Harden compose secrets and add required provisioning docs

monitoring/gotify/docker-compose.yml

@@ -4,20 +4,17 @@ services:
     image: gotify/server:latest
     container_name: gotify
     restart: always
-
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     volumes:
       - ${PROJECT_ROOT}/monitoring/gotify/data:/app/data
-
     environment:
       - TZ=${TZ}
-      - GOTIFY_DEFAULTUSER_NAME=admin
-      - GOTIFY_DEFAULTUSER_PASS=R1m@dmin
+      - GOTIFY_DEFAULTUSER_NAME=${GOTIFY_DEFAULTUSER_NAME}
+      - GOTIFY_DEFAULTUSER_PASS=${GOTIFY_DEFAULTUSER_PASS}
       - GOTIFY_REGISTRATION=false
-
     networks:
-#      - traefik_reverse_proxy
       - traefik
-
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=core_traefik"
@@ -26,7 +23,3 @@ services:
       - "traefik.http.routers.gotify.entrypoints=websecure"
       - "traefik.http.routers.gotify.tls.certresolver=myresolver"
       - "traefik.http.services.gotify.loadbalancer.server.port=80"
-
-#networks:
-#  traefik_reverse_proxy:
-#    external: true

monitoring/prometheus/docker-compose.yml

@@ -4,6 +4,8 @@ services:
   prometheus:
     profiles: ["monitoring","all","prometheus"]
     image: prom/prometheus:latest
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     container_name: prometheus
     depends_on:
 #      - alertmanager
@@ -22,6 +24,7 @@ services:
       - ${PROJECT_ROOT}/monitoring/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
       - ${PROJECT_ROOT}/monitoring/prometheus/data:/prometheus
       - ${PROJECT_ROOT}/monitoring/prometheus/rules:/etc/prometheus/rules:ro
+      - ${PROJECT_ROOT}/secrets/prometheus_kuma_basic_auth_password.txt:/run/secrets/prometheus_kuma_basic_auth_password:ro
 
     restart: unless-stopped
     labels:
@@ -53,7 +56,7 @@ services:
 #    volumes:
 #      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
 #    restart: unless-stopped
-#    networks:
+#    secrets:
 #      - edge
 #      - traefik_reverse_proxy
 #    healthcheck:
@@ -101,14 +104,18 @@ services:
     image: influxdb:2.7
     container_name: influxdb
     restart: unless-stopped
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     volumes:
       - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
     environment:
       DOCKER_INFLUXDB_INIT_MODE: setup
-      DOCKER_INFLUXDB_INIT_USERNAME: admin
-      DOCKER_INFLUXDB_INIT_PASSWORD: adminpassword
-      DOCKER_INFLUXDB_INIT_ORG: pbs
-      DOCKER_INFLUXDB_INIT_BUCKET: telemetry
+      DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
+      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
+      DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
+      DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
+    secrets:
+      - influxdb_init_password
     networks:
 #      - edge
 #      - traefik_reverse_proxy
@@ -205,9 +212,11 @@ services:
     profiles: ["monitoring","all","prometheus-exporters"]
     image: ekofr/pihole-exporter:latest
     container_name: pihole-exporter
+    env_file:
+      - ${PROJECT_ROOT}/secrets/stack-secrets.env
     environment:
-      PIHOLE_HOSTNAME: pihole.sweet.home
-      PIHOLE_PASSWORD: ""
+      PIHOLE_HOSTNAME: ${PIHOLE_HOSTNAME}
+      PIHOLE_PASSWORD: ${PIHOLE_PASSWORD}
       PORT: 9617
     ports:
       - "9617:9617"
@@ -228,3 +237,8 @@ services:
 #    external: true
 
 
+
+
+secrets:
+  influxdb_init_password:
+    file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt

monitoring/prometheus/prometheus.yml

@@ -95,8 +95,8 @@ scrape_configs:
     scrape_interval: 30s
 
     basic_auth:
-      username: wayne.bennett@live.com
-      password: '4vjCco?[%{=+,t`):C'
+      username: ${PROMETHEUS_KUMA_BASIC_AUTH_USERNAME}
+      password_file: /run/secrets/prometheus_kuma_basic_auth_password
 
     static_configs:
       - targets: