version: '2.1' services: # # Welcome to Grafolean! # # Ideally, this file should not be changed - please use .env file to change configuration (see .env.example). # # When using HTTPS, please read the comments to change settings below appropriately. # # This file installs local bots (ICMP Ping, SNMP, NetFlow) in addition to Grafolean services. If you do not need them and # would prefer if they are disabled, simply stop their containers (if running) and remove their entries below. # db: image: timescale/timescaledb:1.7.4-pg12 container_name: postgres volumes: # You should always save DB data to a host directory unless you are prepared to lose it. By default # the location of data on host is '/grafolean/db/'. # Note that if you ever wish to copy this directory as backup, you need to stop grafolean # container first. For alternative backup approaches consult PostgreSQL documentation. - ${DB_DIR:-/grafolean/db/}:/var/lib/postgresql/data/ environment: # It is probably a good idea to change DB access credentials (before running `docker-compose up` for the first time). # If you do that, you should also update corresponding DB_* environment variables on grafolean service below. - POSTGRES_DB=${DB_NAME:-grafolean} - POSTGRES_USER=${DB_USER:-admin} - POSTGRES_PASSWORD=${DB_PASS:-admin} restart: always healthcheck: test: ["CMD-SHELL", "pg_isready -h db -U ${DB_USER:-admin} -t 1 -q"] interval: 10s timeout: 5s retries: 3 networks: - grafolean grafolean: # If you wish to load an explicit version, change the next line. For example: # image: grafolean/grafolean:v1.0.0 image: grafolean/grafolean container_name: grafolean depends_on: db: condition: service_healthy environment: - DB_HOST=db - DB_DATABASE=${DB_NAME:-grafolean} - DB_USERNAME=${DB_USER:-admin} - DB_PASSWORD=${DB_PASS:-admin} - MQTT_HOSTNAME=mosquitto - MQTT_PORT=1883 # MQTT_WS_HOSTNAME must be set to domain (or IP address) under which Mosquitto websockets will be available. # In default configuration this is the same hostname as used for everything else (backend and frontend) because # Mosquitto is served through nginx. Port can be ignored in default configuration. - MQTT_WS_HOSTNAME=${EXTERNAL_HOSTNAME} - MQTT_WS_PORT=${HTTP_PORT:-80} # In default setting (where backend API is proxied through nginx, and is thus available on the same # domain) GRAFOLEAN_CORS_DOMAINS can be ignored. It is only needed if you want to install # Grafolean backend on a different origin than frontend. You will also be warned if this needs to be changed. # # GRAFOLEAN_CORS_DOMAINS: Comma-delimited list of domains on which we allow frontend to be shown. The # domains should follow the same format as Origin header and may include port number. # This setting affects backend only, but frontend learns about the setting through /admin/status/info # endpoint (which allows access from all domains by design) and warns if it is not set correctly. # Example setting: # - GRAFOLEAN_CORS_DOMAINS=http://example.com,http://grafolean.example.com,http://11.22.33.44:3000 # # If backend is sending out e-mails (signup), it needs to know the URL at which Grafolean frontend is # accessible. In default setting there is no need to set this setting, because backend uses the same # origin as frontend. # - FRONTEND_ORIGIN=http://example.com:2222 # # These settings are needed if Grafolean is sending e-mails: (for signup, forgot pass, alerts) #- MAIL_SERVER=${MAIL_SERVER} #- MAIL_PORT=587 #- MAIL_USE_TLS=true #- MAIL_USERNAME=${MAIL_USERNAME} #- MAIL_PASSWORD=${MAIL_PASSWORD} #- MAIL_REPLY_TO=${MAIL_REPLY_TO} # # Uncomment this if you want the users to be able to register (and create their accounts) by themselves: #- ENABLE_SIGNUP=true # - TELEMETRY=${TELEMETRY} ports: - "${HTTP_PORT:-80}:80" # If you wish to enable HTTPS, you need to both enable port 443 and supply a valid certificate. See # doc/HOWTO-HTTPS.md for installation instructions. #- "443:443" restart: always volumes: - shared-secrets:/shared-secrets #- /etc/letsencrypt/acme-challenge:/var/www/acme-challenge #- /etc/letsencrypt/live/yourdomain.example.org/fullchain.pem:/etc/certs/cert.crt #- /etc/letsencrypt/live/yourdomain.example.org/privkey.pem:/etc/certs/cert.key networks: - grafolean mosquitto: image: grafolean/mosquitto container_name: mosquitto restart: always networks: - grafolean # ICMP Ping bot (optional) pingbot: image: grafolean/grafolean-ping-bot container_name: grafolean-ping-bot environment: - BACKEND_URL=http://grafolean/api - BOT_TOKEN_FROM_FILE=/shared-secrets/tokens/ping-bot.token - JOBS_REFRESH_INTERVAL=60 restart: always volumes: # to automatically authenticate systemwide ping bot, we need to pass it a secret: - shared-secrets:/shared-secrets networks: - grafolean # SNMP bot (optional) snmpbot: image: grafolean/grafolean-snmp-bot container_name: grafolean-snmp-bot depends_on: db: condition: service_healthy environment: - BACKEND_URL=http://grafolean/api - BOT_TOKEN_FROM_FILE=/shared-secrets/tokens/snmp-bot.token - JOBS_REFRESH_INTERVAL=60 - DB_HOST=db - DB_DATABASE=${DB_NAME:-grafolean} - DB_USERNAME=${DB_USER:-admin} - DB_PASSWORD=${DB_PASS:-admin} restart: always volumes: - shared-secrets:/shared-secrets networks: - grafolean # NetFlow bot is composed of 3 services: netflowbot, netflowcollector and netflowwriter. # If you wish to disable it, remove all three services below. netflowbot: image: grafolean/grafolean-netflow-bot container_name: grafolean-netflow-bot depends_on: db: condition: service_healthy environment: - BACKEND_URL=http://grafolean/api - BOT_TOKEN_FROM_FILE=/shared-secrets/tokens/netflow-bot.token - JOBS_REFRESH_INTERVAL=${JOBS_REFRESH_INTERVAL:-60} - DB_HOST=db - DB_DATABASE=${DB_NAME:-grafolean} - DB_USERNAME=${DB_USER:-admin} - DB_PASSWORD=${DB_PASS:-admin} restart: always volumes: - shared-secrets:/shared-secrets networks: - grafolean netflowcollector: # This process collects NetFlow data and writes it to a shared named pipe. The # reason is that there is a Docker bug which causes UDP packets to change the source # IP if processed within the Docker network. To avoid that, we have a collector # listening on host network interface, then transferring the data to a "writer" # process within the network, which writes it to a DB. image: grafolean/grafolean-netflow-bot container_name: grafolean-netflow-collector depends_on: db: condition: service_healthy environment: - NAMED_PIPE_FILENAME=/shared-grafolean/netflow.pipe # listen on UDP port: (2055 by default) - NETFLOW_PORT=2055 restart: always # NetFlow collector uses the same docker image as bot (grafolean/grafolean-netflow-bot), # but specifies a different entrypoint: entrypoint: - python - -m - netflowcollector volumes: - shared-grafolean:/shared-grafolean # this is the only NetFlow process that listens on the host network interface: network_mode: "host" netflowwriter: # Reads netflow data from named pipe and writes it to DB. image: grafolean/grafolean-netflow-bot container_name: grafolean-netflow-writer depends_on: db: condition: service_healthy environment: - NAMED_PIPE_FILENAME=/shared-grafolean/netflow.pipe - DB_HOST=db - DB_DATABASE=${DB_NAME:-grafolean} - DB_USERNAME=${DB_USER:-admin} - DB_PASSWORD=${DB_PASS:-admin} restart: always # NetFlow collector uses the same docker image as bot (grafolean/grafolean-netflow-bot), # but specifies a different entrypoint: entrypoint: - python - -m - netflowwriter volumes: - shared-grafolean:/shared-grafolean # To use py-spy: # - $ docker exec -ti grafolean-netflow-writer bash # - # pip install py-spy # - # py-spy record -n -o /tmp/prof/out.svg --pid 1 # But first, these 3 lines below must be enabled, to add a volume and capabilities: (be careful with indentation!) # - /tmp/prof/:/tmp/prof/ #cap_add: # - SYS_PTRACE networks: - grafolean # End of NetFlow bot services. autoheal: # This container automatically restarts any container that fails its health check: image: willfarrell/autoheal container_name: grafolean-autoheal environment: - AUTOHEAL_CONTAINER_LABEL=all volumes: - /var/run/docker.sock:/var/run/docker.sock restart: always networks: - grafolean networks: grafolean: volumes: shared-secrets: shared-grafolean: