updated

5-Monitoring/local-server/docker-compose.yml

@@ -0,0 +1,93 @@
+version: '3.7'
+
+volumes:
+    prometheus_data: {}
+    grafana_data: {}
+
+#networks:
+#  back-tier:
+
+networks:
+  front-tier:
+  back-tier:
+
+services:
+
+  node-exporter:
+    container_name: datura-node-exporter
+    image: quay.io/prometheus/node-exporter:latest
+    #command:
+      #- '--path.rootfs=/host'
+    network_mode: host
+    pid: host
+    restart: unless-stopped
+    volumes:
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+      - /:/rootfs:ro
+      - /:/host:ro,rslave
+    command:
+      - '--path.rootfs=/host'
+      - '--path.procfs=/host/proc'
+      - '--path.sysfs=/host/sys'
+      - --collector.filesystem.ignored-mount-points
+      - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+
+    #volumes:
+      #- '/:/host:ro,rslave'
+    #ports:
+      #- "10.8.0.1:9100:9100"
+    restart: always
+    deploy:
+      mode: global
+
+#services:
+
+  prometheus:
+    image: prom/prometheus:v2.36.2
+    volumes:
+      - ./prometheus/:/etc/prometheus/
+      - prometheus_data:/prometheus
+    command:
+      - '--config.file=/etc/prometheus/prometheus.yml'
+      - '--storage.tsdb.path=/prometheus'
+      - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+      - '--web.console.templates=/usr/share/prometheus/consoles'
+    ports:
+      - "10.8.0.2:9999:9090"
+    #links:
+      #- cadvisor:cadvisor
+      #- alertmanager:alertmanager
+#      - pushgateway:pushgateway
+    #depends_on:
+      #- cadvisor
+#      - pushgateway
+    networks:
+      - back-tier
+    restart: always
+#    deploy:
+#      placement:
+#        constraints:
+#          - node.hostname == ${HOSTNAME}
+
+#  node-exporter:
+#    image: quay.io/prometheus/node-exporter:latest
+#    volumes:
+#      - /proc:/host/proc:ro
+#      - /sys:/host/sys:ro
+#      - /:/rootfs:ro
+#      - /:/host:ro,rslave
+#    command:
+#      - '--path.rootfs=/host'
+#      - '--path.procfs=/host/proc'
+#      - '--path.sysfs=/host/sys'
+#      - --collector.filesystem.ignored-mount-points
+#      - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+#    ports:
+#      - "10.8.0.2:9100:9100"
+#    networks:
+#      - back-tier
+#    restart: always
+#    deploy:
+#      mode: global
+

5-Monitoring/local-server/nginx.conf

@@ -0,0 +1,74 @@
+upstream monitorbackend {
+        #server 127.0.0.1:3009;
+        server 10.8.0.2:3222;
+}
+
+server {
+        listen 80;
+        listen [::]:80;
+        server_name monitor.nihilism.network;
+        return 301 https://$server_name$request_uri;
+}
+
+server {
+ ######## TOR CHANGES ########
+        listen 4445;
+        listen [::]:4445;
+        server_name monitor.nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion;
+        add_header Onion-Location "http://monitor.nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion$request_uri" always;
+        ######## TOR CHANGES ########
+
+
+
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name monitor.nihilism.network;
+
+        ssl_certificate /root/.acme.sh/monitor.nihilism.network/fullchain.cer;
+        ssl_certificate_key /root/.acme.sh/monitor.nihilism.network/monitor.nihilism.network.key;
+########################################## HARDENING SSL #############################################
+                ssl_dhparam     /root/.acme.sh/dhparam.pem;
+
+
+# SSL Settings
+                ssl_protocols TLSv1.2 TLSv1.3;
+                ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+                ssl_prefer_server_ciphers on;
+
+
+                ssl_session_cache shared:SSL:10m;
+                ssl_session_timeout 10m;
+                ssl_session_tickets off;
+                ssl_ecdh_curve auto;
+
+                # OCSP stapling
+                ssl_stapling on;
+                ssl_stapling_verify on;
+                ssl_trusted_certificate /root/.acme.sh/monitor.nihilism.network/fullchain.cer;
+                resolver 1.1.1.1 208.67.222.222;
+
+                add_header Strict-Transport-Security "max-age=63072000" always;
+
+
+
+
+        access_log  off;
+    error_log off;
+###################################END OF HARDENING SSL###########################################
+#apt install apache2-utils -y
+        #htpasswd -c /etc/nginx/auth/default.htpasswd nothing
+
+        auth_basic "Password protection";
+        auth_basic_user_file /etc/nginx/auth/default.htpasswd;
+
+
+        location / {
+                proxy_pass http://monitorbackend;
+                                proxy_set_header Host $http_host;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+                client_max_body_size 20G;
+        }
+}
+

5-Monitoring/local-server/prometheus/prometheus.yml

@@ -0,0 +1,61 @@
+global:
+  scrape_interval:     15s # By default, scrape targets every 15 seconds.
+
+  # Attach these labels to any time series or alerts when communicating with
+  # external systems (federation, remote storage, Alertmanager).
+  external_labels:
+    monitor: 'datura-monitor'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+  - job_name: 'datura'
+    #metrics_path: /metrics
+
+    # Override the global default and scrape targets from this job every 5 seconds.
+    scrape_interval: 5s
+
+    static_configs:
+      - targets: ['10.8.0.1:9100']
+    basic_auth:
+      username: 'username'
+      password: ''
+
+  - job_name: 'wonderland'
+    #metrics_path: /metrics
+
+    # Override the global default and scrape targets from this job every 5 seconds.
+    scrape_interval: 5s
+
+    static_configs:
+      - targets: ['10.8.0.2:9100']
+    basic_auth:
+      username: 'username'
+      password: ''
+
+  - job_name: 'rpibackup'
+    #metrics_path: /metrics
+
+    # Override the global default and scrape targets from this job every 5 seconds.
+    scrape_interval: 5s
+
+
+    static_configs:
+      - targets: ['192.168.0.102:80']
+    basic_auth:
+      username: 'username'
+      password: ''
+
+  - job_name: 'mail-gw'
+    #metrics_path: /metrics
+
+    # Override the global default and scrape targets from this job every 5 seconds.
+    scrape_interval: 5s
+
+    static_configs:
+      - targets: ['mail-gw.nihilism.network:80']
+    basic_auth:
+      username: 'username'
+      password: ''
+

5-Monitoring/remote-servers/docker-compose.yml

@@ -0,0 +1,41 @@
+version: '3.7'
+
+volumes:
+    prometheus_data: {}
+    grafana_data: {}
+
+networks:
+  front-tier:
+  back-tier:
+
+services:
+
+  node-exporter:
+    container_name: datura-node-exporter
+    image: quay.io/prometheus/node-exporter:latest
+    #command:
+      #- '--path.rootfs=/host'
+    network_mode: host
+    pid: host
+    restart: unless-stopped
+    volumes:
+      - /proc:/host/proc:ro
+      - /sys:/host/sys:ro
+      - /:/rootfs:ro
+      - /:/host:ro,rslave
+    command:
+      - '--path.rootfs=/host'
+      - '--path.procfs=/host/proc'
+      - '--path.sysfs=/host/sys'
+      - --collector.filesystem.ignored-mount-points
+      - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+
+    #volumes:
+      #- '/:/host:ro,rslave'
+    #ports:
+      #- "10.8.0.1:9100:9100"
+    restart: always
+    deploy:
+      mode: global
+
+

5-Monitoring/remote-servers/nginx.conf

@@ -0,0 +1,52 @@
+upstream nebackend {
+        server 10.8.0.1:9100;
+}
+
+server {
+        listen 80;
+        listen [::]:80;
+        server_name ne.datura.network;
+        return 301 https://$server_name$request_uri;
+}
+
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name ne.datura.network;
+
+        ssl_certificate /root/.acme.sh/ne.datura.network/fullchain.cer;
+        ssl_trusted_certificate /root/.acme.sh/ne.datura.network/ne.datura.network.cer;
+        ssl_certificate_key /root/.acme.sh/ne.datura.network/ne.datura.network.key;
+
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_session_tickets off;
+        ssl_ecdh_curve auto;
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        resolver 80.67.188.188 80.67.169.40 valid=300s;
+        resolver_timeout 10s;
+
+        add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+        add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+        add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+                #apt install apache2-utils -y
+                #htpasswd -c /etc/nginx/auth/default.htpasswd nothing
+
+                auth_basic "Password protection";
+                auth_basic_user_file /etc/nginx/auth/default.htpasswd;
+
+        location / {
+                proxy_pass http://nebackend;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "Upgrade";
+        }
+}
+
+