sendico/infra/monitoring/docker-compose.yml

secrets:
  monitoring_vault_role_id:
    external: true
  monitoring_vault_secret_id:
    external: true

networks:
  cicd:
    external: true

volumes:
  loki_data:
  grafana_data:
  prometheus_data:
  alertmanager_data:
  alertmanager_config:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=8m,uid=0,gid=0,mode=0755
  vault_secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: size=32m,uid=472,gid=472,mode=0750

services:
  vault-agent-monitoring:
    image: hashicorp/vault:latest
    networks: [cicd]
    cap_add: ["IPC_LOCK"]
    environment:
      VAULT_ADDR: "http://vault:8200"
    command: >
      sh -lc 'vault agent -config=/etc/vault/agent.hcl'
    secrets:
      - source: monitoring_vault_role_id
        target: /etc/vault/role_id
      - source: monitoring_vault_secret_id
        target: /etc/vault/secret_id
    volumes:
      - ./vault-agent/agent.hcl:/etc/vault/agent.hcl:ro
      - ./vault-agent/templates:/etc/vault/templates:ro
      - vault_secrets:/vault/secrets:rw
      - alertmanager_config:/vault/alertmanager:rw
    healthcheck:
      test: ["CMD-SHELL", "test -s /vault/secrets/grafana.env"]
      interval: 30s
      timeout: 5s
      retries: 3
    deploy:
      restart_policy:
        condition: any

  prometheus:
    image: prom/prometheus:latest
    networks: [cicd]
    command:
      - --config.file=/etc/prometheus/prometheus.yml
      - --storage.tsdb.path=/prometheus
      - --storage.tsdb.retention.time=30d
      - --web.enable-lifecycle
    volumes:
      - ./prometheus/config.yml:/etc/prometheus/prometheus.yml:ro
      - prometheus_data:/prometheus
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:9090/-/ready"]
      interval: 30s
      timeout: 5s
      retries: 3
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.prometheus.rule=Host(`prometheus.sendico.io`)"
      - "traefik.http.routers.prometheus.entrypoints=websecure"
      - "traefik.http.routers.prometheus.tls.certresolver=letsencrypt"
      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
    deploy:
      restart_policy:
        condition: any

  alertmanager:
    image: prom/alertmanager:latest
    networks: [cicd]
    command: >
      sh -c 'while [ ! -s /vault/alertmanager/alertmanager.yml ]; do echo "⏳ waiting for alertmanager.yml"; sleep 2; done;
             exec /bin/alertmanager --config.file=/vault/alertmanager/alertmanager.yml --storage.path=/alertmanager'
    volumes:
      - alertmanager_data:/alertmanager
      - alertmanager_config:/vault/alertmanager:ro
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:9093/-/ready"]
      interval: 30s
      timeout: 5s
      retries: 3
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.alertmanager.rule=Host(`alertmanager.sendico.io`)"
      - "traefik.http.routers.alertmanager.entrypoints=websecure"
      - "traefik.http.routers.alertmanager.tls.certresolver=letsencrypt"
      - "traefik.http.services.alertmanager.loadbalancer.server.port=9093"
    deploy:
      restart_policy:
        condition: any

  loki:
    image: grafana/loki:latest
    networks: [cicd]
    command: ["-config.file=/etc/loki/config.yml"]
    volumes:
      - ./loki/config.yml:/etc/loki/config.yml:ro
      - loki_data:/loki
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3100/ready"]
      interval: 30s
      timeout: 5s
      retries: 5
    deploy:
      restart_policy:
        condition: any

  grafana:
    image: grafana/grafana:latest
    networks: [cicd]
    command: >
      sh -c 'while [ ! -s /vault/secrets/grafana.env ]; do echo "⏳ waiting for grafana.env"; sleep 2; done;
             set -a; . /vault/secrets/grafana.env; set +a; exec /run.sh'
    volumes:
      - grafana_data:/var/lib/grafana
      - vault_secrets:/vault/secrets:ro
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/api/health"]
      interval: 30s
      timeout: 5s
      retries: 5
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.grafana.rule=Host(`grafana.sendico.io`)"
      - "traefik.http.routers.grafana.entrypoints=websecure"
      - "traefik.http.routers.grafana.tls.certresolver=letsencrypt"
      - "traefik.http.services.grafana.loadbalancer.server.port=3000"
    deploy:
      restart_policy:
        condition: any