Implementing Secure Production-Ready Setup

.dockerignore

@@ -43,4 +43,7 @@ next-env.d.ts
 /src/generated/prisma
 
 # secrets
-/secrets/
+/secrets/
+
+#security scanning
+/trivy-results/

.gitignore

@@ -45,4 +45,7 @@ next-env.d.ts
 /src/generated/prisma
 
 #secrets
-/secrets/
+/secrets/
+
+#trivy
+/trivy-results/

docker-compose-monitoring.yml

@@ -0,0 +1,112 @@
+version: '3.8'
+
+services:
+  prometheus:
+    image: prom/prometheus:v2.37.1
+  
+    volumes:
+      - prometheus_data:/prometheus
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--storage.tsdb.path=/prometheus'
+      - '--web.console.libraries=/etc/prometheus/console_libraries'
+      - '--web.console.templates=/etc/prometheus/consoles'
+      - '--web.enable-lifecycle'
+    ports:
+      - "9090:9090"
+    configs:
+      - source: prometheus_config
+        target: /etc/prometheus/prometheus.yml
+    networks:
+      - monitoring
+      - sipintar-overlay
+
+  grafana:
+    image: grafana/grafana
+    ports:
+      - "4000:3000"
+    networks:
+      - monitoring
+      - sipintar-overlay
+
+  alertmanager:
+    image: prom/alertmanager
+    configs:
+      - source: alertmanager_config
+        target: /etc/alertmanager/config.yml
+    ports:
+      - "9093:9093"
+    networks:
+      - monitoring
+      - sipintar-overlay
+
+  loki:
+    image: grafana/loki:2.8.2
+    ports:
+      - "3100:3100"
+    volumes:
+      - ./monitoring/loki/config.yml:/etc/loki/local-config.yml:ro
+      - loki-data:/loki
+    command: 
+      - -config.file=/etc/loki/local-config.yml
+    networks:
+      - monitoring
+      - sipintar-overlay
+    deploy:
+      replicas: 1
+
+  promtail:
+    image: grafana/promtail:2.7.3
+    configs:
+      - source: promtail_config
+        target: /etc/promtail/config.yml
+    volumes:
+      - /var/lib/docker/containers:/var/lib/docker/containers:ro
+    networks:
+      - monitoring
+      - sipintar-overlay
+
+  node-exporter:
+    image: prom/node-exporter
+    ports:
+      - "9100:9100"
+    networks:
+      - monitoring
+      - sipintar-overlay
+
+  cadvisor:
+    image: gcr.io/cadvisor/cadvisor
+    ports:
+      - "8080:8080"
+    networks:
+      - monitoring
+      - sipintar-overlay
+
+configs:
+  prometheus_config:
+    file: ./monitoring/prometheus/prometheus.yml
+  alertmanager_config:
+    file: ./monitoring/alertmanager/config.yml
+  loki_config:
+    file: ./monitoring/loki/config.yml
+  promtail_config:
+    file: ./monitoring/promtail/config.yml
+
+networks:
+  sipintar-overlay:
+    driver: overlay
+    external: true
+    name: sipintar_stack_sipintar-overlay
+  monitoring:
+    driver: overlay
+    external: true
+    name: monitoring_sipintar-overlay
+
+volumes:
+  prometheus_data:
+  loki-data:
+
+
+
+# docker stack deploy -c docker-compose-monitoring.yml monitoring
+# docker stack rm monitoring

docker-compose-prod.yml

@@ -5,10 +5,7 @@ services:
     working_dir: /app
     ports:
       - "3000:3000"
-    # environment:
+    
-    #   # DATABASE_URL: /run/secrets/db_url
-    #   # DATABASE_URL_FILE: /run/secrets/db_url
-    #   DATABASE_URL: "mysql://sipintar_user:$$(cat /run/secrets/db_password)@sipintar_mysql:3306/sipintar_school"
     depends_on:
       - db
     networks:
@@ -107,3 +104,5 @@ networks:
 #docker-compose down
 # docker system prune -f
 # docker network prune -f
+
+# docker stack rm sipintar_stack

monitoring/alertmanager/config.yml

@@ -0,0 +1,15 @@
+global:
+  resolve_timeout: 5m
+
+route:
+  receiver: 'default'
+
+receivers:
+  - name: 'default'
+    email_configs:
+      - to: 'youremail@example.com'
+        from: 'alert@example.com'
+        smarthost: 'smtp.gmail.com:587'
+        auth_username: 'alert@example.com'
+        auth_identity: 'alert@example.com'
+        auth_password: 'yourpassword'

monitoring/loki/config.yml

@@ -0,0 +1,54 @@
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+ingester:
+  lifecycler:
+    address: 0.0.0.0
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+  chunk_idle_period: 5m
+  max_chunk_age: 1h
+  chunk_target_size: 1048576
+  chunk_retain_period: 30s
+  wal:
+    enabled: true
+    dir: /loki/wal
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: filesystem
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+storage_config:
+  boltdb_shipper:
+    active_index_directory: /loki/index
+    cache_location: /loki/cache
+    shared_store: filesystem
+  filesystem:
+    directory: /loki/chunks
+
+compactor:
+  working_directory: /loki/compactor
+  shared_store: filesystem
+
+limits_config:
+  ingestion_rate_mb: 8
+  ingestion_burst_size_mb: 16
+  max_concurrent_tail_requests: 20
+
+chunk_store_config:
+  max_look_back_period: 0s
+
+table_manager:
+  retention_deletes_enabled: true
+  retention_period: 168h   # 7 hari

monitoring/prometheus/prometheus.yml

@@ -1,52 +1,25 @@
-services:
+global:
-  prometheus:
+  scrape_interval: 15s
-    image: prom/prometheus:v2.37.1
+  evaluation_interval: 15s
-    volumes:
-      - ./prometheus:/etc/prometheus
-      - prometheus_data:/prometheus
-    command:
-      - "--config.file=/etc/prometheus/prometheus.yml"
-      - "--storage.tsdb.path=/prometheus"
-      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
-      - "--web.console.templates=/usr/share/prometheus/consoles"
-    deploy:
-      placement:
-        constraints:
-          - node.role == manager
-    networks:
-      - traefik-public
 
-  node-exporter:
+scrape_configs:
-    image: prom/node-exporter:v1.3.1
+  - job_name: 'sipintar-app'
-    volumes:
+    metrics_path: '/api/metrics'
-      - /proc:/host/proc:ro
+    static_configs:
-      - /sys:/host/sys:ro
+      - targets: ['localhost:3000']
-      - /:/rootfs:ro
-    command:
-      - "--path.procfs=/host/proc"
-      - "--path.sysfs=/host/sys"
-      - "--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)"
-    deploy:
-      mode: global
-    networks:
-      - traefik-public
 
-  cadvisor:
+  - job_name: 'prometheus'
-    image: gcr.io/cadvisor/cadvisor:v0.45.0
+    static_configs:
-    volumes:
+      - targets: ['localhost:9090']
-      - /:/rootfs:ro
-      - /var/run:/var/run:ro
-      - /sys:/sys:ro
-      - /var/lib/docker/:/var/lib/docker:ro
-      - /dev/disk/:/dev/disk:ro
-    deploy:
-      mode: global
-    networks:
-      - traefik-public
 
-volumes:
+  - job_name: 'node-exporter'
-  prometheus_data:
+    static_configs:
+      - targets: ['node-exporter:9100']
 
-networks:
+  - job_name: 'cadvisor'
-  traefik-public:
+    static_configs:
-    external: true
+      - targets: ['cadvisor:8080']
+  
+  - job_name: 'loki'
+    static_configs:
+      - targets: ['loki:3100']

monitoring/promtail/config.yml

@@ -0,0 +1,18 @@
+server:
+  http_listen_port: 9080
+  grpc_listen_port: 0
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+  - job_name: docker
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: varlogs
+          __path__: /var/lib/docker/containers/*/*.log

src/app/api/metrics/route.ts

@@ -0,0 +1,11 @@
+export const runtime = "nodejs";
+import { Registry, collectDefaultMetrics } from 'prom-client';
+
+const register = new Registry();
+collectDefaultMetrics({ register });
+
+export async function GET() {
+  return new Response(await register.metrics(), {
+    headers: { 'Content-Type': register.contentType },
+  });
+}

src/types/prom-client.d.ts

@@ -0,0 +1,8 @@
+declare module 'prom-client' {
+  export class Registry {
+    metrics(): Promise<string>;
+    contentType: string;
+  }
+
+  export function collectDefaultMetrics(opts: { register: Registry }): void;
+}

tsconfig.json

@@ -22,6 +22,6 @@
       "@/*": ["./src/*"]
     }
   },
-  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts", "src", "src/types"],
   "exclude": ["node_modules"]
 }