Métriques business dans /api/metrics : - Abonnements par tier/status (BASIC/PRO/ENTERPRISE × ACTIVE/CANCELED) - Nouveaux abonnements ce mois vs mois dernier - Désabonnements / churn ce mois vs mois dernier - Utilisateurs actifs 7j / 30j (proxy : note modifiée) - Nouvelles inscriptions 7j / ce mois - Runs agents IA par status (30j + aujourd'hui) + tokens consommés - Usage IA par feature (requêtes + tokens ce mois) - Logins aujourd'hui / ce mois (via AuditLog) - Sessions brainstorm ce mois - Flashcards total + reviews ce mois Alertes Prometheus : - HighChurnRate (> 10 désabonnements ce mois) - NoNewUsersLast7Days (aucune inscription 7j) - AgentRunsHighErrorRate (> 20% erreurs agents) - BusinessMetricsCollectionFailed Hardening monitoring : - Ports monitoring → 127.0.0.1 (plus exposés publiquement) - Images pinned (prometheus v2.53.0, grafana 11.1.0, etc.) - alertmanager-bridge fake → metalmatze/alertmanager-bot:0.4.3 - /api/metrics sécurisé avec METRICS_TOKEN bearer - Prometheus auth bearer via credentials_file - Redis AOF + 256mb, healthcheck → /api/build-info - repeat_interval 4h, inhibit_rules alertmanager - Secrets CI/CD : AUTH_GOOGLE_SECRET, METRICS_TOKEN, GRAFANA, MCP_API_KEY Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
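# Monitoring stack for memento: Prometheus + Alertmanager (+ Telegram bridge),
# Grafana, and the node / postgres / redis / cAdvisor exporters.
# Every published port is bound to 127.0.0.1 so nothing here is reachable from
# outside the host; exporters that scrape app services also join memento-net.
services:
  prometheus:
    image: prom/prometheus:v2.53.0
    container_name: memento-prometheus
    restart: unless-stopped
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
      - ./alerts.yml:/etc/prometheus/alerts.yml:ro
      # Bearer token for scraping /api/metrics (referenced from prometheus.yml
      # as credentials_file). Keep this file out of version control.
      - ./metrics-token:/etc/prometheus/metrics-token:ro
      - prometheus-data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.retention.time=30d'
      # Exposes unauthenticated POST /-/reload and /-/quit. The host port is
      # loopback-only, but any container on memento-net can still reach it.
      - '--web.enable-lifecycle'
    ports:
      - "127.0.0.1:9090:9090"
    networks:
      - memento-monitoring
      - memento-net

  grafana:
    image: grafana/grafana:11.1.0
    container_name: memento-grafana
    restart: unless-stopped
    environment:
      # No fallback value: refuse to start rather than boot with a well-known
      # default admin password (the secret is provisioned by CI/CD).
      GF_SECURITY_ADMIN_PASSWORD: "${GRAFANA_ADMIN_PASSWORD:?GRAFANA_ADMIN_PASSWORD must be set}"
      GF_USERS_ALLOW_SIGN_UP: "false"
      GF_SERVER_ROOT_URL: "${GRAFANA_URL:-http://localhost:3002}"
      GF_SECURITY_DISABLE_GRAVATAR: "true"
      GF_ANALYTICS_REPORTING_ENABLED: "false"
      GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
    volumes:
      - grafana-data:/var/lib/grafana
      - ./grafana-provisioning:/etc/grafana/provisioning:ro
      - ./grafana-dashboards:/etc/grafana/dashboards:ro
    ports:
      - "127.0.0.1:3002:3000"
    networks:
      - memento-monitoring

  alertmanager:
    image: prom/alertmanager:v0.27.0
    container_name: memento-alertmanager
    restart: unless-stopped
    volumes:
      - ./alertmanager.yml:/etc/alertmanager/alertmanager.yml:ro
    ports:
      - "127.0.0.1:9093:9093"
    networks:
      - memento-monitoring

  # Real Telegram webhook bridge (replaces the fake alpine sleep).
  # Not published on the host; Alertmanager reaches it over memento-monitoring.
  alertmanager-telegram:
    image: metalmatze/alertmanager-bot:0.4.3
    container_name: memento-alertmanager-telegram
    restart: unless-stopped
    environment:
      # Interpolated values are quoted so an empty or symbol-leading secret
      # cannot change the YAML type of the entry.
      TELEGRAM_TOKEN: "${TELEGRAM_BOT_TOKEN:-}"
      TELEGRAM_ADMIN: "${TELEGRAM_CHAT_ID:-}"
      ALERTMANAGER_URL: "http://alertmanager:9093"
      STORE: /data/bolt.db
      LISTEN_ADDR: "0.0.0.0:8080"
    volumes:
      - alertmanager-bot-data:/data
    networks:
      - memento-monitoring

  node-exporter:
    image: prom/node-exporter:v1.8.1
    container_name: memento-node-exporter
    restart: unless-stopped
    # Host PID namespace plus read-only host mounts are what node_exporter
    # needs to report on the host rather than on its own container.
    pid: host
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.sysfs=/host/sys'
      - '--path.rootfs=/rootfs'
      # "$$" is Compose's escape for a literal "$" in the regex.
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
    ports:
      - "127.0.0.1:9100:9100"
    networks:
      - memento-monitoring
      - memento-net

  postgres-exporter:
    image: prometheuscommunity/postgres-exporter:v0.15.0
    container_name: memento-postgres-exporter
    restart: unless-stopped
    # NOTE(review): this loads the whole application env into the exporter,
    # which only needs the POSTGRES_* variables; a dedicated env file would
    # narrow what the exporter can read.
    env_file:
      - /opt/memento/.env.docker
    environment:
      # sslmode=disable is acceptable only because memento-postgres is reached
      # over the internal memento-net network. The :-memento fallbacks are
      # presumably the dev defaults of the postgres service — TODO confirm.
      DATA_SOURCE_NAME: "postgresql://${POSTGRES_USER:-memento}:${POSTGRES_PASSWORD:-memento}@memento-postgres:5432/${POSTGRES_DB:-memento}?sslmode=disable"
    ports:
      - "127.0.0.1:9187:9187"
    networks:
      - memento-monitoring
      - memento-net

  redis-exporter:
    image: oliver006/redis_exporter:v1.62.0
    container_name: memento-redis-exporter
    restart: unless-stopped
    environment:
      REDIS_ADDR: "redis://memento-redis:6379"
    ports:
      - "127.0.0.1:9121:9121"
    networks:
      - memento-monitoring
      - memento-net

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.49.1
    container_name: memento-cadvisor
    restart: unless-stopped
    # privileged plus the Docker socket makes this container effectively root
    # on the host. Keep its port loopback-only and do not widen its mounts.
    privileged: true
    command:
      - '--docker_only=true'
    volumes:
      - /:/rootfs:ro
      # Read-only is what cAdvisor's own run instructions use; rw would give
      # the container write access to every host socket under /var/run.
      - /var/run:/var/run:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
    ports:
      - "127.0.0.1:8081:8080"
    networks:
      - memento-monitoring
      - memento-net

volumes:
  prometheus-data:
  grafana-data:
  alertmanager-bot-data:

networks:
  memento-monitoring:
    driver: bridge
  # Application network created by the main compose project; joined so the
  # exporters and Prometheus can reach the app, postgres and redis services.
  memento-net:
    external: true
    name: memento_memento-network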