/metrics'
static_configs:
- targets: ['localhost:3000']
cadvisor:
image: gcr.io/cadvisor/cadvisor:v0.45.0
volumes:
- /:/rootfs:ro
- /var/run:/var/run:ro
- /sys:/sys:ro
- /var/lib/docker/:/var/lib/docker:ro
- /dev/disk/:/dev/disk:ro
deploy:
mode: global
networks:
- traefik-public
- job_name: 'prometheus'
static_configs:
- targets: ['localhost:9090']
volumes:
prometheus_data:
- job_name: 'node-exporter'
static_configs:
- targets: ['node-exporter:9100']
networks:
traefik-public:
external: true
- job_name: 'cadvisor'
static_configs:
- targets: ['cadvisor:8080']
- job_name: 'loki'
static_configs:
- targets: ['loki:3100']
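Review bot: The `sipintar-app` job scrapes `localhost:3000`, but inside the Prometheus container `localhost` is Prometheus itself, so the application's `/api/metrics` endpoint will never be collected; the target should be the app's service name on the `sipintar-overlay` network that the monitoring stack attaches to, e.g. `- targets: ['<app-service-name>:3000']` (placeholder). The new config also has no `alerting:` section and no `rule_files:`, so the Alertmanager deployed next to it — and its email receiver — never receives an alert, unless those lines are among the blank-looking lines this rendering dropped, which I cannot see here. If the app's metrics endpoint is later gated on a scrape token, this job needs the matching `authorization:` block; a comment naming that dependency would help whoever adds it.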


@ -0,0 +1,18 @@
server:
http_listen_port: 9080
grpc_listen_port: 0
positions:
filename: /tmp/positions.yaml
clients:
- url: http://loki:3100/loki/api/v1/push
scrape_configs:
- job_name: docker
static_configs:
- targets:
- localhost
labels:
job: varlogs
__path__: /var/lib/docker/containers/*/*.log
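Review bot: `filename: /tmp/positions.yaml` lives on the container's ephemeral filesystem and the promtail service in the compose file mounts only `/var/lib/docker/containers`, so every restart loses the read positions and re-ships each container log from the beginning, producing duplicate lines in Loki. Point it at a persisted path, e.g. `filename: /var/lib/promtail/positions.yaml` (constructed path), and back that directory with a named volume on the service. Docker's JSON-file logs are shipped verbatim as configured; adding `pipeline_stages:` with `- docker: {}` to the job unwraps the JSON so the message, stream and timestamp are parsed. The `job: varlogs` label is a leftover from the usual `/var/log` example and is misleading for container logs; `job: docker` would match the `job_name`.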


@ -0,0 +1,11 @@
export const runtime = "nodejs";
import { Registry, collectDefaultMetrics } from 'prom-client';
const register = new Registry();
collectDefaultMetrics({ register });
export async function GET() {
return new Response(await register.metrics(), {
headers: { 'Content-Type': register.contentType },
});
}
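Review bot: `GET` returns the registry contents to any caller, and the application service publishes port 3000, so process-level details (heap usage, event-loop lag, Node version, CPU time) are readable by anyone who can reach the host; either keep `/api/metrics` unreachable from outside (serve it only over the overlay network or block it at the reverse proxy) or gate it on a scrape token that the Prometheus job presents, as sketched below (`METRICS_TOKEN` is a constructed name). Depending on the Next.js version, a `GET` handler that reads neither the request nor any dynamic API can be evaluated at build time and served as a static response; `export const dynamic = 'force-dynamic';` next to the `runtime` export makes every scrape execute the handler. `collectDefaultMetrics({ register })` runs at module load, which under dev-mode hot reload can re-register the default metrics on the same process and throw a duplicate-registration error — presumably a dev-only annoyance, but worth a comment.
```typescript
// … unchanged: runtime export, prom-client import, Registry setup …
export async function GET(request: Request) {
  // Serve metrics only to a scraper presenting the shared token; METRICS_TOKEN
  // must be set in the app environment and in the Prometheus job's authorization.
  const expected = process.env.METRICS_TOKEN;
  if (!expected || request.headers.get('authorization') !== `Bearer ${expected}`) {
    return new Response('unauthorized', { status: 401 });
  }
  return new Response(await register.metrics(), {
    headers: { 'Content-Type': register.contentType },
  });
}
```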

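--- /dev/null
+++ b/src/types/prom-client.d.ts
@@ -0,0 +1,8 @@
+declare module 'prom-client' {
+export class Registry {
+metrics(): Promise<string>;
+contentType: string;
+}
+export function collectDefaultMetrics(opts: { register: Registry }): void;
+}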


@ -22,6 +22,6 @@
"@/*": ["./src/*"]
}
},
"include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
"include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts", "src", "src/types"],
"exclude": ["node_modules"]
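Review bot: `"src"` and `"src/types"` add nothing to `include`, because `**/*.ts` already matches every `.ts` and `.d.ts` file under `src`, including the new `src/types/prom-client.d.ts`; the previous form of the line covers the same files without the redundant entries. If they were added because the ambient declaration seemed not to be picked up, the cause is more likely elsewhere — and note that an ambient `declare module 'prom-client'` shim takes precedence over the package's own bundled declarations, narrowing the visible type surface to the two members it declares.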
}