ajout des dockers traefik et grafana

dockers/grafana/.env

@@ -0,0 +1 @@
+../../config/dockers.env

dockers/grafana/docker-compose.yml

@@ -0,0 +1,67 @@
+version: '3'
+
+services:
+
+  prometheus:
+    image: prom/prometheus:v2.15.2
+    restart: unless-stopped
+    container_name: ${prometheusServName}
+    volumes:
+      - ./prometheus/:/etc/prometheus/
+      - prometheus:/prometheus
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    command:
+      - "--web.route-prefix=/"
+      - "--web.external-url=https://${site}.${domain}/prometheus"
+      - "--config.file=/etc/prometheus/prometheus.yml"
+      - "--storage.tsdb.path=/prometheus"
+      - "--web.console.libraries=/usr/share/prometheus/console_libraries"
+      - "--web.console.templates=/usr/share/prometheus/consoles"
+    networks:
+      - traefikNet
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.prometheus-secure.entrypoints=websecure"
+      - "traefik.http.middlewares.prometheus-stripprefix.stripprefix.prefixes=/prometheus"
+      - "traefik.http.routers.prometheus-secure.rule=Host(`${site}.${domain}`) && PathPrefix(`/prometheus`)"
+      # - "traefik.http.routers.prometheus-secure.tls=true"
+      - "traefik.http.routers.prometheus-secure.middlewares=prometheus-stripprefix,test-adminipwhitelist@file,traefik-auth"
+      - "traefik.http.routers.prometheus-secure.service=prometheus"
+      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
+      - "traefik.docker.network=traefikNet"
+
+  grafana:
+    image: grafana/grafana:6.6.1
+    restart: unless-stopped
+    container_name: ${grafanaServName}
+    volumes:
+      - grafana:/var/lib/grafana
+      - ./grafana/provisioning:/etc/grafana/provisioning
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    env_file:
+      - grafana.env
+    depends_on:
+      - prometheus
+    networks:
+      - traefikNet
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.grafana-secure.entrypoints=websecure"
+      - "traefik.http.middlewares.grafana-stripprefix.stripprefix.prefixes=/grafana"
+      - "traefik.http.routers.grafana-secure.rule=Host(`${site}.${domain}`) && PathPrefix(`/grafana`)"
+      # - "traefik.http.routers.grafana-secure.tls=true"
+      - "traefik.http.routers.grafana-secure.service=grafana"
+      - "traefik.http.routers.grafana-secure.middlewares=grafana-stripprefix,test-adminipwhitelist@file,traefik-auth"
+      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
+      - "traefik.docker.network=traefikNet"
+
+networks:
+  traefikNet:
+    external: true
+    name: traefikNet
+
+volumes:
+  prometheus:
+  grafana:

dockers/grafana/grafana.env

@@ -0,0 +1,6 @@
+GF_AUTH_ANONYMOUS_ENABLED=true
+GF_AUTH_BASIC_ENABLED=false
+GF_AUTH_PROXY_ENABLED=false
+GF_USERS_ALLOW_SIGN_UP=false
+GF_INSTALL_PLUGINS=grafana-piechart-panel
+GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s:%(http_port)s/grafana

dockers/grafana/grafana/provisioning/dashboards/dashboard.yml

@@ -0,0 +1,21 @@
+apiVersion: 1
+
+providers:
+  # <string> provider name
+- name: 'default'
+  # <int> org id. will default to orgId 1 if not specified
+  orgId: 1
+  # <string, required> name of the dashboard folder. Required
+  folder: ''
+  # <string> folder UID. will be automatically generated if not specified
+  folderUid: ''
+  # <string, required> provider type. Required
+  type: file
+  # <bool> disable dashboard deletion
+  disableDeletion: false
+  # <bool> enable dashboard editing
+  editable: true
+  # <int> how often Grafana will scan for changed dashboards
+  updateIntervalSeconds: 10
+  options:
+    path: /etc/grafana/provisioning/dashboards

dockers/grafana/grafana/provisioning/datasources/datasource.yml

@@ -0,0 +1,50 @@
+# config file version
+apiVersion: 1
+
+# list of datasources that should be deleted from the database
+deleteDatasources:
+  - name: Prometheus
+    orgId: 1
+
+# list of datasources to insert/update depending
+# whats available in the database
+datasources:
+  # <string, required> name of the datasource. Required
+- name: Prometheus
+  # <string, required> datasource type. Required
+  type: prometheus
+  # <string, required> access mode. direct or proxy. Required
+  access: proxy
+  # <int> org id. will default to orgId 1 if not specified
+  orgId: 1
+  # <string> url
+  url: http://prometheus:9090
+  # <string> database password, if used
+  password:
+  # <string> database user, if used
+  user:
+  # <string> database name, if used
+  database:
+  # <bool> enable/disable basic auth
+  basicAuth: false
+  # <string> basic auth username
+  basicAuthUser:
+  # <string> basic auth password
+  basicAuthPassword:
+  # <bool> enable/disable with credentials headers
+  withCredentials:
+  # <bool> mark as default datasource. Max one per org
+  isDefault: true
+  # <map> fields that will be converted to json and stored in json_data
+  jsonData:
+     graphiteVersion: "1.1"
+     tlsAuth: false
+     tlsAuthWithCACert: false
+  # <string> json object of data that will be encrypted.
+  secureJsonData:
+    tlsCACert: "..."
+    tlsClientCert: "..."
+    tlsClientKey: "..."
+  version: 1
+  # <bool> allow users to edit datasources from the UI.
+  editable: true

dockers/grafana/prometheus/alert.rules

@@ -0,0 +1,11 @@
+groups:
+- name: traefik
+  rules:
+  - alert: service_down
+    expr: up == 0
+    for: 2m
+    labels:
+      severity: page
+    annotations:
+      summary: "Instance {{ $labels.instance }} down"
+      description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 2 minutes"

dockers/grafana/prometheus/prometheus.yml

@@ -0,0 +1,12 @@
+global:
+  scrape_interval:     15s
+  evaluation_interval: 15s
+
+rule_files:
+  - 'alert.rules'
+
+scrape_configs:
+  - job_name: 'traefik'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['dashboard.kaz.sns:8289','dashboard2.kaz.sns:8289']

dockers/traefik/.env

@@ -0,0 +1 @@
+../../config/dockers.env

dockers/traefik/conf/dynamic/certificates.yml.tmpl

@@ -0,0 +1,20 @@
+#tls:
+#  certificates:
+#    - certFile: __SSL_CERT__
+#      keyFile: __SSL_KEY__
+#
+#  stores:
+#    default:
+#      defaultCertificate:
+#        certFile: __SSL_CERT__
+#        keyFile: __SSL_KEY__
+#  options:
+#    default:
+#      minVersion: VersionTLS12
+#      cipherSuites:
+#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+#        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+#        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

dockers/traefik/conf/dynamic/conf.yml

@@ -0,0 +1,11 @@
+# http:
+#   middlewares:
+#     redirect-to-https:
+#       redirectscheme:
+#         scheme: https
+#         permanent: true
+#   routers:
+#     http-catchall:
+#       rule: "HostRegexp(`{host:.+}`)"
+#       middlewares: redirect-to-https
+#       service: noop@internal

dockers/traefik/conf/traefik.yml.old

@@ -0,0 +1,54 @@
+providers:
+  file:
+     directory: "/etc/traefik/dynamic"
+     watch: true
+  docker: {}
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+  # Ajout d'un point d'entrée sur le port 8289
+  metrics:
+    address: ":8289"
+
+#serversTransport:
+#  rootCAs:
+#    - /etc/letsencrypt/local/rootCA.pem
+
+
+api:
+  dashboard: true
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  format: json
+
+certificatesresolvers:
+  letsencrypt:
+    acme:
+    #  email: sysadmins@kaz.bzh
+      storage: /letsencrypt/acme.json
+    #  caServer: "https://acme-staging.api.letsencrypt.org/directory"
+      httpChallenge:
+        entryPoint: web
+
+# Ajout de la partie métrique qui concerne Prometheus
+metrics:
+  prometheus:
+    # Nom du point d'entrée défini au dessus
+    entryPoint: metrics
+    # On configure la latence des métriques
+    buckets:
+      - 0.1
+      - 0.3
+      - 1.2
+      - 5.0
+    # Ajout des métriques sur les points d'entrée
+    addEntryPointsLabels: true
+    # Ajout des services
+    addServicesLabels: true

dockers/traefik/docker-compose.tmpl.yml.dist

@@ -0,0 +1,188 @@
+version: '3'
+
+services:
+  reverse-proxy:
+    # The official v2 Traefik docker image
+    image: traefik:v2.10
+    container_name: ${traefikServName}
+    # Enables the web UI and tells Traefik to listen to docker
+    ports:
+      # The HTTP port
+      - ${MAIN_IP}:80:80
+      - ${MAIN_IP}:443:443
+      # The Web UI (enabled by --api.insecure=true)
+      # - ${MAIN_IP}:8289:8289
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./conf:/etc/traefik/
+      - letsencrypt:/letsencrypt
+    environment:
+      - TRAEFIK_PROVIDERS_DOCKER=true
+      - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=false
+      - TRAEFIK_API=true
+      - TRAEFIK_PROVIDERS_FILE_DIRECTORY=/etc/traefik/dynamic
+      - TRAEFIK_ENTRYPOINTS_web_ADDRESS=:80
+      - TRAEFIK_ENTRYPOINTS_web_HTTP_REDIRECTIONS_ENTRYPOINT_TO=websecure
+      - TRAEFIK_ENTRYPOINTS_websecure_ADDRESS=:443
+      - TRAEFIK_ENTRYPOINTS_websecure_HTTP_TLS_CERTRESOLVER=letsencrypt
+      #- TRAEFIK_ENTRYPOINTS_metrics_ADDRESS=:8289
+      #- TRAEFIK_METRICS_PROMETHEUS_ENTRYPOINT=metrics
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_EMAIL=postmaster@${domain}
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_CASERVER=${acme_server}
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_STORAGE=/letsencrypt/acme.json
+      - TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_TLSCHALLENGE=true
+      - TRAEFIK_LOG_LEVEL=INFO
+      #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE=true
+      #- TRAEFIK_CERTIFICATESRESOLVERS_letsencrypt_ACME_HTTPCHALLENGE_ENTRYPOINT=web
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik_https.rule=Host(`${site}.${domain}`)"
+      - "traefik.http.routers.traefik_https.entrypoints=websecure"
+      # - "traefik.http.routers.traefik_https.tls=true"
+      - "traefik.http.routers.traefik_https.service=api@internal"
+      - "traefik.http.routers.traefik_https.middlewares=test-adminipwhitelist@file,traefik-auth"
+      # - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
+      - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/etc/traefik/passfile"
+    networks:
+      - traefikNet
+{{web
+      - webNet
+}}
+{{jirafeau
+      - jirafeauNet
+}}
+{{ethercalc
+      - ethercalcNet
+}}
+{{etherpad
+      - etherpadNet
+}}
+{{framadate
+      - framadateNet
+}}
+{{ldap
+      - ldapNet
+}}
+{{mobilizon
+      - mobilizonNet
+}}
+{{cloud
+      - cloudNet
+}}
+{{collabora
+      - collaboraNet
+}}
+{{garradin
+      - garradinNet
+}}
+{{mattermost
+      - mattermostNet
+}}
+{{roundcube
+      - roundcubeNet
+}}
+{{gitea
+      - giteaNet
+}}
+{{dokuwiki
+      - dokuwikiNet
+}}
+{{postfix
+      - postfixNet
+}}
+{{vaultwarden
+      - vaultwardenNet
+}}
+#### BEGIN ORGA USE_NET
+#### END ORGA USE_NET
+
+networks:
+  traefikNet:
+    external: true
+    name: traefikNet
+{{web
+  webNet:
+    external: true
+    name: webNet
+}}
+{{jirafeau
+  jirafeauNet:
+    external: true
+    name: jirafeauNet
+}}
+{{ethercalc
+  ethercalcNet:
+    external: true
+    name: ethercalcNet
+}}
+{{etherpad
+  etherpadNet:
+    external: true
+    name: etherpadNet
+}}
+{{framadate
+  framadateNet:
+    external: true
+    name: framadateNet
+}}
+{{ldap
+  ldapNet:
+    external: true
+    name: ldapNet
+}}
+{{mobilizon
+  mobilizonNet:
+    external: true
+    name: mobilizonNet
+}}
+{{cloud
+  cloudNet:
+    external: true
+    name: cloudNet
+}}
+{{collabora
+  collaboraNet:
+    external: true
+    name: collaboraNet
+}}
+{{garradin
+  garradinNet:
+    external: true
+    name: garradinNet
+}}
+{{mattermost
+  mattermostNet:
+    external: true
+    name: mattermostNet
+}}
+{{roundcube
+  roundcubeNet:
+    external: true
+    name: roundcubeNet
+}}
+{{gitea
+  giteaNet:
+    external: true
+    name: giteaNet
+}}
+{{dokuwiki
+  dokuwikiNet:
+    external: true
+    name: dokuwikiNet
+}}
+{{postfix
+  postfixNet:
+    external: true
+    name: postfixNet
+}}
+{{vaultwarden
+  vaultwardenNet:
+    external: true
+    name: vaultwardenNet
+}}
+#### BEGIN ORGA DEF_NET
+#### END ORGA DEF_NET
+
+volumes:
+  letsencrypt:

dockers/traefik/proxy-gen.sh

@@ -0,0 +1,165 @@
+#!/bin/bash
+
+KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+setKazVars
+. "${DOCKERS_ENV}"
+. "${KAZ_ROOT}/secret/SetAllPass.sh"
+
+printKazMsg "\n  *** Proxy update config"
+
+#NGINX_TMPL=config/nginx.tmpl.conf
+#NGINX_CONF=config/nginx.conf
+DOCKER_DIST=docker-compose.tmpl.yml.dist
+DOCKER_TMPL=docker-compose.tmpl.yml
+DOCKER_CONF=docker-compose.yml
+PASSFILE=conf/passfile
+
+ALLOW_ADMIN_IP_FILE="/kaz/secret/allow_admin_ip"
+ALLOW_IP_FILE="/kaz/config/proxy/allow_ip"
+
+# TODO
+# for service in agora cloud garradin wiki wp; do
+#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_map"
+#     touch "${KAZ_CONF_PROXY_DIR}/${service}_kaz_name"
+# done
+
+cd $(dirname $0)
+# update ip allowed
+TRAEFIK_ALLOW_IP_FILE=conf/dynamic/allow_ip.yml
+if [ ! -f "${TRAEFIK_ALLOW_IP_FILE}" ]; then
+    cat > "${TRAEFIK_ALLOW_IP_FILE}"  <<EOF
+http:
+  middlewares:
+    test-ipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          # Remove ALLOWEDIP / FINALLOWEDIP flags to prevent proxy-gen to modify this
+          #ALLOWEDIP
+          - "0.0.0.0/0"
+          #FINALLOWEDIP
+    test-adminipwhitelist:
+      ipWhiteList:
+        sourceRange:
+          # Remove ADMINIP / FINADMINIP flags to prevent proxy-gen to modify this
+          #ADMINIP
+          - "0.0.0.0/0"	      
+          #FINADMINIP
+EOF
+fi
+
+# berk berk ... pour éviter d'avoir à maintenir le fichier traefik, on extrait les ip depuis les fichiers allow_admin_ip et allow_ip de nginx
+if [[ -f ${ALLOW_ADMIN_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE}) ]]; then
+    sed -i 's/#ADMINIP/#ADMINIP\n          #FINADMINIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
+    sed -i '/#DELETE/,/#FINADMINIP/d' ${TRAEFIK_ALLOW_IP_FILE}
+    grep -e '^\s*allow' ${ALLOW_ADMIN_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/[^.0-9/]//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ADMINIP/#ADMINIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
+fi
+if [[ -f ${ALLOW_IP_FILE} && -n $(grep -e '^\s*allow' ${ALLOW_IP_FILE}) ]]; then
+    sed -i 's/#ALLOWEDIP/#ALLOWEDIP\n          #FINALLOWEDIP\n#DELETE/' ${TRAEFIK_ALLOW_IP_FILE}
+    sed -i '/#DELETE/,/#FINALLOWEDIP/d' ${TRAEFIK_ALLOW_IP_FILE}
+    grep -e '^\s*allow' ${ALLOW_IP_FILE} | awk '{print $2}' | sed 's/all/0.0.0.0\\\\\/0/;s/[^.0-9/]//g;s/\//\\\\\//g' | xargs -I '{}' sed -i "s/#ALLOWEDIP/#ALLOWEDIP\n          - \"{}\"/"  ${TRAEFIK_ALLOW_IP_FILE}
+fi
+
+
+CERTFILE_TMPL=conf/dynamic/certificates.yml.tmpl
+CERTFILE=conf/dynamic/certificates.yml
+if [ ! -f "${CERTFILE}" ]; then
+    cp "${CERTFILE_TMPL}" "${CERTFILE}"
+    case "${domain}" in
+     kaz.bzh)
+         SSL_CERT="/etc/ssl/certs/wildcard_${domain//./_}.chain.pem"
+         SSL_KEY="/etc/ssl/private/wildcard_${domain//./_}.key.pem"
+         ;;
+     kaz.local)
+         SSL_CERT="/etc/letsencrypt/local/_wildcard.${domain}.pem"
+         SSL_KEY="/etc/letsencrypt/local/_wildcard.${domain}-key.pem"
+         ;;
+     *)
+         SSL_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
+         SSL_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
+         ;;
+     esac
+
+    sed -i "s|__SSL_CERT__|${SSL_CERT}|g" ${CERTFILE}
+    sed -i "s|__SSL_KEY__|${SSL_KEY}|g" ${CERTFILE}
+fi
+
+#     cat > "${PROXY_PORT_CFG}"  <<EOF
+# listen 443 ssl http2;
+
+# ssl_certificate ${SSL_CERT};
+# ssl_certificate_key ${SSL_KEY};
+
+# ssl_session_timeout 1d;
+# ssl_protocols TLSv1.2 TLSv1.3;
+# ssl_early_data on;
+# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# ssl_prefer_server_ciphers on;
+# ssl_session_cache shared:SSL:50m;
+# ssl_stapling on;
+# ssl_stapling_verify on;
+# EOF
+#fi
+
+# update redirect
+# PROXY_REDIRECT="${KAZ_CONF_PROXY_DIR}/redirect"
+# if [ ! -f "${PROXY_REDIRECT}" ]; then
+#     cat > "${PROXY_REDIRECT}"  <<EOF
+# server {
+#   listen 80;
+#   return 301 https://\$host\$request_uri;
+# }
+
+# # file
+# server {
+#   listen 80;
+#   server_name file.${domain};
+#   return 301 https://depot.${domain}\$request_uri;
+# }
+
+# # cacl
+# server {
+#   listen 80;
+#   server_name calc.${domain};
+#   return 301 https://tableur.${domain}\$request_uri;
+# }
+
+# # date
+# server {
+#   listen 80;
+#   server_name date.${domain};
+#   return 301 https://sondage.${domain}\$request_uri;
+# }
+
+# # cloud
+# server {
+#   listen 80;
+#   server_name bureau.${domain};
+#   return 301 https://cloud.${domain}\$request_uri;
+# }
+
+# # mattermost
+# server {
+#   listen 80;
+#   server_name mattermost.${domain};
+#   return 301 https://agora.${domain}\$request_uri;
+# }
+
+# # dokuwiki
+# server {
+#   listen 80;
+#   server_name dokuwiki.${domain};
+#   return 301 https://wiki.${domain}\$request_uri;
+# }
+# EOF
+# fi
+
+cd $(dirname $0)
+
+
+[[ -f "${PASSFILE}" ]] || printf "${traefik_DASHBOARD_USER}:$( echo ${traefik_DASHBOARD_PASSWORD} | openssl passwd -apr1 -stdin)\n" >> ${PASSFILE}
+[[ -f "${DOCKER_TMPL}" ]] || cp "${DOCKER_DIST}" "${DOCKER_TMPL}"
+"${APPLY_TMPL}" -time "${DOCKER_TMPL}" "${DOCKER_CONF}"
+# "${APPLY_TMPL}" -time "${NGINX_TMPL}" "${NGINX_CONF}"
+
+#("${KAZ_COMP_DIR}/web/web-gen.sh" ) &

dockers/traefik/reload.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Do nothing 
+# Théoriquement traefik gère tout seul sauf les changements dans le traefik.yml