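---
# Monitoring stack for Docker Compose: Prometheus, node/cAdvisor/blackbox
# exporters, Promtail + Loki, Alertmanager and Grafana. Web UIs are published
# through Traefik using container labels.
#
# Values interpolated from the environment / .env file:
#   PRIMARY_DOMAIN, the *_VER image tags, ALERT_SMTP_PASS_PATH and
#   GRAFANA_ADMIN_PASSWORD.
# Image tags are mutable; pin the *_VER values (ideally to a digest) when
# supply-chain reproducibility matters.

networks:
  # Internal network shared by the monitoring components.
  monitoring: {}
  # Pre-existing network, created outside this file.
  traefik_proxy:
    external: true

services:
  prometheus:
    image: prom/prometheus:${PROMETHEUS_VER}
    container_name: prometheus
    restart: unless-stopped
    networks:
      - monitoring
      - traefik_proxy
    volumes:
      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ./prometheus/rules:/etc/prometheus/rules:ro
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--storage.tsdb.retention.time=30d'
      # NOTE(review): this enables the HTTP reload/shutdown endpoints. The
      # router below attaches only security-headers@file, so nothing in this
      # file authenticates callers. Put an authentication middleware on the
      # router or drop this flag before publishing the host.
      - '--web.enable-lifecycle'
      - '--web.external-url=https://prometheus.${PRIMARY_DOMAIN}'
    security_opt:
      - 'no-new-privileges:true'
    read_only: true
    tmpfs:
      - '/tmp:size=64m'
    cap_drop:
      - ALL
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:9090/-/healthy"]
      interval: 30s
      timeout: 3s
      retries: 5
    labels:
      - traefik.enable=true
      # The container sits on two networks; tell Traefik which one to use so
      # it does not pick an address on a network it may not be attached to.
      - traefik.docker.network=traefik_proxy
      - 'traefik.http.routers.prom.rule=Host(`prometheus.${PRIMARY_DOMAIN}`)'
      - traefik.http.routers.prom.entrypoints=websecure
      - traefik.http.routers.prom.tls.certresolver=le-dns
      - traefik.http.routers.prom.middlewares=security-headers@file

  node-exporter:
    image: prom/node-exporter:${NODE_EXPORTER_VER}
    container_name: node-exporter
    restart: unless-stopped
    networks:
      - monitoring
    # Host PID namespace plus read-only views of /proc, /sys and the whole
    # root filesystem: the container can read every host file its user can.
    pid: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.rootfs=/rootfs'
      - '--path.sysfs=/host/sys'
      # "$$" is Compose's escape for a literal "$"; a bare "$" followed by
      # "|" is rejected as an invalid interpolation and the file fails to load.
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    security_opt:
      - 'no-new-privileges:true'
    read_only: true
    cap_drop:
      - ALL
    # Custom labels; presumably consumed by relabelling rules in
    # prometheus.yml (not visible here) - confirm.
    labels:
      - prometheus.scrape=true
      - prometheus.port=9100

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:${CADVISOR_VER}
    container_name: cadvisor
    restart: unless-stopped
    # Kept off traefik_proxy: this container is effectively host-equivalent.
    networks:
      - monitoring
    volumes:
      - /:/rootfs:ro
      # Read-only is what the upstream cAdvisor run example uses; cAdvisor
      # only needs to connect to the sockets here, not create files.
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/lib/docker:/var/lib/docker:ro
    # NOTE(review): privileged mode disables most container isolation. Treat
    # a compromise of this image as a compromise of the host.
    privileged: true
    devices:
      - '/dev/kmsg:/dev/kmsg'
    labels:
      - prometheus.scrape=true
      - prometheus.port=8080

  blackbox-exporter:
    image: prom/blackbox-exporter:${BLACKBOX_VER}
    container_name: blackbox-exporter
    restart: unless-stopped
    networks:
      - monitoring
    volumes:
      - ./blackbox/blackbox.yml:/etc/blackbox_exporter/config.yml:ro
    security_opt:
      - 'no-new-privileges:true'
    read_only: true
    tmpfs:
      - '/tmp:size=64m'
    cap_drop:
      - ALL
    labels:
      - prometheus.scrape=true
      - prometheus.port=9115

  promtail:
    image: grafana/promtail:${PROMTAIL_VER}
    container_name: promtail
    restart: unless-stopped
    # Host and container logs are mounted read-only for shipping to Loki.
    volumes:
      - /var/log:/var/log:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - ./promtail-config.yml:/etc/promtail/config-docker.yml:ro
    command: '-config.file=/etc/promtail/config-docker.yml'
    networks:
      - monitoring
    # Same baseline as the other services in this file.
    security_opt:
      - 'no-new-privileges:true'

  loki:
    image: grafana/loki:${LOKI_VER}
    container_name: loki
    restart: unless-stopped
    volumes:
      - loki_data:/loki
    networks:
      - monitoring
    # Same baseline as the other services in this file.
    security_opt:
      - 'no-new-privileges:true'
    # NOTE(review): these router labels publish Loki, but the service is only
    # on `monitoring`, so the route works only if Traefik is also attached to
    # that network. Loki ships without an authentication layer; if the push
    # and query API is not meant to be reachable from outside, remove the
    # labels, otherwise add an authentication middleware to the router.
    labels:
      - traefik.enable=true
      - 'traefik.http.routers.loki.rule=Host(`loki.${PRIMARY_DOMAIN}`)'
      - traefik.http.routers.loki.entrypoints=websecure
      - traefik.http.routers.loki.tls.certresolver=le-dns
      - traefik.http.routers.loki.middlewares=security-headers@file

  alertmanager:
    image: prom/alertmanager:${ALERTMANAGER_VER}
    container_name: alertmanager
    restart: unless-stopped
    networks:
      - monitoring
      - traefik_proxy
    volumes:
      - ./alertmanager/alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
      - alertmanager_data:/alertmanager
      # SMTP password is supplied as a read-only file, not an env variable.
      - ${ALERT_SMTP_PASS_PATH}:/etc/alertmanager/secrets/smtp_pass:ro
    command:
      - '--config.file=/etc/alertmanager/alertmanager.yml'
      - '--storage.path=/alertmanager'
      - '--web.external-url=https://alertmanager.${PRIMARY_DOMAIN}'
    security_opt:
      - 'no-new-privileges:true'
    read_only: true
    tmpfs:
      - '/tmp:size=64m'
    cap_drop:
      - ALL
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:9093/-/healthy"]
      interval: 30s
      timeout: 3s
      retries: 5
    # NOTE(review): as with Prometheus, the router carries only
    # security-headers@file; silences and alerts are editable by anyone who
    # can reach the host unless an authentication middleware is added.
    labels:
      - traefik.enable=true
      # Two networks attached: pin the one Traefik should route over.
      - traefik.docker.network=traefik_proxy
      - 'traefik.http.routers.alert.rule=Host(`alertmanager.${PRIMARY_DOMAIN}`)'
      - traefik.http.routers.alert.entrypoints=websecure
      - traefik.http.routers.alert.tls.certresolver=le-dns
      - traefik.http.routers.alert.middlewares=security-headers@file

  grafana:
    image: grafana/grafana:${GRAFANA_VER}
    container_name: grafana
    # Quoted so the UID stays a string.
    user: "472"
    restart: unless-stopped
    networks:
      - monitoring
      - traefik_proxy
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning:/etc/grafana/provisioning:ro
    environment:
      # ":?" makes Compose refuse to start when the variable is unset or
      # empty, instead of passing an empty admin password to Grafana.
      # The value is still visible in `docker inspect`; Grafana also accepts
      # GF_SECURITY_ADMIN_PASSWORD__FILE pointing at a mounted secret file.
      GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}"
      GF_USERS_ALLOW_SIGN_UP: "false"
      GF_SERVER_ROOT_URL: https://grafana.${PRIMARY_DOMAIN}
    security_opt:
      - 'no-new-privileges:true'
    cap_drop:
      - ALL
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
      interval: 30s
      timeout: 3s
      retries: 5
    labels:
      - traefik.enable=true
      # Two networks attached: pin the one Traefik should route over.
      - traefik.docker.network=traefik_proxy
      - 'traefik.http.routers.grafana.rule=Host(`grafana.${PRIMARY_DOMAIN}`)'
      - traefik.http.routers.grafana.entrypoints=websecure
      - traefik.http.routers.grafana.tls.certresolver=le-dns
      - traefik.http.routers.grafana.middlewares=security-headers@file

# Named volumes holding persistent state for each component.
volumes:
  prometheus_data: {}
  grafana_data: {}
  alertmanager_data: {}
  loki_data: {}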