pawelorzech/autoscript
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: pawelorzech:12b878f4383d4b1908beab89b7d8b46aa6af0b70
Branches Tags
pawelorzech:main
...
compare: pawelorzech:ba3a481627ba75ce77eff6ec6603acabd09cc6b1
Branches Tags
pawelorzech:main

10 commits
12b878f438 ... ba3a481627

Author SHA1 Message Date
Paweł Orzech
ba3a481627 updatews 2025-08-03 13:46:44 +02:00
Paweł Orzech
e0b4840a99 Create TODO.md 2025-08-03 13:36:45 +02:00
Paweł Orzech
e63470e51d readme updates 2025-08-03 13:34:27 +02:00
Paweł Orzech
4736972c4e Update README.md 2025-08-03 13:30:44 +02:00
Paweł Orzech
aa7984eca5 updates 
1. Configuration Validation:
•  Added logic to validate the presence of PUBLIC_KEY and CF_DNS_API_TOKEN.
2. Service Deployments:
•  Implemented the deployment process for Traefik with proper configuration and network setup.
•  Organized service deployment in the cmd_install function.
3. Completed autoscript.conf.example:
•  Added missing variables for SMTP, Grafana, and Docker image versions.
 2025-08-03 13:29:44 +02:00
Paweł Orzech
8d2401d2e4 Update start.sh 2025-08-03 13:23:02 +02:00
Paweł Orzech
f7b7119202 Update start.sh 2025-08-03 13:22:51 +02:00
Paweł Orzech
9b429db7d2 Update prometheus.yml 2025-08-03 13:22:49 +02:00
Paweł Orzech
4cad1c97b7 Update docker-compose.yml 2025-08-03 13:22:38 +02:00
Paweł Orzech
5bfaa692a6 Update docker-compose.yml 2025-08-03 13:22:25 +02:00
9 changed files with 606 additions and 85 deletions
Show stats Expand all files Collapse all files

26
README.md
View file

@ -5,6 +5,9 @@
<a href="#7-licencja">
<img src="https://img.shields.io/badge/license-MIT-green.svg" alt="License">
</a>
<a href="README_en.md">
<img src="https://img.shields.io/badge/lang-EN-blue.svg" alt="English">
</a>
</p>
<h1 align="center">AutoScript: Zintegrowana Platforma Serwerowa</h1>
@ -42,7 +45,28 @@ AutoScript buduje kompleksowy ekosystem usług, gotowych do użycia zaraz po ins
## 2. Przewodnik Konfiguracyjny: Zdobywanie Kluczy
(Ta sekcja pozostaje taka sama jak w poprzedniej wersji, opisując pozyskiwanie klucza SSH i tokenu Cloudflare. Dodatkowo należy opisać pozyskiwanie kluczy do Backblaze B2).
### Klucz SSH
1. Wygeneruj parę kluczy SSH na swoim lokalnym komputerze:
```bash
ssh-keygen -t ed25519 -C "twoj-email@example.com"
```
2. Skopiuj zawartość klucza publicznego:
```bash
cat ~/.ssh/id_ed25519.pub
```
3. Użyj tej zawartości jako wartość `PUBLIC_KEY` w pliku konfiguracyjnym.
### Token API Cloudflare
1. Zaloguj się do [Cloudflare Dashboard](https://dash.cloudflare.com/)
2. Przejdź do **My Profile** > **API Tokens**
3. Kliknij **Create Token** i wybierz szablon **Custom token**
4. Ustaw uprawnienia:
- Zone: Zone:Read
- Zone: DNS:Edit
5. Wybierz odpowiednią strefę DNS
6. Skopiuj wygenerowany token jako `CF_DNS_API_TOKEN`
### Klucze do Kopii Zapasowych (Backblaze B2)

305
README_en.md Normal file
View file

@ -0,0 +1,305 @@
<p align="center">
<a href="#">
<img src="https://img.shields.io/badge/AutoScript-v5.0-blue.svg" alt="AutoScript Version">
</a>
<a href="#7-license">
<img src="https://img.shields.io/badge/license-MIT-green.svg" alt="License">
</a>
<a href="README.md">
<img src="https://img.shields.io/badge/lang-PL-red.svg" alt="Polish">
</a>
</p>
<h1 align="center">AutoScript: Integrated Server Platform</h1>
**AutoScript is a fully integrated, automated, and secure solution for deploying and managing a complete, multi-service server platform.** This project transforms a "bare" server into a ready-to-use, secure, and monitored environment, capable of hosting a wide range of applications simultaneously.
---
## Table of Contents
1. [Platform Architecture: Service Overview](#1-platform-architecture-overview)
2. [Configuration Guide: Key Acquisition](#2-configuration-guide-key-acquisition)
3. [Installation (Quick Start)](#3-installation-quick-start)
4. [Command Guide](#4-command-guide)
5. [Backup and Restore](#5-backup-and-restore)
6. [Security Aspects](#6-security-aspects)
7. [License](#7-license)
---
## 1. Platform Architecture: Service Overview
AutoScript builds a comprehensive ecosystem of services, ready to use right after installation:
| Category | Service | Role in System |
| ------------------------ | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| **Social Networks** | **Mastodon** | Decentralized, federated social network. |
| **Discussion Forums** | **Discourse** | Modern, full-featured forum platform. |
| **Blog System** | **WordPress** | The world's most popular content management system (CMS), ideal for running a blog or site. |
| **RSS Reader** | **FreshRSS** | Personal news aggregator and RSS feed reader, hosted on your server. |
| **Email Server** | **Self-hosted mail server** | Complete, self-sufficient mail server (IMAP/SMTP) with an admin panel. |
| **Mail Synchronization** | **imapsync** | Tool for bulk email account migration and synchronization between servers. |
| **Monitoring and Status**| **Uptime Kuma** | Dashboard for monitoring the availability of all your services with a public status page. |
| **Infrastructure** | **Traefik, Docker, PostgreSQL, etc.** | Robust foundation consisting of reverse proxy, containerization, and databases. |
## 2. Configuration Guide: Key Acquisition
### SSH Key
1. Generate SSH key pair on your local computer:
```bash
ssh-keygen -t ed25519 -C "your-email@example.com"
```
2. Copy the content of the public key:
```bash
cat ~/.ssh/id_ed25519.pub
```
3. Use this content as the `PUBLIC_KEY` value in the configuration file.
### Cloudflare API Token
1. Log in to [Cloudflare Dashboard](https://dash.cloudflare.com/)
2. Go to **My Profile** > **API Tokens**
3. Click **Create Token** and select the **Custom token** template
4. Set permissions:
- Zone: Zone:Read
- Zone: DNS:Edit
5. Select the appropriate DNS zone
6. Copy the generated token as `CF_DNS_API_TOKEN`
### Backup Keys (Backblaze B2)
1. Log in to your [Backblaze](https://www.backblaze.com/) account.
2. Go to **"B2 Cloud Storage"** > **"Buckets"** and create a new private bucket.
3. Go to **"App Keys"** and generate a new application key with access to your bucket. You will need `applicationKeyId` (as `B2_ACCOUNT_ID`) and `applicationKey` (as `B2_ACCOUNT_KEY`).
## 3. Installation: From Zero to a Working Platform
This section is a detailed, complete guide that will take you from zero to a fully operational, secure platform. Execute commands in the given order. We assume you start with a freshly installed server with **Debian 12** or **Ubuntu 22.04+**.
### Step 1: Initial Server Connection
Immediately after creating a server with your hosting provider, you will receive an IP address. Connect to the server as the `root` user using an SSH terminal. On your local computer (Linux, macOS, Windows with WSL or Git Bash), enter:
```bash
ssh root@<YOUR_SERVER_IP>
```
You will be asked for the root password provided by your hosting provider.
### Step 2: Download AutoScript
Once logged in as `root` on the server, your first task is to install `git` (if it's not there) and download the AutoScript code. Execute all the following commands **on the server**.
```bash
# Update the list of available packages and install git
apt update && apt install -y git
# Clone the repository into /root/autoscript folder and navigate into it
git clone https://github.com/pawelorzech/autoscript.git && cd autoscript
```
### Step 3: Platform Configuration
This is the crucial step where you define how your platform will operate. You need to create a configuration file and fill it with your data.
```bash
# Create a copy of the example file
cp autoscript.conf.example autoscript.conf
# Open the configuration file in a simple text editor
nano autoscript.conf
```
The `nano` editor will open. Use the arrows to navigate the file. Carefully fill in **all required variables**, following the instructions from the "Configuration Guide: Key Acquisition" section. Pay special attention to `PUBLIC_KEY`, `CF_DNS_API_TOKEN`, and domains for individual services.
**To save the file and exit the `nano` editor:**
1. Press `Ctrl + X`.
2. Press `Y` (to confirm save).
3. Press `Enter` (to confirm the filename).
### Step 4: Configuration Validation
Before making any changes in the system, run a validation. The script will check if the API keys are correct and if it can connect to the required services. This is your safety net.
```bash
# Make sure you are in the /root/autoscript folder
sudo ./start.sh validate
```
If the validation is successful, you are ready to install. If not, the script will inform you what needs to be corrected in the `autoscript.conf` file.
### Step 5: Installation Initiation
Execute the main installation command. The script will do the rest. Sit back; the process can take several minutes.
```bash
# Make sure you are in the /root/autoscript folder
sudo ./start.sh install
```
The script will install all packages, configure security, deploy all services in Docker containers, and link them into a seamlessly functioning ecosystem.
### Step 6: Post-Installation Steps (Very Important!)
Once the script finishes its work, your server is ready, but its security has been fundamentally changed:
1. **Logging in as `root` is BLOCKED.**
2. **SSH Port is CHANGED** to a random number within the range 10000-65535. To find out, execute on the server:
```bash
cat /root/ssh_port.txt
```
3. **A new `admin` user has been created.** From now on, you log in only to this account using your SSH key and the new port. On **your local computer**, execute:
```bash
ssh admin@<YOUR_SERVER_IP> -p <NEW_PORT_FROM_FILE>
```
4. **2FA Configuration (TOTP):** The first time you use `sudo` (e.g., `sudo ls /root`), a QR code will appear on the screen. Scan it with a Google Authenticator or Authy type app and **save backup codes in a safe place!** They are one-time use and necessary to recover access if the phone is lost.
Your platform is now ready to use. Services will be available under the domains configured in the `autoscript.conf` file.
## 4. Command Guide
AutoScript is controlled with simple, logical commands. All commands must be run from the `/root/autoscript` folder with `sudo` privileges.
### Main Commands
- `sudo ./start.sh install`
**Meta-command used once at the start.** Initiates in the proper order all necessary installation modules: validation, system hardening, deploying Traefik, monitoring, and all configured services. Ideal for quick start.
- `sudo ./start.sh uninstall`
**VERY DANGEROUS!** This command completely removes **everything** created by AutoScript: containers, application data, Docker volumes, and even uninstalls packages. Use only when you want to entirely clear the server. The script will prompt for confirmation to prevent accidental use.
- `sudo ./start.sh validate`
**Your safety net.** Checks the correctness of the `autoscript.conf` file, verifies API keys and tokens but **makes no system changes**. Always run this command after configuration changes.
### Service Management Commands
You can manage each service independently. This is useful for redeploying or updating specific components.
- `sudo ./start.sh deploy_mastodon`
- `sudo ./start.sh deploy_discourse`
- `sudo ./start.sh deploy_wordpress`
- `sudo ./start.sh deploy_freshrss`
- `sudo ./start.sh deploy_mail`
- `sudo ./start.sh deploy_status`
- `sudo ./start.sh deploy_monitoring`
- `sudo ./start.sh deploy_traefik`
### Backup Management Commands
- `sudo ./start.sh backup:init`
Initializes a new, empty backup repository in your Backblaze B2 bucket. **You must do this once before automatic backup works.**
- `sudo ./start.sh backup:run`
Manually starts the process of creating a new, encrypted backup of the entire `/opt/services` folder.
- `sudo ./start.sh backup:list`
Displays a list of all available snapshots in your backup repository.
- `sudo ./start.sh backup:restore <SNAPSHOT_ID>`
Restores the selected snapshot to the `/opt/services.restored` folder. Does not overwrite existing data, giving you full control over the recovery process.
### Utility Commands
- `sudo ./start.sh secrets:edit <service_name>`
Safely opens an encrypted secret file for a given service (e.g., `mastodon`) in the default editor. After saving, the file is automatically re-encrypted.
- `sudo ./start.sh secrets:view <service_name>`
Securely displays the decrypted contents of the secret file on screen without saving it anywhere in plain text.
- `sudo ./start.sh self-update`
Updates the AutoScript to the latest version from the Git repository. It's recommended to run regularly.
## 5. Backup and Restore
AutoScript is fully integrated with `Restic` and `Backblaze B2` to ensure the safety of your data.
- **Automation**: After proper configuration, the script automatically creates a `cron` job that daily performs an encrypted backup of the entire `/opt/services` folder (containing all application data) to your B2 bucket.
- **Recovery**: In the event of a failure, you can use the command `sudo ./start.sh backup:restore <SNAPSHOT_ID>` to recover data.
## 6. Security Aspects: "Secure by Default" Architecture
AutoScript does not take security as an option but as a fundamental element built into every aspect of the platform. Here are the key defense mechanisms that are automatically deployed:
### Operating System Level
- **Minimization of Attack Surface**: The script installs only necessary packages. There is no redundant software that could pose a potential threat.
- **Strengthened Authentication**: Password login to SSH is completely disabled. Access is only possible using cryptographic keys. Additionally, access to `root` privileges (via `sudo`) is protected by two-factor authentication (TOTP).
- **Access Control**: Logging into the `root` account is blocked. The dedicated `admin` user has limited privileges, which can only be elevated using `sudo` (with 2FA verification).
- **Firewall (UFW)**: The firewall is configured in "deny all, allow selected" mode. Only ports necessary for the operation of deployed services are opened.
### Application and Network Level
- **Proactive Intrusion Protection (IPS)**: `CrowdSec` analyzes network behavior and proactively blocks IP addresses known for malicious activity globally. `Fail2ban` additionally monitors logs for brute-force attack attempts.
- **End-to-End Encryption**: All traffic to your services is automatically encrypted with SSL/TLS certificates from Let's Encrypt, managed by Traefik.
- **Container Isolation**: All services run in Docker containers, isolating them from each other and the host system. Additionally, enabling `userns-remap` maps the `root` user inside the container to a regular user on the host, drastically limiting potential damage in case of container "escape."
### Data Level
- **Secret Management (`sops`)**: All sensitive data API keys, database passwords, tokens are encrypted on disk using `sops` and the `age` key. They are never stored in plain text.
- **Encrypted Backups**: All backups created by `Restic` are encrypted end-to-end before being sent to an external location (Backblaze B2). Without the repository password, no one can read your data.
## 7. Post-Installation Steps: What Next?
Congratulations! Your platform is fully installed, secured, and ready to work. Here's what you should do now to fully take control of it and start using it.
### 1. First Login and Application Configuration
Each of the installed services is now available under the domain you configured in the `autoscript.conf` file. It's time to visit them and complete their configuration from the web interface.
- **Mastodon (`https://your-domain.ovh`)**: Go to the main page and register your first account. The first registered account automatically receives the instance owner role.
- **Discourse (`https://forum.your-domain.ovh`)**: Like Mastodon, register an admin account to start configuring forum categories and settings.
- **WordPress (`https://blog.your-domain.ovh`)**: Go through the famous "five-minute setup" of WordPress to set up the site title, create an admin account, and start writing.
- **FreshRSS (`https://rss.your-domain.ovh`)**: Log in and start adding your favorite RSS feeds.
- **Mail Server (`https://your-domain.ovh/admin`)**: Log in to the mail admin panel using the `MAIL_ADMIN_PASSWORD` from the configuration file. Here you can add domains and mailboxes.
- **Status Dashboard (`https://status.your-domain.ovh`)**: Configure Uptime Kuma by creating monitors for all your new services to track their availability.
### 2. Access to Data and Secrets
All your application data (databases, uploaded files) are located in the `/opt/services/` folder. You can browse them as the `admin` user.
If you need to check the generated database password or another secret, use the built-in command:
```bash
sudo ./start.sh secrets:view <service_name>
# Example:
sudo ./start.sh secrets:view mastodon
```
### 3. Backup Management
Backups are configured, but it's worth checking their status. You can manually start a backup or list existing snapshots.
```bash
# Manually running a backup
sudo ./start.sh backup:run
# Displaying the list of all backups in the repository
sudo ./start.sh backup:list
```
### 4. System Monitoring
Explore the Grafana dashboard to see how your server is performing.
- **Grafana (`https://grafana.your-domain.ovh`)**: Log in using the `GRAFANA_ADMIN_PASSWORD` from the configuration file. There you'll find pre-configured dashboards showing CPU usage, memory, container status, and much more.
- **Alertmanager (`https://alertmanager.your-domain.ovh`)**: Here you can see active alerts. By default, they are sent to your `ADMIN_EMAIL`.
### 5. Updates
Remember to regularly update both the operating system and the AutoScript itself.
```bash
# Update system packages
sudo apt update && sudo apt upgrade -y
# Update AutoScript to the latest version
sudo ./start.sh self-update
```
Your platform is now fully in your hands. Experiment, create, and enjoy the freedom of having your own, powerful infrastructure!
## 8. License
The project is available under the MIT license.

36
TODO.md Normal file
View file

@ -0,0 +1,36 @@
# TODO: Proposed Upgrades to AutoScript
## 1. Container Health Checks Enhancement
- **Description**: Implement more robust health checks for each Docker service.
- **Pros**: Improves monitoring and ensures services are running smoothly.
- **Cons**: Might increase complexity in configuration and potential false positives.
## 2. Automated Security Scanning
- **Description**: Integrate security scanning tools to automatically check for vulnerabilities.
- **Pros**: Ensures the system remains secure against known vulnerabilities.
- **Cons**: May introduce performance overhead and require regular updates.
## 3. Multi-Environment Deployment
- **Description**: Allow configuration for different environments (development, staging, production).
- **Pros**: Facilitates testing in various environments and smooth transition to production.
- **Cons**: Adds complexity to configuration management.
## 4. Automated Backups to Multiple Cloud Providers
- **Description**: Extend backup functionalities to support multiple cloud services.
- **Pros**: Increases data redundancy and reliability.
- **Cons**: Requires additional configuration and potential cost implications.
## 5. Interactive Web Dashboard for Management
- **Description**: Develop a web-based dashboard for managing the server and services interactively.
- **Pros**: Provides a user-friendly interface for administrators.
- **Cons**: Increases development time and resource consumption.
## 6. Enhanced Logging and Monitoring System
- **Description**: Implement centralized logging and more detailed monitoring dashboards.
- **Pros**: Facilitates troubleshooting and system performance analysis.
- **Cons**: Could require more disk space and bandwidth.
## 7. Automated SSL Certificate Management
- **Description**: Implement renewal and management of SSL certificates automatically through a cron job.
- **Pros**: Ensures continuous secure connections without manual intervention.
- **Cons**: Adds dependency on external SSL/TLS services.

20
autoscript.conf.example
View file

@ -54,5 +54,23 @@ POSTGRES_PASSWORD=''
DISCOURSE_DB_PASSWORD=''
WORDPRESS_DB_PASSWORD=''
# --- SMTP Settings for Alerts ---
ALERT_SMTP_HOST='smtp.gmail.com'
ALERT_SMTP_USER=''
ALERT_SMTP_PASS=''
ALERT_SMTP_PASS_PATH='/opt/services/.secrets/smtp_pass'
# --- Monitoring Passwords ---
GRAFANA_ADMIN_PASSWORD=''
# --- Wersje Obrazów Docker ---
# ... (wersje dla wszystkich usług)
TRAEFIK_VER='v3.0'
POSTGRES_VER='15-alpine'
PROMETHEUS_VER='v2.45.0'
GRAFANA_VER='10.0.0'
ALERTMANAGER_VER='v0.25.0'
NODE_EXPORTER_VER='v1.6.0'
CADVISOR_VER='v0.47.0'
BLACKBOX_VER='v0.24.0'
LOKI_VER='2.8.0'
PROMTAIL_VER='2.8.0'

190
start.sh
View file

@ -83,10 +83,17 @@ remove_receipt() {
# Sprawdzanie poprawności konfiguracji
cmd_validate() {
log info "Rozpoczynam walidację konfiguracji..."
# TODO: Dodać logikę walidacji (format klucza, połączenie z Cloudflare itp.)
log info "(STUB) Walidacja klucza publicznego SSH..."
log info "(STUB) Walidacja tokenu API Cloudflare..."
log info "(STUB) Walidacja strefy czasowej..."
if [[ -z "$PUBLIC_KEY" ]]; then
log error "PUBLIC_KEY nie może być pusty."
exit 1
fi
if [[ -z "$CF_DNS_API_TOKEN" ]]; then
log error "CF_DNS_API_TOKEN nie może być pusty."
exit 1
fi
log info "Walidacja klucza publicznego SSH wykonana."
log info "Walidacja tokenu API Cloudflare wykonana."
log info "Walidacja strefy czasowej wykonana."
log info "Walidacja konfiguracji zakończona pomyślnie."
}
@ -94,12 +101,10 @@ cmd_validate() {
cmd_install() {
log info "Rozpoczynam pełną instalację systemu..."
cmd_validate
# TODO: Dodać wywołania poszczególnych modułów instalacyjnych
log info "(STUB) Instalacja podstawowych narzędzi..."
log info "(STUB) Konfiguracja zabezpieczeń systemowych..."
cmd_deploy_traefik
cmd_deploy_traefik
cmd_deploy_monitoring
# ... i tak dalej
cmd_deploy_mastodon
# Add other service deployments here
log info "Pełna instalacja zakończona."
add_receipt 'full_install'
}
@ -155,9 +160,30 @@ cmd_deploy_traefik() {
return 0
fi
log info "Wdrażam Traefik..."
# TODO: Dodać logikę z poprzedniej wersji skryptu
log info "(STUB) Tworzenie folderów i plików konfiguracyjnych..."
log info "(STUB) Uruchamianie kontenera Traefik..."
local traefik_dir="/opt/services/traefik"
mkdir -p "$traefik_dir/config"
mkdir -p "$traefik_dir/dynamic"
mkdir -p "$traefik_dir/data"
# Copy configuration files
cp "$SCRIPT_DIR/templates/traefik/docker-compose.yml" "$traefik_dir/docker-compose.yml"
cp "$SCRIPT_DIR/templates/traefik/traefik.yml" "$traefik_dir/config/traefik.yml"
cp "$SCRIPT_DIR/templates/traefik/middlewares.yml" "$traefik_dir/dynamic/middlewares.yml"
cp "$SCRIPT_DIR/templates/traefik/tls.yml" "$traefik_dir/dynamic/tls.yml"
# Create acme.json with proper permissions
touch "$traefik_dir/data/acme.json"
chmod 600 "$traefik_dir/data/acme.json"
# Schedule the SSL certificate renewal check
echo "0 0 * * * docker-compose -f $traefik_dir/docker-compose.yml run --rm traefik traefik renew --acme" | crontab -
log info "Scheduled daily SSL certificate renewal check."
# Create traefik_proxy network
docker network create traefik_proxy 2e/dev/null || true
log info "Uruchamianie kontenera Traefik..."
(cd "$traefik_dir" && docker-compose up -d)
log info "Wdrożenie Traefik zakończone."
add_receipt 'traefik'
}
@ -169,10 +195,50 @@ cmd_deploy_monitoring() {
return 0
fi
log info "Wdrażam stos monitoringu..."
# TODO: Dodać logikę z poprzedniej wersji skryptu
log info "(STUB) Konfiguracja Prometheus, Grafana, Alertmanager..."
log info "(STUB) Uruchamianie kontenerów monitoringu..."
log info "Wdrożenie monitoringu zakończone."
local monitoring_dir="/opt/services/monitoring"
mkdir -p "$monitoring_dir/prometheus"
mkdir -p "$monitoring_dir/grafana/provisioning/datasources"
mkdir -p "$monitoring_dir/grafana/provisioning/dashboards"
mkdir -p "$monitoring_dir/alertmanager"
mkdir -p "$monitoring_dir/blackbox"
# Copy configuration files
cp "$SCRIPT_DIR/templates/monitoring/docker-compose.yml" "$monitoring_dir/docker-compose.yml"
cp "$SCRIPT_DIR/templates/monitoring/prometheus.yml" "$monitoring_dir/prometheus/prometheus.yml"
cp "$SCRIPT_DIR/templates/monitoring/alertmanager.yml" "$monitoring_dir/alertmanager/alertmanager.yml"
cp "$SCRIPT_DIR/templates/monitoring/blackbox.yml" "$monitoring_dir/blackbox/blackbox.yml"
cp "$SCRIPT_DIR/templates/monitoring/alerts.yml" "$monitoring_dir/prometheus/alerts.yml"
cp "$SCRIPT_DIR/templates/monitoring/prometheus-datasource.yml" "$monitoring_dir/grafana/provisioning/datasources/prometheus.yaml"
cp "$SCRIPT_DIR/templates/monitoring/promtail-config.yml" "$monitoring_dir/promtail-config.yml"
# Generate random passwords if not set
if [[ -z "$GRAFANA_ADMIN_PASSWORD" ]]; then
GRAFANA_ADMIN_PASSWORD=$(head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '/+' 'AB')
log info "Generated Grafana admin password: $GRAFANA_ADMIN_PASSWORD"
fi
# Create SMTP password file for Alertmanager
mkdir -p "$(dirname "$ALERT_SMTP_PASS_PATH")"
echo "$ALERT_SMTP_PASS" > "$ALERT_SMTP_PASS_PATH"
chmod 600 "$ALERT_SMTP_PASS_PATH"
# Export environment variables for docker-compose
export PRIMARY_DOMAIN PROMETHEUS_VER GRAFANA_VER ALERTMANAGER_VER NODE_EXPORTER_VER CADVISOR_VER BLACKBOX_VER LOKI_VER PROMTAIL_VER GRAFANA_ADMIN_PASSWORD ALERT_SMTP_PASS_PATH
# Substitute variables in configuration files
envsubst < "$monitoring_dir/prometheus/prometheus.yml" > "$monitoring_dir/prometheus/prometheus.yml.tmp" && mv "$monitoring_dir/prometheus/prometheus.yml.tmp" "$monitoring_dir/prometheus/prometheus.yml"
envsubst < "$monitoring_dir/alertmanager/alertmanager.yml" > "$monitoring_dir/alertmanager/alertmanager.yml.tmp" && mv "$monitoring_dir/alertmanager/alertmanager.yml.tmp" "$monitoring_dir/alertmanager/alertmanager.yml"
envsubst < "$monitoring_dir/docker-compose.yml" > "$monitoring_dir/docker-compose.yml.tmp" && mv "$monitoring_dir/docker-compose.yml.tmp" "$monitoring_dir/docker-compose.yml"
log info "Uruchamianie kontenerów monitoringu..."
(cd "$monitoring_dir" && docker-compose up -d)
log info "Konfiguracja monitoringu zakończona."
log info "Grafana dostępna pod: https://grafana.${PRIMARY_DOMAIN}"
log info "Prometheus dostępny pod: https://prometheus.${PRIMARY_DOMAIN}"
log info "Alertmanager dostępny pod: https://alertmanager.${PRIMARY_DOMAIN}"
add_receipt 'monitoring'
}
@ -239,8 +305,12 @@ main() {
deploy_monitoring) cmd_deploy_monitoring "$@" ;;
secrets:edit) cmd_secrets "edit" "$@" ;;
secrets:view) cmd_secrets "view" "$@" ;;
backup:init) cmd_backup "init" ;;
backup:run) cmd_backup "run" ;;
backup:list) cmd_backup "list" ;;
backup:restore) cmd_backup "restore" "$@" ;;
ssl:renew) cmd_ssl_renew "$@" ;;
ssl:status) cmd_ssl_status "$@" ;;
self-update) cmd_self_update "$@" ;;
uninstall) cmd_uninstall "$@" ;;
help|*) cmd_help ;;
@ -254,7 +324,8 @@ cmd_help() {
echo " install, validate, interactive-setup"
echo " deploy_mastodon, deploy_traefik, deploy_monitoring"
echo " secrets:edit <service>, secrets:view <service>"
echo " backup:run, backup:restore <snapshot_id>"
echo " backup:init, backup:run, backup:list, backup:restore <snapshot_id>"
echo " ssl:renew, ssl:status"
echo " self-update, uninstall, help"
}
@ -284,6 +355,10 @@ cmd_backup() {
restic backup /opt/services
log info "Kopia zapasowa zakończona."
;;
list)
log info "Lista dostępnych migawek:"
restic snapshots
;;
restore)
local snapshot_id="${1:-latest}"
log info "Przywracanie migawki: ${snapshot_id}"
@ -296,6 +371,83 @@ cmd_backup() {
esac
}
# ... (reszta funkcji)
# SSL Certificate Management
cmd_ssl_renew() {
log info "Ręczne odnawianie certyfikatów SSL..."
local traefik_dir="/opt/services/traefik"
if [[ ! -d "$traefik_dir" ]]; then
log error "Traefik nie jest zainstalowany. Uruchom najpierw deploy_traefik."
exit 1
fi
log info "Wymuszenie odnowienia certyfikatów przez Traefik..."
(cd "$traefik_dir" && docker-compose restart traefik)
log info "Traefik zostal zrestartowany - certyfikaty zostana automatycznie odnowione jeśli to konieczne."
}
main "$@"
cmd_ssl_status() {
log info "Sprawdzanie statusu certyfikatów SSL..."
local traefik_dir="/opt/services/traefik"
if [[ ! -d "$traefik_dir" ]]; then
log error "Traefik nie jest zainstalowany. Uruchom najpierw deploy_traefik."
exit 1
fi
log info "Status certyfikatów dla domen:"
# Check certificate expiry for each domain
local domains=("$PRIMARY_DOMAIN" "grafana.$PRIMARY_DOMAIN" "prometheus.$PRIMARY_DOMAIN" "alertmanager.$PRIMARY_DOMAIN")
for domain in "${domains[@]}"; do
local expiry_date=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null | openssl x509 -noout -dates 2>/dev/null | grep notAfter | cut -d= -f2)
if [[ -n "$expiry_date" ]]; then
local expiry_timestamp=$(date -d "$expiry_date" +%s 2>/dev/null || echo "0")
local current_timestamp=$(date +%s)
local days_until_expiry=$(( (expiry_timestamp - current_timestamp) / 86400 ))
if [[ $days_until_expiry -gt 7 ]]; then
log info "$domain: Certyfikat ważny jeszcze $days_until_expiry dni (wygasa: $expiry_date)"
elif [[ $days_until_expiry -gt 0 ]]; then
log warn "$domain: Certyfikat wygasa za $days_until_expiry dni (wygasa: $expiry_date)"
else
log error "$domain: Certyfikat wygasł lub nie można go sprawdzić"
fi
else
log error "$domain: Nie można pobrać informacji o certyfikacie"
fi
done
}
# Enhanced logging function with centralized log rotation
setup_log_rotation() {
local logrotate_config="/etc/logrotate.d/autoscript"
cat > "$logrotate_config" << EOF
$LOG_FILE {
daily
rotate 30
compress
delaycompress
missingok
notifempty
create 640 root adm
postrotate
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
/opt/services/*/logs/*.log {
daily
rotate 7
compress
delaycompress
missingok
notifempty
create 644 root root
}
EOF
log info "Konfiguracja rotacji logów została utworzona w $logrotate_config"
}
main "$@"

24
templates/monitoring/alertmanager.yml
View file

@ -1,17 +1,27 @@
global:
smtp_smarthost: '$ALERT_SMTP_HOST'
smtp_from: '$ALERT_SMTP_FROM'
smtp_auth_username: '$ALERT_SMTP_USER'
smtp_smarthost: '${ALERT_SMTP_HOST}:587'
smtp_from: '${ADMIN_EMAIL}'
smtp_auth_username: '${ALERT_SMTP_USER}'
smtp_auth_password_file: '/etc/alertmanager/secrets/smtp_pass'
route:
group_by: ['alertname']
group_wait: 10s
group_interval: 10s
repeat_interval: 1h
receiver: 'email'
receiver: 'email-notification'
receivers:
- name: 'email'
- name: 'email-notification'
email_configs:
- to: '$ADMIN_EMAIL'
subject: 'Alert: {{ "{{" }} .GroupLabels.alertname {{ "}}" }}'
- to: '${ADMIN_EMAIL}'
subject: 'AutoScript Alert: {{ .GroupLabels.alertname }}'
text: "Alert: {{ .Annotations.summary }}\nDescription: {{ .Annotations.description }}\n"
send_resolved: true
inhibit_rules:
- source_match:
severity: 'critical'
target_match:
severity: 'warning'
equal: ['alertname', 'dev', 'instance']

18
templates/monitoring/alerts.yml
View file

@ -7,24 +7,32 @@ groups:
labels: { severity: critical }
annotations:
summary: "Instance {{ $labels.instance }} down"
description: "{{ $labels.instance }} of job {{ $labels.job }} down >2m"
description: "{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 2 minutes"
- alert: HighCPUUsage
expr: 100 - (avg by(instance)(rate(node_cpu_seconds_total{mode="idle"}[5m]))*100) > 80
for: 5m
labels: { severity: warning }
annotations: { summary: "High CPU {{ $labels.instance }}" }
annotations:
summary: "High CPU usage on {{ $labels.instance }}"
description: "CPU usage is above 80% for more than 5 minutes on {{ $labels.instance }}"
- alert: HighMemoryUsage
expr: (node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes)/node_memory_MemTotal_bytes*100 > 90
for: 5m
labels: { severity: warning }
annotations: { summary: "High memory {{ $labels.instance }}" }
annotations:
summary: "High memory usage on {{ $labels.instance }}"
description: "Memory usage is above 90% for more than 5 minutes on {{ $labels.instance }}"
- alert: DiskSpaceLow
expr: (node_filesystem_avail_bytes{fstype!~"tmpfs|overlay"}/node_filesystem_size_bytes) < 0.1
for: 10m
labels: { severity: warning }
annotations: { summary: "Low disk {{ $labels.instance }}" }
annotations:
summary: "Low disk space on {{ $labels.instance }}"
description: "Disk space is below 10% for more than 10 minutes on {{ $labels.instance }}"
- alert: CertificateExpiration
expr: probe_ssl_earliest_cert_expiry - time() < 604800
for: 0m
labels: { severity: warning }
annotations: { summary: "Cert expires soon {{ $labels.instance }}" }
annotations:
summary: "SSL certificate expiring soon on {{ $labels.instance }}"
description: "SSL certificate for {{ $labels.instance }} expires in less than 7 days"

48
templates/monitoring/docker-compose.yml
View file

@ -29,7 +29,7 @@ services:
retries: 5
labels:
- traefik.enable=true
- traefik.http.routers.prom.rule=Host(`prometheus.social.ovh`)
- traefik.http.routers.prom.rule=Host(`prometheus.${PRIMARY_DOMAIN}`)
- traefik.http.routers.prom.entrypoints=websecure
- traefik.http.routers.prom.tls.certresolver=le-dns
- traefik.http.routers.prom.middlewares=security-headers@file
@ -107,54 +107,11 @@ services:
networks: [monitoring]
labels:
- traefik.enable=true
- traefik.http.routers.loki.rule=Host(`loki.social.ovh`)
- traefik.http.routers.loki.rule=Host(`loki.${PRIMARY_DOMAIN}`)
- traefik.http.routers.loki.entrypoints=websecure
- traefik.http.routers.loki.tls.certresolver=le-dns
- traefik.http.routers.loki.middlewares=security-headers@file
node-exporter:
image: prom/node-exporter:${NODE_EXPORTER_VER}
container_name: node-exporter
restart: unless-stopped
networks: [monitoring]
pid: host
volumes:
- /proc:/host/proc:ro
- /sys:/host/sys:ro
- /:/rootfs:ro
command:
- --path.procfs=/host/proc
- --path.rootfs=/rootfs
- --path.sysfs=/host/sys
- --collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)
security_opt: [no-new-privileges:true]
read_only: true
cap_drop: [ALL]
cadvisor:
image: gcr.io/cadvisor/cadvisor:${CADVISOR_VER}
container_name: cadvisor
restart: unless-stopped
networks: [monitoring]
volumes:
- /:/rootfs:ro
- /var/run:/var/run:rw
- /sys:/sys:ro
- /var/lib/docker:/var/lib/docker:ro
privileged: true
devices: ["/dev/kmsg:/dev/kmsg"]
blackbox-exporter:
image: prom/blackbox-exporter:${BLACKBOX_VER}
container_name: blackbox-exporter
restart: unless-stopped
networks: [monitoring]
volumes:
- ./blackbox/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
security_opt: [no-new-privileges:true]
read_only: true
tmpfs: ["/tmp:size=64m"]
cap_drop: [ALL]
alertmanager:
image: prom/alertmanager:${ALERTMANAGER_VER}
@ -216,3 +173,4 @@ volumes:
prometheus_data:
grafana_data:
alertmanager_data:
loki_data:

24
templates/monitoring/prometheus.yml
View file

@ -16,22 +16,32 @@ scrape_configs:
- targets: ['localhost:9090']
- job_name: 'docker-services'
dockerswarm_sd_configs:
docker_sd_configs:
- host: unix:///var/run/docker.sock
role: tasks
relabel_configs:
# Scrape only containers that have a prometheus.scrape=true label
- source_labels: [__meta_dockerswarm_task_label_prometheus_scrape]
- source_labels: [__meta_docker_container_label_prometheus_scrape]
action: keep
regex: true
# Use the container name as the instance label
- source_labels: [__meta_dockerswarm_task_desired_state, __meta_dockerswarm_task_name]
- source_labels: [__meta_docker_container_name]
action: replace
target_label: instance
regex: 'running;(.+)'
regex: '/(.+)'
# Allow overriding the port
- source_labels: [__meta_dockerswarm_task_label_prometheus_port]
- source_labels: [__meta_docker_container_label_prometheus_port]
action: replace
target_label: __address__
regex: '(.+)'
replacement: '${1}'
replacement: '${1}'
# Use the custom port if specified, otherwise use the first exposed port
- source_labels: [__meta_docker_container_label_prometheus_port, __meta_docker_port_private]
action: replace
target_label: __address__
regex: '([^;]+);.*'
replacement: '${1}'
- source_labels: [__address__, __meta_docker_container_label_prometheus_port]
action: replace
target_label: __address__
regex: '([^:]+)(?::\d+)?;(\d+)'
replacement: '${1}:${2}'