doc: monitoring-ng sets its own token

feat: support scrape discovery
Merge pull request 'monitoring' (#15 ) from monitoring into main
2026-06-16 22:50:16 -03:00 · 2026-06-16 20:03:56 -03:00 · 2026-05-21 18:12:45 +00:00 · 2026-05-21 18:12:08 +00:00 · 2026-05-15 23:39:29 +00:00 · 2026-05-15 20:32:10 +00:00
5 changed files with 81 additions and 2 deletions
--- a/.env.sample
+++ b/.env.sample
@ -6,6 +6,11 @@ LETS_ENCRYPT_ENV=production
 COMPOSE_FILE="compose.yml"

 SECRET_RPC_SECRET_VERSION=v1 # length=64 charset=hex
+SECRET_ADMIN_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex
+SECRET_METRICS_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
+#MONITORING_ENABLED=true

 # Changing the replication factor after initial deployment is not 
 # supported and requires deleting the existing cluster layout metadata.
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# garage
+# Garage

 > An open-source distributed object storage service tailored for selfhosting at a small-to-medium scale.

@ -10,7 +10,7 @@
 * **Healthcheck**: No
 * **Backups**: No
 * **Email**: N/A
-* **Tests**: No
+* **Tests**: Yes
 * **SSO**: N/A

 <!-- endmetadata -->
@ -52,7 +52,43 @@ You can optionally add this alias to your `.bashrc` (or similar) file to avoid h
 ### Garage Quick Start Guide
 Once `garage status` works, you can follow the guide here: https://garagehq.deuxfleurs.fr/documentation/quick-start/#checking-that-garage-runs-correctly

+## Monitoring

+### Enabling
+
+By default monitoring is disabled and must be enabled in your config.
+
+To enable, set `MONITORING` to `true` and uncomment the line `#COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"`.
+
+> If you've deployed garage before ver `0.0.2+v2.3.0` then you will need to add the following lines to your config:
+> ```
+> MONITORING_DOMAIN=monitoring.garage.example.com
+> SECRET_ADMIN_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex
+> SECRET_METRICS_TOKEN_SECRET_VERSION=v1 # length=64 charset=hex
+> 
+> #COMPOSE_FILE="$COMPOSE_FILE:compose.monitoring.yml"
+> MONITORING="true"
+> ```
+
+If you're using the
+[monitoring-ng](https://recipes.coopcloud.tech/monitoring-ng) recipe,
+insert the `metrics_token` with the value of `basic_auth`:
+
+```sh
+abra app secret insert garage.example.coop v1 metrics_token BASIC_AUTH
+```
+
+### Deploying
+
+Now, undeploy the service, generate the new secrets, and finally re-deploy:
+```
+abra app undeploy <app-domain>
+abra app secret generate --all <app-domain>
+abra app deploy <app-domain>
+```
+### Utilizing metrics
+
+Within your chosen monitoring software (ie. Telegraf, Prometheus, etc.), you'll need to make sure it interprets the correct scheme (https), and point it at <app-domain>/metrics as the monitoring endpoint. The secret you copied earlier called metrics_token will be used to authenticate the request.

 ## Backups

--- a/compose.monitoring.yml
+++ b/compose.monitoring.yml
@ -0,0 +1,29 @@
+---
+version: "3.8"
+
+services:
+  app:
+    secrets:
+      - source: metrics_token
+        mode: 0600
+      - source: admin_token
+        mode: 0600
+    deploy:
+      labels:
+        - "traefik.http.routers.${STACK_NAME}-metrics.rule=Host(`${DOMAIN}`) && Path(`/metrics`)"
+        - "traefik.http.routers.${STACK_NAME}-metrics.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}-metrics.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}-metrics.service=${STACK_NAME}-metrics"
+        - "traefik.http.services.${STACK_NAME}-metrics.loadbalancer.server.port=3903"
+        - "prometheus.io/scrape=true"
+        - "prometheus.io/port=3903"
+        - "prometheus.io/path=/metrics"
+        - "prometheus.io/auth=bearer"
+
+secrets:
+  admin_token:
+    name: ${STACK_NAME}_admin_token_${SECRET_ADMIN_TOKEN_SECRET_VERSION}
+    external: true
+  metrics_token:
+    name: ${STACK_NAME}_metrics_token_${SECRET_METRICS_TOKEN_SECRET_VERSION}
+    external: true
--- a/compose.yml
+++ b/compose.yml
@ -23,6 +23,7 @@ services:
        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.service=${STACK_NAME}"
        - "traefik.tcp.routers.${STACK_NAME}-rpc.rule=HostSNI(`*`)"
        - "traefik.tcp.routers.${STACK_NAME}-rpc.entrypoints=garage-rpc"
        - "traefik.tcp.services.${STACK_NAME}-rpc.loadbalancer.server.port=3901"
--- a/garage.toml.tmpl
+++ b/garage.toml.tmpl
@ -27,3 +27,11 @@ bootstrap_peers = [
 s3_region = "garage"
 api_bind_addr = "[::]:3900"
 root_domain = ".s3.garage"
+
+{{ if eq (env "MONITORING_ENABLED") "true" }}
+[admin]
+api_bind_addr = "[::]:3903"
+admin_token_file = "/run/secrets/admin_token"
+metrics_require_token = true
+metrics_token_file = "/run/secrets/metrics_token"
+{{ end }}
Author	SHA1	Message	Date
f	7cd5a6f5dc	doc: monitoring-ng sets its own token Some checks failed continuous-integration/drone/pr Build is failing Details	2026-06-16 22:50:16 -03:00
f	c3334ab580	feat: support scrape discovery Some checks failed continuous-integration/drone/pr Build is failing Details	2026-06-16 20:03:56 -03:00
Brooke	796ee6c2d4	Merge pull request 'monitoring' (#15 ) from monitoring into main Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #15	2026-05-21 18:12:45 +00:00
Brooke	b484236fea	Merge branch 'main' into monitoring Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-21 18:12:08 +00:00
Brooke	680e3850c5	Update README.md Some checks failed continuous-integration/drone/push Build is failing Details	2026-05-15 23:39:29 +00:00
Brooke	dfb679b1c0	Merge branch 'main' into monitoring Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-15 20:32:10 +00:00
Brooke	6e94e67109	Merge pull request 'Healthcheck & CI' (#17 ) from healthcheck into main Some checks failed continuous-integration/drone/push Build is failing Details Reviewed-on: #17	2026-05-15 20:29:49 +00:00
Brooke	37dbb6caa8	update readme for clarity Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-15 16:11:39 -04:00
Brooke	04463dffe8	scrap monitoring domain as it was too much of a headache to configure, use /metrics endpoint which seems fairly standard(?)	2026-05-15 16:09:13 -04:00
Brooke	97e96ed1d3	move monitoring_enabled to .env file	2026-05-15 15:09:28 -04:00
Brooke	88d46b767e	set unique stack name Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-08 20:54:02 -04:00
Brooke	baa4167a89	no idea if this actually works, pushing so that I can test later Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-08 16:58:37 -04:00
Brooke	3741560b13	move secrets to compose.monitoring.yml Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-08 16:54:30 -04:00
Brooke	46ba380e45	use compose_file env instead of a conditional in the .env file. Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-08 16:10:15 -04:00
Brooke	ff778eab62	update readme with basic configuration Some checks failed continuous-integration/drone/pr Build is failing Details	2026-05-08 15:59:40 -04:00
Brooke	aeb6675be4	setup conditional for garage.toml, set require metrics token to true	2026-05-08 15:59:27 -04:00
Brooke	7d1b4ddc77	add monitoring conditional and secrets to .env	2026-05-08 15:59:09 -04:00
Brooke	7e8571306a	add secrets	2026-05-08 15:58:33 -04:00