From 2f106966cf74ce3b70827dbd50accc4ca9f19e41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 29 Apr 2016 21:07:22 +0200
Subject: [PATCH] first commit
---
.dockerignore | 3 ++
.gitignore | 1 +
Dockerfile | 71 +++++++++++++++++++++++++++++++++++++
Makefile | 7 ++++
etc/fix-attrs.d/grafana-dir | 2 ++
etc/influxdb/config.toml | 16 +++++++++
etc/services.d/cron/run | 2 ++
etc/services.d/grafana/run | 4 +++
etc/services.d/icinga2/run | 2 ++
etc/services.d/influxdb/run | 2 ++
etc/services.d/nginx/run | 2 ++
etc/services.d/postgres/run | 2 ++
etc/services.d/sshd/run | 2 ++
usr/bin/update-certs | 27 ++++++++++++++
14 files changed, 143 insertions(+)
create mode 100644 .dockerignore
create mode 100644 .gitignore
create mode 100644 Dockerfile
create mode 100644 Makefile
create mode 100644 etc/fix-attrs.d/grafana-dir
create mode 100644 etc/influxdb/config.toml
create mode 100755 etc/services.d/cron/run
create mode 100755 etc/services.d/grafana/run
create mode 100755 etc/services.d/icinga2/run
create mode 100755 etc/services.d/influxdb/run
create mode 100755 etc/services.d/nginx/run
create mode 100755 etc/services.d/postgres/run
create mode 100755 etc/services.d/sshd/run
create mode 100755 usr/bin/update-certs
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..63e021f
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+.envrc
+Dockerfile
+cache
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..06cf653
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+cache
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6e5c47d
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,71 @@
+FROM alpine:edge
+
+# 1. common tools
+# 2. programing languages
+# 3. icinga2 stuff
+# 4. letsencrypt deps
+RUN apk add --no-cache --update \
+ bind-tools tcpdump openssh lsof curl wget git mercurial strace tmux vim rsync htop bash openssl \
+ ruby python go build-base \
+ nginx postgresql icinga2 \
+ py-requests py-setuptools && \
+ mkdir -p /run/nginx
+
+## S6 supervisor
+RUN curl -sSL https://github.com/just-containers/s6-overlay/releases/download/v1.17.2.0/s6-overlay-amd64.tar.gz | tar -xzf - -C /
+
+## Influxdb
+RUN export GOPATH=/tmp/go \
+ && mkdir -p /etc/influxdb/ $GOPATH/src/github.com/influxdata \
+ && curl -sSL https://github.com/influxdata/influxdb/archive/v0.12.2.tar.gz | tar -xzf - -C /tmp \
+ && mv /tmp/influxdb-* $GOPATH/src/github.com/influxdata/influxdb \
+ && cd $GOPATH/src/github.com/influxdata/influxdb \
+ && go get github.com/sparrc/gdm \
+ && export PATH=$GOPATH/bin:$PATH \
+ && gdm restore \
+ && go install ./... \
+ && cp $GOPATH/bin/influx* /usr/bin/ \
+ && rm -rf $GOPATH
+
+## Grafana
+RUN apk add --no-cache nodejs \
+ && export GOPATH=/tmp/go \
+ && mkdir -p /opt/grafana/conf $GOPATH/src/github.com/grafana/ \
+ && curl -sSL https://github.com/grafana/grafana/archive/v3.0-beta5.tar.gz | tar -xzf - -C /tmp \
+ && mv /tmp/grafana-* $GOPATH/src/github.com/grafana/grafana \
+ && cd $GOPATH/src/github.com/grafana/grafana \
+ && go run build.go setup \
+ && $GOPATH/bin/godep restore \
+ && go run build.go build \
+ && npm install \
+ && npm install -g grunt-cli \
+ && grunt \
+ && npm uninstall -g grunt-cli \
+ && npm cache clear \
+ && cp -a $GOPATH/src/github.com/grafana/grafana/bin/* /usr/bin/ \
+ && cp -ra $GOPATH/src/github.com/grafana/grafana/public_gen /opt/grafana/public \
+ && apk del --purge nodejs \
+ && rm -rf $GOPATH /root/.npm* \
+ && addgroup -g 45555 grafana \
+ && adduser -u 45555 -G grafana -D grafana
+
+## simp_le
+RUN apk --no-cache add libffi-dev python-dev openssl-dev && \
+ mkdir -p /tmp/simp_le /etc/ssl/letsencrypt && \
+ curl -sSL https://github.com/kuba/simp_le/archive/master.tar.gz | tar -xzf - -C /tmp && \
+ cd /tmp/simp_le-master && \
+ python ./setup.py install && \
+ rm -rf /tmp/simp_le-master && apk del git py-pip libffi-dev python-dev openssl-dev && \
+ echo "3 10 * * * /usr/bin/update-certs" >> /etc/crontabs/root
+
+## temporary keys until letsencrypt certificate is generated
+RUN cd /etc/ssl/letsencrypt && \
+ openssl req -x509 -newkey rsa:2048 -keyout nginx/key.pem -out nginx/fullchain.pem -days 5 && \
+ cat nginx/key.pem nginx/fullchain.pem > influxdb/combined.pem
+
+RUN icinga2 feature enable ido-pgsql
+
+VOLUME [ "/var/lib/influxdb/data", "/var/lib/influxdb/meta", "/var/lib/postgres/", "/var/lib/grafana", "/etc/grafana", "/etc/icinga2", "/etc/icinga-web", "/etc/icingaweb2", "/var/lib/icinga2", "/etc/ssmtp"]
+EXPOSE 22 80 443
+ADD . /
+ENTRYPOINT ["/init"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..df7b2f5
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,7 @@
+all: run
+
+build:
+ docker build -t monitoring .
+
+run: build
+ docker run --rm -ti monitoring sh
diff --git a/etc/fix-attrs.d/grafana-dir b/etc/fix-attrs.d/grafana-dir
new file mode 100644
index 0000000..b43accb
--- /dev/null
+++ b/etc/fix-attrs.d/grafana-dir
@@ -0,0 +1,2 @@
+/var/lib/grafana true grafana 0755 0755
+/var/log/grafana true grafana 0755 0755
diff --git a/etc/influxdb/config.toml b/etc/influxdb/config.toml
new file mode 100644
index 0000000..b37507c
--- /dev/null
+++ b/etc/influxdb/config.toml
@@ -0,0 +1,16 @@
+reporting-disabled = true
+
+[meta]
+ dir = "/var/lib/influxdb/meta"
+ retention-autocreate = true
+ logging-enabled = true
+ lease-duration = "1m0s"
+
+[http]
+ auth-enabled = true
+ https-enabled = true
+ https-certificate = "/etc/ssl/letsencrypt/influxdb/combined.pem"
+
+[admin]
+ https-enabled = true
+ https-certificate = "/etc/ssl/letsencrypt/influxdb/combined.pem"
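Review bot: The `## S6 supervisor` step in the Dockerfile pipes an unverified download straight into `tar -xzf - -C /` as root, so whatever the URL serves at build time becomes the image's init system; under the default `/bin/sh` there is also no pipefail, so a failed `curl` is not guaranteed to stop the build. Download to a file, check it against a recorded SHA-256 and only then extract, as sketched below (the digest is a placeholder to fill in from a trusted copy of the release). The Influxdb, Grafana and simp_le steps use the same `curl | tar` pattern, and simp_le tracks `master.tar.gz`, so the ACME client that handles the account key can change between rebuilds; pin it to a tag or commit and verify it the same way. Separately, the temporary-key step writes a private key into an image layer, so every container started from this image shares that key until `update-certs` replaces it; generating it at container start would avoid that.

```dockerfile
# … unchanged: FROM and apk package install …

## S6 supervisor
RUN curl -fsSLo /tmp/s6-overlay.tar.gz \
      https://github.com/just-containers/s6-overlay/releases/download/v1.17.2.0/s6-overlay-amd64.tar.gz \
    && echo "<SHA256_OF_S6_OVERLAY_TARBALL>  /tmp/s6-overlay.tar.gz" | sha256sum -c - \
    && tar -xzf /tmp/s6-overlay.tar.gz -C / \
    && rm /tmp/s6-overlay.tar.gz

# … unchanged: Influxdb, Grafana, simp_le, temporary keys, VOLUME/EXPOSE/ADD/ENTRYPOINT …
```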
diff --git a/etc/services.d/cron/run b/etc/services.d/cron/run
new file mode 100755
index 0000000..7a54446
--- /dev/null
+++ b/etc/services.d/cron/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+crond -l 2 -f
diff --git a/etc/services.d/grafana/run b/etc/services.d/grafana/run
new file mode 100755
index 0000000..cd0dda9
--- /dev/null
+++ b/etc/services.d/grafana/run
@@ -0,0 +1,4 @@
+#!/usr/bin/execlineb -P
+cat
+#s6-setuidgid grafana
+#/opt/grafana/bin/grafana-server -homepath /opt/grafana cfg:default.paths.data=/var/lib/grafana
diff --git a/etc/services.d/icinga2/run b/etc/services.d/icinga2/run
new file mode 100755
index 0000000..aa66c29
--- /dev/null
+++ b/etc/services.d/icinga2/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+cat
diff --git a/etc/services.d/influxdb/run b/etc/services.d/influxdb/run
new file mode 100755
index 0000000..559819f
--- /dev/null
+++ b/etc/services.d/influxdb/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+/usr/bin/influxd -config /etc/influxdb/config.toml
diff --git a/etc/services.d/nginx/run b/etc/services.d/nginx/run
new file mode 100755
index 0000000..503eb56
--- /dev/null
+++ b/etc/services.d/nginx/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+nginx -g "daemon off;"
diff --git a/etc/services.d/postgres/run b/etc/services.d/postgres/run
new file mode 100755
index 0000000..aa66c29
--- /dev/null
+++ b/etc/services.d/postgres/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+cat
diff --git a/etc/services.d/sshd/run b/etc/services.d/sshd/run
new file mode 100755
index 0000000..aa66c29
--- /dev/null
+++ b/etc/services.d/sshd/run
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -P
+cat
diff --git a/usr/bin/update-certs b/usr/bin/update-certs
new file mode 100755
index 0000000..d7820df
--- /dev/null
+++ b/usr/bin/update-certs
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -eux
+
+gen_cert() {
+ local app="$1"; shift
+ local restart_action="$1"; shift
+
+ cd "/etc/ssl/letsencrypt/$app"
+ mkdir -p "/etc/ssl/letsencrypt/$app"
+
+ set +e
+ simp_le --email joerg@higgsboson.tk \
+ -f account_key.json \
+ -f fullchain.pem \
+ -f key.pem \
+ $(for domain in "$@"; do echo "-d $domain"; done) \
+ --default_root /var/www/letsenrypt
+ cat fullchain.pem key.pem > combined.pem
+ local rc=$?
+ [ $rc = 1 ] && $restart_action
+ [ $rc != 0 ] && exit $rc
+}
+
+gen_cert "nginx" "nginx -s reload" "status.higgsboson.tk" "stats.higgsboson.tk"
+gen_cert "influxdb" "s6-svc -t /var/run/s6/services/influxdb" "influxdb.higgsboson.tk"
+touch /etc/ssl/letsencrypt/last-check
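Review bot: In `gen_cert`, `local rc=$?` comes after the `cat fullchain.pem key.pem > combined.pem` line, so `rc` holds the exit status of `cat` rather than of `simp_le`, and the reload and exit checks that follow never see the ACME client's result; a failed renewal can then pass as success while `combined.pem` is rebuilt from stale files. Capture the status directly after the `simp_le` call (`local rc=$?` on the line before `cat`) and switch `set -e` back on afterwards, since `set +e` currently stays in effect for the rest of the script. It is also worth confirming which `simp_le` exit code means "renewed" before keying the restart on `[ $rc = 1 ]`. In addition, `cd "/etc/ssl/letsencrypt/$app"` runs before the `mkdir -p` of the same directory, so under `set -eux` a first run aborts if the directory does not exist yet; swap the two lines. The `--default_root /var/www/letsenrypt` path looks like a misspelling of `letsencrypt` and should be checked against the webroot nginx actually serves.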