modified: .gitignore

modified: apps/gramps/docker-compose.yml modified: apps/nextcloud/docker-compose.yml modified: apps/passbolt/docker-compose.yml modified: core/docker-compose.yml modified: monitoring/gotify/docker-compose.yml modified: monitoring/prometheus/docker-compose.yml modified: monitoring/prometheus/prometheus.yml .env.example DEPLOYMENT.md SECURITY_SECRETS_INVENTORY.md secrets/
2026-04-07 19:38:51 +10:00
parent 8d0ecf0adf
commit 3b1e0efa19
8 changed files with 121 additions and 90 deletions
@@ -4,10 +4,10 @@ services:
    image: gotify/server:latest
    container_name: gotify
    restart: always
-
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/gotify/data:/app/data
-
    environment:
      - TZ=${TZ}
      - GOTIFY_DEFAULTUSER_NAME=${GOTIFY_DEFAULTUSER_NAME}
@@ -15,9 +15,7 @@ services:
      - GOTIFY_REGISTRATION=${GOTIFY_REGISTRATION}

    networks:
-#      - traefik_reverse_proxy
      - traefik
-
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=core_traefik"
@@ -26,7 +24,3 @@ services:
      - "traefik.http.routers.gotify.entrypoints=websecure"
      - "traefik.http.routers.gotify.tls.certresolver=myresolver"
      - "traefik.http.services.gotify.loadbalancer.server.port=80"
-
-#networks:
-#  traefik_reverse_proxy:
-#    external: true
@@ -4,6 +4,8 @@ services:
  prometheus:
    profiles: ["monitoring","all","prometheus"]
    image: prom/prometheus:latest
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    container_name: prometheus
    depends_on:
 #      - alertmanager
@@ -22,6 +24,7 @@ services:
      - ${PROJECT_ROOT}/monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ${PROJECT_ROOT}/monitoring/prometheus/data:/prometheus
      - ${PROJECT_ROOT}/monitoring/prometheus/rules:/etc/prometheus/rules:ro
+      - ${PROJECT_ROOT}/secrets/prometheus_kuma_basic_auth_password.txt:/run/secrets/prometheus_kuma_basic_auth_password:ro

    restart: unless-stopped
    labels:
@@ -53,7 +56,7 @@ services:
 #    volumes:
 #      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
 #    restart: unless-stopped
-#    networks:
+#    secrets:
 #      - edge
 #      - traefik_reverse_proxy
 #    healthcheck:
@@ -101,14 +104,18 @@ services:
    image: influxdb:2.7
    container_name: influxdb
    restart: unless-stopped
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
    environment:
-      DOCKER_INFLUXDB_INIT_MODE: ${INFLUXDB_INIT_MODE}
+      DOCKER_INFLUXDB_INIT_MODE: setup
      DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
-      DOCKER_INFLUXDB_INIT_PASSWORD: ${INFLUXDB_INIT_PASSWORD}
+      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
      DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
      DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
+    secrets:
+      - influxdb_init_password
    networks:
 #      - edge
 #      - traefik_reverse_proxy
@@ -205,10 +212,12 @@ services:
    profiles: ["monitoring","all","prometheus-exporters"]
    image: ekofr/pihole-exporter:latest
    container_name: pihole-exporter
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    environment:
      PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME}
-      PIHOLE_PASSWORD: "${PIHOLE_PASSWORD}"
-      PORT: ${PIHOLE_EXPORTER_PORT}
+      PIHOLE_PASSWORD: ${PIHOLE_PASSWORD}
+      PORT: 9617
    ports:
      - "9617:9617"
    restart: unless-stopped
@@ -228,3 +237,8 @@ services:
 #    external: true


+
+
+secrets:
+  influxdb_init_password:
+    file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt
@@ -96,8 +96,8 @@ scrape_configs:
    scrape_interval: 30s

    basic_auth:
-      username: wayne.bennett@live.com
-      password: '4vjCco?[%{=+,t`):C'
+      username: ${PROMETHEUS_KUMA_BASIC_AUTH_USERNAME}
+      password_file: /run/secrets/prometheus_kuma_basic_auth_password

    static_configs:
      - targets: