Kiina / TraPrAlGra

An easy to deploy router and monitoring stack.


TraPrAlGra

A Traefik, Prometheus, node-exporter, cAdvisor, pushgateway, Alertmanager and Grafana edge router and monitoring stack. The goal of this project is to provide an easy-to-set-up, easy-to-deploy stack built on modern technologies. It automatically generates A+ rated (according to SSL Labs) SSL certificates issued by Let's Encrypt, and it redirects users who try to reach a page over http to its https counterpart.

The main components:

Traefik

Traefik is an open-source Edge Router that makes publishing your services a fun and easy experience. It receives requests on behalf of your system and finds out which components are responsible for handling them. - Traefik

Traefik makes registering new services (including their respective subdomains) a breeze and keeps the configuration lean and readable.

Prometheus

Prometheus is a free software application used for event monitoring and alerting. It records real-time metrics in a time series database (allowing for high dimensionality) built using a HTTP pull model, with flexible queries and real-time alerting. - Wikipedia

Prometheus is the centre of the monitoring stack: it collects the metrics generated by the other components (node-exporter, cAdvisor, pushgateway and Traefik itself). When a configured alert rule fires, Alertmanager sends a message to the configured receivers. Since not all services support the Prometheus pull model, the pushgateway is included in this stack so that metrics from such services can be collected as well.

Grafana

Grafana is an open-source, general purpose dashboard and graph composer, which runs as a web application. - Arch Wiki

Grafana takes the metrics provided by Prometheus and displays them in beautiful graph dashboards. TraPrAlGra includes 4 preconfigured dashboards to serve different use cases:

  • Docker Containers: Displays graphs about metrics collected from Docker containers that are not part of the monitoring stack.
  • Docker Host: Displays graphs of the server's hardware usage, and general machine stats such as uptime.
  • Monitor Services: Displays graphs about the monitoring containers and Prometheus' own generated metrics.
  • Traefik: Displays graphs generated out of Traefik's metrics such as HTTP status codes and average response times.

Prerequisites

To use TraPrAlGra you need the following:

  • A domain
  • A server with installed docker and docker-compose
  • An Alertmanager compatible receiver (this repo already includes a template for Slack)

Configuration guide

  1. Clone this repository to your machine: git clone git@github.com:sebastianwachter/TraPrAlGra.git
  2. Create a Docker network called "proxy": docker network create proxy. This is the network your services use to get proxied by Traefik.
  3. Restrict the acme.json's permissions to 600: chmod 600 acme.json
  4. In the traefik.yml file fill in your E-Mail address where it's required (this must be the same address in both cases).
  5. Generate an HTTP basic auth user/password pair using htpasswd -nb <user> <password> and copy the output.
  6. Open the .env file and replace the placeholders (TRAEFIK_DASHBOARD_USER and TRAEFIK_DASHBOARD_PASSWORD) with the data generated in step 5.
  7. Still in .env replace TRAEFIK_DOMAIN with your domain like: example.com
  8. Also in the .env file decide (TRAEFIK_LE_RESOLVER) whether you want to use the staging or the usual Let's Encrypt resolver (leresolver). The staging server generates invalid self-signed certificates used for development purposes, while leresolver generates A+ rated SSL certificates; requesting those too often in a short period of time will get the domain rate limited (further reading on rate limits here).
  9. As a final step in the .env: Replace the GF_SECURITY_ADMIN_PASSWORD placeholder with a password in plain text. This will be used to log in to Grafana.
  10. Create an incoming webhook for your Slack workspace using this guide and paste the generated URL into the api_url field in ./alertmanager/config.yml. If you don't want to use Slack as a receiver for monitoring alerts, here are some alternative examples.
  11. Run docker-compose up -d
  12. Profit!
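A preflight check for the steps above, added here as an example and not part of the TraPrAlGra repository: it verifies the results of steps 3, 8 and 9 before you run docker-compose up -d. It assumes it is run from the cloned repository root and that unfilled placeholders in .env are written as <...> (an assumption about the template, not something the guide states).

```shell
#!/bin/sh
# Added preflight check (example, not part of the TraPrAlGra repo).
# Verifies the security-relevant results of steps 3, 8 and 9 of the guide.

# Returns 0 when the file exists and its mode is exactly 600 (step 3).
check_acme_perms() {
  f="${1:-acme.json}"
  [ -f "$f" ] || return 1
  [ -n "$(find "$f" -perm 600 -print 2>/dev/null)" ]
}

# Returns 0 when every .env key from the guide has a value and none of them
# still looks like a <placeholder>. The <...> form is an assumption.
check_env_filled() {
  f="${1:-.env}"
  [ -f "$f" ] || return 1
  for key in TRAEFIK_DASHBOARD_USER TRAEFIK_DASHBOARD_PASSWORD \
             TRAEFIK_DOMAIN GF_SECURITY_ADMIN_PASSWORD; do
    val=$(grep "^${key}=" "$f" | head -n 1 | cut -d= -f2-)
    [ -n "$val" ] || return 1
    case "$val" in *'<'*'>'*) return 1 ;; esac
  done
  return 0
}

# Returns 0 when TRAEFIK_LE_RESOLVER names one of the two resolvers of step 8.
check_resolver() {
  f="${1:-.env}"
  val=$(grep '^TRAEFIK_LE_RESOLVER=' "$f" | head -n 1 | cut -d= -f2-)
  case "$val" in staging|leresolver) return 0 ;; *) return 1 ;; esac
}

# Runs all checks against a repository directory (default: current directory).
preflight() {
  dir="${1:-.}"
  check_acme_perms "$dir/acme.json" || { echo "acme.json must exist with mode 600"; return 1; }
  check_env_filled "$dir/.env"      || { echo ".env still contains unfilled placeholders"; return 1; }
  check_resolver "$dir/.env"        || { echo "TRAEFIK_LE_RESOLVER must be staging or leresolver"; return 1; }
  echo "preflight OK"
}
```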

Running a service inside TraPrAlGra

If you want to run any dockerized service inside of TraPrAlGra, all you need to do is set up a few labels in the docker-compose.yml of that service. For example, running an NGINX container that serves static HTML might look like this:

version: '3.3'

services:
  my-container:
    image: my-container:latest
    restart: unless-stopped
    container_name: my-container
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)"
      - "traefik.http.routers.my-container.tls.certresolver=leresolver"
      - "traefik.http.routers.my-container.entrypoints=websecure"
      - "traefik.http.routers.my-container.middlewares=secure-compress@file"
      - "traefik.http.services.my-container.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"

networks:
  proxy:
    external: true

Let's break it down:

  • The networks block at the end lets the container join the external proxy network
  • "traefik.enable=true": explicitly tells Traefik to route this container
  • "traefik.http.routers.my-container.rule=Host(`sub.domain.tld`)": sets the host under which this container is reachable on the internet
  • "traefik.http.routers.my-container.tls.certresolver=leresolver": defines the Let's Encrypt resolver for this container's SSL certificates (either staging or leresolver)
  • "traefik.http.routers.my-container.entrypoints=websecure": sets the entrypoint used by the container. Always set this to websecure, since it is the https entrypoint and all http traffic gets redirected to https anyway
  • "traefik.http.routers.my-container.middlewares=secure-compress@file": sets some basic http headers and compresses the response. You can use this line whenever you want this behaviour (also check the headers in the config.yml file)
  • "traefik.http.services.my-container.loadbalancer.server.port=80": sets the port on which this container listens. Replace the 80 in this example with your container's port number.
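A label audit for the service definition above, added here as an example (it is not part of TraPrAlGra): it reads a docker-compose.yml and reports the settings that would leave a service published without https, with an unknown certificate resolver, off the proxy network, or without no-new-privileges. It is line-oriented, so it assumes one label per line in the - "key=value" form shown above and one proxied service per compose file.

```shell
#!/bin/sh
# Added label audit (example, not part of the TraPrAlGra repo).
# Assumes one "- \"key=value\"" label per line and one proxied service per file.

# Prints the value of a label with the exact key $2 in compose file $1;
# prints nothing when the label is absent.
label_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/^[[:space:]]*-[[:space:]]*\"$esc=\(.*\)\"[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Audits the Traefik labels of service $2 in compose file $1.
# Returns 0 when every check passes, 1 otherwise, listing each finding.
check_service_labels() {
  file="$1"; svc="$2"; rc=0
  [ "$(label_value "$file" traefik.enable)" = "true" ] \
    || { echo "$svc: traefik.enable is not true"; rc=1; }
  ep=$(label_value "$file" "traefik.http.routers.$svc.entrypoints")
  [ "$ep" = "websecure" ] \
    || { echo "$svc: entrypoints is '$ep', expected websecure (https)"; rc=1; }
  resolver=$(label_value "$file" "traefik.http.routers.$svc.tls.certresolver")
  case "$resolver" in
    staging|leresolver) ;;
    *) echo "$svc: tls.certresolver is '$resolver', expected staging or leresolver"; rc=1 ;;
  esac
  [ "$(label_value "$file" traefik.docker.network)" = "proxy" ] \
    || { echo "$svc: traefik.docker.network is not proxy"; rc=1; }
  port=$(label_value "$file" "traefik.http.services.$svc.loadbalancer.server.port")
  case "$port" in
    ''|*[!0-9]*) echo "$svc: loadbalancer.server.port missing or not numeric"; rc=1 ;;
  esac
  grep -q 'no-new-privileges:true' "$file" \
    || { echo "$svc: security_opt no-new-privileges:true is missing"; rc=1; }
  return $rc
}
```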

Future features

In the future TraPrAlGra should also support multiple domains using wildcard certificates, since Traefik supports those, but I still have to work out how to configure it. Further reading here.

Special thanks

License

MIT
