diff --git a/5-Monitoring/local-server/docker-compose.yml b/5-Monitoring/local-server/docker-compose.yml
new file mode 100644
index 0000000..06b36c8
--- /dev/null
+++ b/5-Monitoring/local-server/docker-compose.yml
@@ -0,0 +1,93 @@
+version: '3.7'
+
+volumes:
+ prometheus_data: {}
+ grafana_data: {}
+
+#networks:
+# back-tier:
+
+networks:
+ front-tier:
+ back-tier:
+
+services:
+
+ node-exporter:
+ container_name: datura-node-exporter
+ image: quay.io/prometheus/node-exporter:latest
+ #command:
+ #- '--path.rootfs=/host'
+ network_mode: host
+ pid: host
+ restart: unless-stopped
+ volumes:
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /:/rootfs:ro
+ - /:/host:ro,rslave
+ command:
+ - '--path.rootfs=/host'
+ - '--path.procfs=/host/proc'
+ - '--path.sysfs=/host/sys'
+ - --collector.filesystem.ignored-mount-points
+ - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+
+ #volumes:
+ #- '/:/host:ro,rslave'
+ #ports:
+ #- "10.8.0.1:9100:9100"
+ restart: always
+ deploy:
+ mode: global
+
+#services:
+
+ prometheus:
+ image: prom/prometheus:v2.36.2
+ volumes:
+ - ./prometheus/:/etc/prometheus/
+ - prometheus_data:/prometheus
+ command:
+ - '--config.file=/etc/prometheus/prometheus.yml'
+ - '--storage.tsdb.path=/prometheus'
+ - '--web.console.libraries=/usr/share/prometheus/console_libraries'
+ - '--web.console.templates=/usr/share/prometheus/consoles'
+ ports:
+ - "10.8.0.2:9999:9090"
+ #links:
+ #- cadvisor:cadvisor
+ #- alertmanager:alertmanager
+# - pushgateway:pushgateway
+ #depends_on:
+ #- cadvisor
+# - pushgateway
+ networks:
+ - back-tier
+ restart: always
+# deploy:
+# placement:
+# constraints:
+# - node.hostname == ${HOSTNAME}
+
+# node-exporter:
+# image: quay.io/prometheus/node-exporter:latest
+# volumes:
+# - /proc:/host/proc:ro
+# - /sys:/host/sys:ro
+# - /:/rootfs:ro
+# - /:/host:ro,rslave
+# command:
+# - '--path.rootfs=/host'
+# - '--path.procfs=/host/proc'
+# - '--path.sysfs=/host/sys'
+# - --collector.filesystem.ignored-mount-points
+# - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+# ports:
+# - "10.8.0.2:9100:9100"
+# networks:
+# - back-tier
+# restart: always
+# deploy:
+# mode: global
+
diff --git a/5-Monitoring/local-server/nginx.conf b/5-Monitoring/local-server/nginx.conf
new file mode 100644
index 0000000..fa67bf4
--- /dev/null
+++ b/5-Monitoring/local-server/nginx.conf
@@ -0,0 +1,74 @@
+upstream monitorbackend {
+ #server 127.0.0.1:3009;
+ server 10.8.0.2:3222;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name monitor.nihilism.network;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ ######## TOR CHANGES ########
+ listen 4445;
+ listen [::]:4445;
+ server_name monitor.nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion;
+ add_header Onion-Location "http://monitor.nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion$request_uri" always;
+ ######## TOR CHANGES ########
+
+
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name monitor.nihilism.network;
+
+ ssl_certificate /root/.acme.sh/monitor.nihilism.network/fullchain.cer;
+ ssl_certificate_key /root/.acme.sh/monitor.nihilism.network/monitor.nihilism.network.key;
+########################################## HARDENING SSL #############################################
+ ssl_dhparam /root/.acme.sh/dhparam.pem;
+
+
+# SSL Settings
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /root/.acme.sh/monitor.nihilism.network/fullchain.cer;
+ resolver 1.1.1.1 208.67.222.222;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+
+
+
+ access_log off;
+ error_log off;
+###################################END OF HARDENING SSL###########################################
+#apt install apache2-utils -y
+ #htpasswd -c /etc/nginx/auth/default.htpasswd nothing
+
+ auth_basic "Password protection";
+ auth_basic_user_file /etc/nginx/auth/default.htpasswd;
+
+
+ location / {
+ proxy_pass http://monitorbackend;
+ proxy_set_header Host $http_host;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ client_max_body_size 20G;
+ }
+}
+
diff --git a/5-Monitoring/local-server/prometheus/prometheus.yml b/5-Monitoring/local-server/prometheus/prometheus.yml
new file mode 100644
index 0000000..a091688
--- /dev/null
+++ b/5-Monitoring/local-server/prometheus/prometheus.yml
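Review bot: `access_log off;` and `error_log off;` in the HTTPS/onion server block discard the only record of who authenticated against the `auth_basic` gate in front of `monitorbackend`, so a password-guessing burst against `default.htpasswd` leaves no trace; and `error_log off;` does not disable the error log in nginx at all — there is no `off` value for that directive, so it opens a file literally named `off` in the prefix directory. Keep both logs on real paths, e.g. `access_log /var/log/nginx/monitor.access.log;` and `error_log /var/log/nginx/monitor.error.log warn;`. `proxy_set_header Connection "Upgrade";` is sent on every proxied request, turning ordinary page loads into upgrade requests; unless the backend on `10.8.0.2:3222` needs WebSockets on all paths, drop it or use the `map $http_upgrade $connection_upgrade` idiom. This vhost also lacks the `X-Frame-Options` and `X-Content-Type-Options` headers that `remote-servers/nginx.conf` in the same commit sets, and `client_max_body_size 20G;` is far beyond anything a dashboard needs; the two configs should agree on both.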
@@ -0,0 +1,61 @@
+global:
+ scrape_interval: 15s # By default, scrape targets every 15 seconds.
+
+ # Attach these labels to any time series or alerts when communicating with
+ # external systems (federation, remote storage, Alertmanager).
+ external_labels:
+ monitor: 'datura-monitor'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+ # The job name is added as a label `job=` to any timeseries scraped from this config.
+ - job_name: 'datura'
+ #metrics_path: /metrics
+
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+
+ static_configs:
+ - targets: ['10.8.0.1:9100']
+ basic_auth:
+ username: 'username'
+ password: ''
+
+ - job_name: 'wonderland'
+ #metrics_path: /metrics
+
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+
+ static_configs:
+ - targets: ['10.8.0.2:9100']
+ basic_auth:
+ username: 'username'
+ password: ''
+
+ - job_name: 'rpibackup'
+ #metrics_path: /metrics
+
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+
+
+ static_configs:
+ - targets: ['192.168.0.102:80']
+ basic_auth:
+ username: 'username'
+ password: ''
+
+ - job_name: 'mail-gw'
+ #metrics_path: /metrics
+
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+
+ static_configs:
+ - targets: ['mail-gw.nihilism.network:80']
+ basic_auth:
+ username: 'username'
+ password: ''
+
diff --git a/5-Monitoring/remote-servers/docker-compose.yml b/5-Monitoring/remote-servers/docker-compose.yml
new file mode 100644
index 0000000..617a09b
--- /dev/null
+++ b/5-Monitoring/remote-servers/docker-compose.yml
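Review bot: Every job in `prometheus.yml` carries `basic_auth` with a placeholder `username: 'username'` and `password: ''`, i.e. scrape credentials committed to the repository with an empty secret; replace the inline value with `password_file: /etc/prometheus/secrets/<job>.pass` kept outside version control (and a real username). The `rpibackup` and `mail-gw` jobs target port `:80`, and Prometheus defaults to `scheme: http`, so the Authorization header leaves the box in cleartext on every scrape — if those hosts redirect 80 to 443 the way the nginx configs in this commit do, the redirect only arrives after the credentials have already been sent; set `scheme: https` and target `:443` on those two jobs. Indentation was lost in this listing, so I cannot tell whether `basic_auth` sits at the job level or under `static_configs`; it must be a direct child of the `- job_name:` entry, because a `static_configs` item only accepts `targets` and `labels`.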
@@ -0,0 +1,41 @@
+version: '3.7'
+
+volumes:
+ prometheus_data: {}
+ grafana_data: {}
+
+networks:
+ front-tier:
+ back-tier:
+
+services:
+
+ node-exporter:
+ container_name: datura-node-exporter
+ image: quay.io/prometheus/node-exporter:latest
+ #command:
+ #- '--path.rootfs=/host'
+ network_mode: host
+ pid: host
+ restart: unless-stopped
+ volumes:
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /:/rootfs:ro
+ - /:/host:ro,rslave
+ command:
+ - '--path.rootfs=/host'
+ - '--path.procfs=/host/proc'
+ - '--path.sysfs=/host/sys'
+ - --collector.filesystem.ignored-mount-points
+ - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)"
+
+ #volumes:
+ #- '/:/host:ro,rslave'
+ #ports:
+ #- "10.8.0.1:9100:9100"
+ restart: always
+ deploy:
+ mode: global
+
+
diff --git a/5-Monitoring/remote-servers/nginx.conf b/5-Monitoring/remote-servers/nginx.conf
new file mode 100644
index 0000000..418b2da
--- /dev/null
+++ b/5-Monitoring/remote-servers/nginx.conf
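Review bot: In `remote-servers/docker-compose.yml` node-exporter runs with `network_mode: host` and no `--web.listen-address`, so it serves its default `:9100` on every host interface — the same port the `nebackend` upstream in `remote-servers/nginx.conf` wraps in `auth_basic`; anyone who can reach 9100 directly (on `10.8.0.1` or any other address) skips the password entirely. Bind the exporter to the loopback and point the nginx upstream there, i.e. `- '--web.listen-address=127.0.0.1:9100'` in `command` and `server 127.0.0.1:9100;` in the upstream, or, if the Prometheus host is meant to scrape it directly over the 10.8.0.x link, bind to that address only and firewall it from everything but the scraper. The service also declares `restart:` twice (`unless-stopped`, then `always`), which YAML resolves silently as last-wins, and the `volumes:` and `networks:` blocks (`prometheus_data`, `grafana_data`, `front-tier`, `back-tier`) are referenced by nothing in this file. Pin `quay.io/prometheus/node-exporter:latest` to a tag or digest as well, since this container mounts the host's `/` and `/proc`.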
@@ -0,0 +1,52 @@
+upstream nebackend {
+ server 10.8.0.1:9100;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ne.datura.network;
+ return 301 https://$server_name$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ne.datura.network;
+
+ ssl_certificate /root/.acme.sh/ne.datura.network/fullchain.cer;
+ ssl_trusted_certificate /root/.acme.sh/ne.datura.network/ne.datura.network.cer;
+ ssl_certificate_key /root/.acme.sh/ne.datura.network/ne.datura.network.key;
+
+ ssl_protocols TLSv1.3 TLSv1.2;
+ ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ ssl_ecdh_curve auto;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 80.67.188.188 80.67.169.40 valid=300s;
+ resolver_timeout 10s;
+
+ add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
+ add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
+ add_header X-Content-Type-Options nosniff; #MIME-type sniffing
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+
+ #apt install apache2-utils -y
+ #htpasswd -c /etc/nginx/auth/default.htpasswd nothing
+
+ auth_basic "Password protection";
+ auth_basic_user_file /etc/nginx/auth/default.htpasswd;
+
+ location / {
+ proxy_pass http://nebackend;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+}
+
+
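Review bot: The `ssl_ciphers` list here re-admits CBC, non-AEAD suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES128-SHA256`, and the other two `-SHA256`/`-SHA384` entries) that the sibling `local-server/nginx.conf` in this commit deliberately leaves out, and the three `TLS13-*` entries are not OpenSSL cipher names (TLS 1.3 suites are set via `ssl_conf_command Ciphersuites …`, not `ssl_ciphers`), so as far as I can tell OpenSSL silently ignores them; use the AEAD-only list from the local config so both proxies enforce the same policy. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";` lacks `always`, so it is omitted on the 401 that `auth_basic` answers with, and `preload` on a subdomain is only honoured if the parent `datura.network` zone submits it — confirm that is intended and add `always`. `proxy_set_header Connection "Upgrade";` is applied to every request to a plain HTTP metrics endpoint; node-exporter has no WebSocket path, so drop the two `Upgrade` lines. `X-XSS-Protection` is deprecated and ignored by current browsers; harmless, but a `Content-Security-Policy` header would do the job it was meant for.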