====== Traefik ======
==== Traefik стек (docker-compose.yml) ====
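version: "3.9"

services:
  traefik:
    # NOTE(review): `latest` is unpinned — a pull may bring a different Traefik
    # release with changed CLI flag names; pin a tag (ideally a digest) for
    # reproducible deploys.
    image: traefik:latest
    container_name: traefik
    command:
      # --- Dashboard ---
      - "--api.dashboard=true"  # enable the dashboard
      # With insecure=false Traefik opens no separate API entrypoint; the
      # dashboard is only reachable through a router that targets
      # `api@internal`, which this stack does not define (yet).
      - "--api.insecure=false"  # no unauthenticated API/dashboard access
      # For testing only — serves the API/dashboard on :8080 without any auth:
      # - "--api.insecure=true"
      # --- Docker provider ---
      - "--providers.docker=true"
      # Only containers that opt in with `traefik.enable=true` get routers.
      - "--providers.docker.exposedbydefault=false"
      # --- EntryPoints ---
      - "--entrypoints.web.address=:80"  # HTTP
      - "--entrypoints.websecure.address=:443"  # HTTPS
      # HTTP -> HTTPS redirect. This is global for the `web` entrypoint, so a
      # router bound only to `web` never serves content: the request is
      # redirected to websecure first, where it needs its own router.
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      # --- ACME / Let's Encrypt ---
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.lets-encrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.lets-encrypt.acme.email=admin@osvex.com"
      # acme.json holds the ACME account key and the issued private keys;
      # Traefik refuses to use it unless its file mode is 0600.
      - "--certificatesresolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"  # HTTP
      - "443:443"  # HTTPS
      # Dashboard port bound to loopback only: it is served solely when
      # api.insecure=true is enabled above, and in that mode it has no
      # authentication, so it must never listen on a public interface.
      - "127.0.0.1:8080:8080"
    volumes:
      # `:ro` only makes the socket file node read-only; the Docker API behind
      # it still accepts every call, so this grants the Traefik container
      # root-equivalent control of the host. A socket proxy restricted to the
      # read-only endpoints is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    restart: unless-stopped
    networks:
      - shared_traefik

networks:
  shared_traefik:
    external: true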
💡 Пояснення:
* **HTTP-only**: якщо хочеш тестити без TLS, можна закоментувати websecure entrypoint і редиректи.
* **HTTPS / Let’s Encrypt**: вмикається через websecure entrypoint і certresolver=lets-encrypt.
* Dashboard можна захистити через Basic Auth.
----
==== Monitoring стек (docker-compose.yml) ====
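version: "3.9"

# NOTE(review): every image below uses the `latest` tag; pin tags so that a
# redeploy does not silently change Prometheus/Grafana/Loki versions.
services:
  prometheus:
    image: prom/prometheus:latest
    container_name: prometheus
    volumes:
      # prometheus.yml and the alerts/ directory are both under ./prometheus,
      # so a separate bind for ./prometheus/alerts is not needed.
      - ./prometheus:/etc/prometheus
      - prom_data:/prometheus
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"
      - "--storage.tsdb.path=/prometheus"
      - "--storage.tsdb.retention.time=30d"
    restart: unless-stopped
    ports:
      # Prometheus has no built-in authentication; keep the host port on
      # loopback (Grafana reaches it over the `monitoring` network).
      - "127.0.0.1:9090:9090"
    networks:
      - shared_traefik
      - monitoring

  alertmanager:
    image: prom/alertmanager:latest
    container_name: alertmanager
    volumes:
      - ./alertmanager:/etc/alertmanager
      - alertmanager_data:/alertmanager
    command:
      - "--config.file=/etc/alertmanager/alertmanager.yml"
      - "--storage.path=/alertmanager"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.alertmanager.rule=Host(`alertmanager.osvex.com`)"
      # --- HTTP-only ---
      # Only serves while the Traefik stack's web -> websecure redirect is
      # disabled; with the redirect active, requests land on websecure where
      # no alertmanager router exists. No auth in front of Alertmanager here.
      - "traefik.http.routers.alertmanager.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.alertmanager.entrypoints=websecure"
      # - "traefik.http.routers.alertmanager.tls.certresolver=lets-encrypt"
      - "traefik.http.services.alertmanager.loadbalancer.server.port=9093"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      # The admin password is taken from the shell / .env; compose aborts if it
      # is unset instead of falling back to a well-known default password.
      - GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD:?set GF_SECURITY_ADMIN_PASSWORD in .env}
    volumes:
      - grafana_data:/var/lib/grafana
    # Same restart policy as the other services in this stack.
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.osvex.com`)"
      # --- HTTP-only ---
      # See the alertmanager router: only reachable while the HTTP -> HTTPS
      # redirect in the Traefik stack is disabled.
      - "traefik.http.routers.grafana.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.grafana.entrypoints=websecure"
      # - "traefik.http.routers.grafana.tls.certresolver=lets-encrypt"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
      - "traefik.http.services.grafana.loadbalancer.server.scheme=http"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  karma:
    image: ghcr.io/prymitive/karma:latest
    container_name: karma
    command: ["--config.file=/etc/karma/config.yml"]
    volumes:
      - ./karma:/etc/karma
      - karma_data:/karma_data
    # Same restart policy as the other services in this stack.
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.karma.rule=Host(`karma.osvex.com`)"
      # --- HTTP-only ---
      # Basic Auth over the plain `web` entrypoint sends the credentials in
      # cleartext on every request; use this router only with websecure.
      - "traefik.http.routers.karma.entrypoints=web"
      # --- HTTPS ---
      # - "traefik.http.routers.karma.entrypoints=websecure"
      # - "traefik.http.routers.karma.tls.certresolver=lets-encrypt"
      - "traefik.http.services.karma.loadbalancer.server.port=8080"
      - "traefik.http.services.karma.loadbalancer.server.scheme=http"
      # htpasswd entry; `$$` is the compose escape for a literal `$`, so the
      # hash reaches Traefik intact. Rotate the hash if this file is shared.
      - "traefik.http.middlewares.karma-auth.basicauth.users=osvex:$$apr1$$fpZgIrG8$$BIT6g9qiTm1RM09s5BZVh/"
      - "traefik.http.routers.karma.middlewares=karma-auth"
      - "traefik.docker.network=shared_traefik"
    networks:
      - shared_traefik
      - monitoring

  loki:
    image: grafana/loki:latest
    container_name: loki
    command: ["-config.file=/etc/loki/config.yml"]
    volumes:
      - ./loki:/etc/loki
      - loki_data:/loki
    restart: unless-stopped
    ports:
      # Loki's push/query API is unauthenticated by default; keep the host
      # port on loopback (Grafana and Promtail use the `monitoring` network).
      - "127.0.0.1:3100:3100"
    networks:
      - shared_traefik
      - monitoring

  promtail:
    image: grafana/promtail:latest
    container_name: promtail
    command: ["-config.file=/etc/promtail/config.yml"]
    volumes:
      - ./promtail:/etc/promtail
      - /var/log:/var/log:ro
      # Named volume instead of a read-write bind of the host's /tmp; the
      # container presumably only needs it for its positions file — verify the
      # `positions.filename` path in ./promtail/config.yml.
      - promtail_data:/tmp
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

  blackbox_exporter:
    image: prom/blackbox-exporter:latest
    container_name: blackbox_exporter
    volumes:
      - ./blackbox/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
    command: ["--config.file=/etc/blackbox_exporter/config.yml"]
    restart: unless-stopped
    networks:
      - shared_traefik
      - monitoring

volumes:
  prom_data:
  grafana_data:
  loki_data:
  karma_data:
  alertmanager_data:
  promtail_data:

networks:
  shared_traefik:
    external: true
  monitoring:
    driver: bridge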
==== 🔹 Пояснення ====
- **HTTP-only**: для тесту — швидкий доступ без сертифікатів; використовується entrypoint web.
- **HTTPS / Let’s Encrypt**: розкоментувати websecure + tls.certresolver=lets-encrypt і переконатися, що Traefik має доступ до acme.json.
- **Basic Auth**: можна підключити окремо для Dashboard або для сервісів (як у Karma).
- **traefik.docker.network=shared_traefik** — важливий для сервісів із декількома мережами, щоб Traefik знав, по якій мережі проксувати.