
feat(): add Prometheus container

Peter Thomassen 5 anni fa
parent
commit
641d2accac

+ 2 - 1
.env.default

@@ -41,5 +41,6 @@ DESECSTACK_NSMASTER_CARBONOURNAME=
 # replication-manager
 DESECSTACK_REPLICATION_MANAGER_CERTS=
 
-# slave watchdog
+# monitoring
 DESECSTACK_WATCHDOG_SLAVES=ns1.example.org ns2.example.net
+DESECSTACK_PROMETHEUS_PASSWORD=
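Review bot: `DESECSTACK_PROMETHEUS_PASSWORD=` ships empty and nothing in this template tells an operator that the `www` container refuses to start while it stays empty, which is what the entrypoint in this commit does; a one-line comment above it would save a failed deployment. Suggest `# required: HTTP basic-auth password for the /prometheus/ endpoint; www exits at start if this is empty`. The value is hashed into an htpasswd file when the container starts, so any long random string will do and it never needs to be memorable.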

+ 4 - 0
.env.dev

@@ -40,3 +40,7 @@ DESECSTACK_NSMASTER_CARBONOURNAME=
 
 # replication-manager
 DESECSTACK_REPLICATION_MANAGER_CERTS=./replication-certs
+
+# monitoring
+DESECSTACK_WATCHDOG_SLAVES=
+DESECSTACK_PROMETHEUS_PASSWORD=insecure
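Review bot: `DESECSTACK_PROMETHEUS_PASSWORD=insecure` is a committed credential; that is acceptable for a local development stack, but nothing in the file says so, and this password is the only thing standing in front of the Prometheus UI and query API. Suggest `# dev only: sole protection for the Prometheus UI/query API behind nginx; never reuse outside a local stack` directly above it. If the empty `DESECSTACK_WATCHDOG_SLAVES=` is intentional for dev (no slaves to check), a short comment saying so would help too.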

+ 1 - 0
.travis.yml

@@ -30,6 +30,7 @@ env:
    - DESECSTACK_WWW_CERTS=./certs
    - DESECSTACK_DBMASTER_CERTS=./dbmastercerts
    - DESECSTACK_MINIMUM_TTL_DEFAULT=3600
+   - DESECSTACK_PROMETHEUS_PASSWORD=Je9NNkqbULsg
 
 services:
   - docker
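Review bot: `- DESECSTACK_PROMETHEUS_PASSWORD=Je9NNkqbULsg` puts a realistic-looking password into a CI file that is committed to the repository; its only job is to satisfy the non-empty check that `www/entrypoint.sh` performs in this commit, so it should not look like a secret someone might later reuse, and secret scanners will flag it indefinitely. Either make it an obviously throwaway value, e.g. `- DESECSTACK_PROMETHEUS_PASSWORD=ci-only-not-a-secret`, or generate one per run, e.g. `- DESECSTACK_PROMETHEUS_PASSWORD=$(openssl rand -hex 12)`, if command substitution works in the global `env:` list of this Travis version (I believe it does, but confirm before relying on it). A trailing comment `# throwaway, only needed so www starts` would make the intent clear either way.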

+ 4 - 2
README.md

@@ -11,7 +11,8 @@ This is a docker-compose application providing the basic stack for deSEC name se
 - `celery`: A shadow instance of the `api` code for performing asynchronous tasks (email delivery).
 - `rabbitmq`: `celery`'s queue
 - `memcached`: `api`-wide in-memory cache, currently used to keep API throttling state
-- `openvpn-server`: OpenVPN server used to tunnel replication traffic between this stack and frontend DNS slaves.
+- `openvpn-server`: OpenVPN server used to tunnel replication traffic between this stack and frontend DNS slaves
+- `prometheus`: Prometheus server for monitoring
 
 Requirements
 ------------
@@ -69,8 +70,9 @@ Although most configuration is contained in this repository, some external depen
       - `DESECSTACK_NSMASTER_CARBONOURNAME`: pdns `carbon-ourname` setting on nsmaster (optional)
     - replication-manager related
       - `DESECSTACK_REPLICATION_MANAGER_CERTS`: a directory where `replication-manager` (to configure slave replication) will dump the slave's TLS key and certificate
-    - watchdog-related
+    - monitoring-related
       - `DESECSTACK_WATCHDOG_SLAVES`: space-separated list of slave hostnames; used to check correct replication of recent DNS changes
+      - `DESECSTACK_PROMETHEUS_PASSWORD`: basic auth password for user `prometheus` at `https://${DESECSTACK_DOMAIN}/prometheus/`
 
 How to Run
 ----------

+ 4 - 0
docker-compose.dev.yml

@@ -77,6 +77,10 @@ services:
     logging:
       driver: "json-file"
 
+  prometheus:
+    logging:
+      driver: "json-file"
+
 networks:
   rearwebapp:
     driver: bridge

+ 40 - 0
docker-compose.yml

@@ -17,8 +17,10 @@ services:
     environment:
     - DESECSTACK_DOMAIN
     - DESECSTACK_WWW_CERTS
+    - DESECSTACK_PROMETHEUS_PASSWORD
     depends_on:
     - api
+    - prometheus
     mac_address: 06:42:ac:10:00:80
     networks:
       front:
@@ -27,6 +29,7 @@ services:
       rearwww:
       rearreplication:
         ipv4_address: ${DESECSTACK_IPV4_REAR_PREFIX16}.7.4
+      rearmonitoring_www:
     logging:
       driver: "syslog"
       options:
@@ -281,10 +284,39 @@ services:
         tag: "desec/openvpn-server"
     restart: unless-stopped
 
+  prometheus:
+    image: prom/prometheus:latest
+    init: true
+    volumes:
+    - ./prometheus/conf:/etc/prometheus:ro
+    - prometheus:/prometheus
+    networks:
+      rearmonitoring_www:
+        ipv4_address: ${DESECSTACK_IPV4_REAR_PREFIX16}.8.2
+    extra_hosts:
+    - prometheus.localhost:${DESECSTACK_IPV4_REAR_PREFIX16}.8.2
+    command: [
+      # Defaults follow
+      "--config.file=/etc/prometheus/prometheus.yml",
+      "--storage.tsdb.path=/prometheus",
+      "--web.console.libraries=/usr/share/prometheus/console_libraries",
+      "--web.console.templates=/usr/share/prometheus/consoles",
+      # Local parameters follow
+      "--web.listen-address=${DESECSTACK_IPV4_REAR_PREFIX16}.8.2:9090",
+      "--web.external-url=https://desec.${DESECSTACK_DOMAIN}/prometheus",
+      "--web.route-prefix=/",
+    ]
+    logging:
+      driver: "syslog"
+      options:
+        tag: "desec/prometheus"
+    restart: unless-stopped
+
 volumes:
   dbapi_mysql:
   dblord_mysql:
   dbmaster_mysql:
+  prometheus:
   rabbitmq_data:
   webapp_dist:
 
@@ -351,3 +383,11 @@ networks:
       config:
       - subnet: ${DESECSTACK_IPV4_REAR_PREFIX16}.7.0/24
         gateway: ${DESECSTACK_IPV4_REAR_PREFIX16}.7.1
+  # Monitoring
+  rearmonitoring_www:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+      - subnet: ${DESECSTACK_IPV4_REAR_PREFIX16}.8.0/29
+        gateway: ${DESECSTACK_IPV4_REAR_PREFIX16}.8.1
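Review bot: `image: prom/prometheus:latest` in the new `prometheus` service pulls whatever upstream publishes at the time of each deploy or re-create, so the monitoring container's code can change underneath the stack without any commit; pin a specific `vX.Y.Z` tag (ideally with an `@sha256:` digest) and bump it deliberately. Separately, `--web.external-url=https://desec.${DESECSTACK_DOMAIN}/prometheus` disagrees with the README in this same commit, which documents `https://${DESECSTACK_DOMAIN}/prometheus/`; Prometheus uses the external URL for generated links and redirects, so whichever host the `90-desec` nginx site actually serves (not visible here) should be used in both places. The command line leaves `--web.enable-admin-api` and `--web.enable-lifecycle` at their (disabled) defaults, which is the right choice given that a single shared basic-auth credential is all that guards the proxy; a comment such as `# do not enable the admin or lifecycle API: only basic auth in nginx protects this` would stop a future "helpful" addition. The `/29` subnet is fine for the current two members but worth a note since `www` and `prometheus` already use two of the six usable addresses.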

+ 14 - 0
prometheus/conf/prometheus.yml

@@ -0,0 +1,14 @@
+global:
+  scrape_interval:     15s # By default, scrape targets every 15 seconds.
+
+  # Attach these labels to any time series or alerts when communicating with
+  # external systems (federation, remote storage, Alertmanager).
+  external_labels:
+    monitor: 'desec-stack'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  - job_name: 'prometheus'
+    static_configs:
+      - targets: ['prometheus.localhost:9090']

+ 1 - 0
www/conf/sites-available/90-desec.conf.var

@@ -31,5 +31,6 @@ server {
 
     # include api and static locations, these files may be overridden for debugging
     include sites-available/90-desec.api.location;
+    include sites-available/90-desec.prometheus.location;
     include sites-available/90-desec.static.location;
 }

+ 13 - 0
www/conf/sites-available/90-desec.prometheus.location

@@ -0,0 +1,13 @@
+######
+# Pass requests to Prometheus (require basic authentication)
+######
+location /prometheus/ {
+    expires epoch;
+    etag off;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+
+    auth_basic "Prometheus";
+    auth_basic_user_file /etc/nginx/htpasswd;
+
+    proxy_pass http://prometheus:9090/;
+}
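Review bot: the `auth_basic` block in `location /prometheus/` is the only barrier between the Internet and the Prometheus query API, and nothing here slows down password guessing against the single `prometheus` account; the API throttling the README attributes to memcached covers the `api` location, not this one. Add a request limit in this location, e.g. `limit_req zone=prometheus_auth burst=10 nodelay;`, backed by `limit_req_zone $binary_remote_addr zone=prometheus_auth:1m rate=5r/s;` in the `http` context, which lives outside this file. Consider also `proxy_set_header Authorization "";` so the credential is not forwarded to the upstream, which does not authenticate requests itself in this setup. The trailing slash on `proxy_pass http://prometheus:9090/;` is what strips the `/prometheus/` prefix to match `--web.route-prefix=/` in the compose file; that coupling deserves a comment like `# trailing slash strips /prometheus/ - must match --web.route-prefix=/ in docker-compose.yml`.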

+ 5 - 0
www/entrypoint.sh

@@ -1,7 +1,12 @@
 #!/bin/bash
 
+# Figure out how to route responses when slaves access through VPN
 /sbin/ip route add 10.8.0.0/24 via 172.16.7.2
 
+# Prometheus basic auth
+[[ -z "${DESECSTACK_PROMETHEUS_PASSWORD}" ]] && { echo "You must set DESECSTACK_PROMETHEUS_PASSWORD to a non-empty value."; exit 1; }
+echo prometheus:$(openssl passwd -apr1 -stdin <<< $DESECSTACK_PROMETHEUS_PASSWORD) > /etc/nginx/htpasswd
+
 # list of domains we're using
 DOMAINS="\
     checkipv4.dedyn.${DESECSTACK_DOMAIN} \
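Review bot: the new htpasswd line `echo prometheus:$(openssl passwd -apr1 -stdin <<< $DESECSTACK_PROMETHEUS_PASSWORD) > /etc/nginx/htpasswd` creates the file under the shell's default umask, so it is normally world-readable inside the container, and `-apr1` is a fast MD5-based scheme that offers little protection if the file leaks. Tighten both: set `umask 027` before the redirect (or `chmod 0640 /etc/nginx/htpasswd` afterwards, with the group set to whatever user the nginx workers run as, which is not visible here), and prefer `openssl passwd -6` (SHA-512 crypt) if the image's openssl (1.1.1+) and libc `crypt()` support it, since nginx's `auth_basic_user_file` accepts crypt-format hashes. The failure message should go to stderr, `echo "You must set DESECSTACK_PROMETHEUS_PASSWORD to a non-empty value." >&2`. The unquoted `$DESECSTACK_PROMETHEUS_PASSWORD` in the here-string happens to be safe in bash (here-strings neither word-split nor glob), but quoting it costs nothing and removes the question for the next reader.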