Add Prometheus/Grafana monitoring

.forgejo/workflows/shellcheck.yaml

@@ -5,7 +5,7 @@ jobs:
     runs-on: debian-12
     steps:
       - name: Install ShellCheck
-        run: apt-get update && apt-get install shellcheck
+        run: apt-get update && apt-get install -y shellcheck
       - name: Checkout
         uses: actions/checkout@v4
       - name: Run ShellCheck

container-config/alloy/config.alloy

@@ -0,0 +1,15 @@
+prometheus.exporter.unix "local" {
+  rootfs_path = "/run/host"
+}
+prometheus.scrape "scraper" {
+  targets = prometheus.exporter.unix.local.targets
+  forward_to [prometheus.remote_write.writer.receiver]
+prometheus.remote_write "writer" {
+  endpoint {
+    url = "https://metrics.strypsteen.com/api/v1/write"
+    basic_auth {
+      username = "admin"
+      password = env("PROMETHEUS_PASSWORD")
+    }
+  }
+}

container-config/code-server/settings.json

@@ -17,7 +17,6 @@
   "files.trimFinalNewlines": true,
   "files.trimTrailingWhitespace": true,
   "git.confirmSync": false,
-  "github.gitAuthentication": false,
   "search.smartCase": true,
   "workbench.colorTheme": "Default Dark Modern",
   "workbench.settings.enableNaturalLanguageSearch": false,

container-config/nginx-home/metrics

@@ -0,0 +1,11 @@
+server {
+  server_name metrics.strypsteen.com;
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  include snippets/headers.conf;
+  location / {
+    set $upstream systemd-prometheus.:9090;
+    proxy_pass http://$upstream;
+    include snippets/proxy.conf;
+  }
+}

container-config/nginx-home/monitoring

@@ -0,0 +1,16 @@
+server {
+  server_name monitoring.strypsteen.com;
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  deny 10.0.0.1;
+  deny fd00::1;
+  include snippets/headers.conf;
+  location / {
+    set $upstream systemd-grafana.:3000;
+    proxy_pass http://$upstream;
+    include snippets/proxy.conf;
+    proxy_http_version 1.1;
+    proxy_set_header Connection upgrade;
+    proxy_set_header Upgrade $http_upgrade;
+  }
+}

container-config/suricata/disable.conf

@@ -1,5 +0,0 @@
-re:protocol-command-decode
-re:not-suspicious
-re:misc-activity
-re:misc-attack
-re:bad-unknown

home/etc/containers/systemd/grafana.container

@@ -0,0 +1,7 @@
+[Container]
+Image=cgr.dev/chainguard/grafana
+Network=nginx.network
+Volume=grafana.volume:/var/lib/grafana:U,Z
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target

home/etc/containers/systemd/prometheus.container

@@ -0,0 +1,10 @@
+[Container]
+Image=cgr.dev/chainguard/prometheus
+Network=nginx.network
+Exec=--web.config.file=/run/secrets/prometheus-config --web.enable-remote-write-receiver
+Volume=/var/lib/system-config/container-config/prometheus/prometheus.yml:/prometheus.yml:z,ro
+Volume=prometheus.volume:/data:U,Z
+Secret=prometheus-config
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target

server/etc/containers/systemd/alloy.container

@@ -0,0 +1,12 @@
+[Container]
+Image=docker.io/grafana/alloy
+PodmanArgs=--pid=host
+Unmask=ALL
+Network=host
+Volume=/var/lib/system-config/container-config/alloy/config.alloy:/etc/alloy/config.alloy:z,ro
+Volume=/:/run/host:ro
+Tmpfs=/var/lib/alloy
+Secret=PROMETHEUS_PASSWORD,type=env
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target

setup-vyos.sh

@@ -8,6 +8,8 @@ set system static-host-mapping host-name home.strypsteen.com alias element.stryp
 set system static-host-mapping host-name home.strypsteen.com alias git.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias llm.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias matrix.strypsteen.com
+set system static-host-mapping host-name home.strypsteen.com alias metrics.strypsteen.com
+set system static-host-mapping host-name home.strypsteen.com alias monitoring.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias network.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias office.strypsteen.com
 set system static-host-mapping host-name home.strypsteen.com alias remote-desktop.strypsteen.com