Add 3 metrics services behind Docker Compose profiles (off by default).
Enable with ENABLE_METRICS=true on bootstrap or COMPOSE_PROFILES=metrics
in .env. Includes Prometheus config, Grafana datasource, and a 12-panel
Resource Metrics dashboard. Configs are written unconditionally so
enabling later doesn't require re-bootstrap.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1.**Bootstrap the server** — Run `sudo bash infrastructure/bootstrap-server.sh` on a fresh Debian machine. This creates the directory layout above, installs Docker, creates the `deploy` user, generates platform credentials, starts the 7 platform services, copies infrastructure scripts, and installs cron jobs.
55
+
1.**Bootstrap the server** — Run `sudo bash infrastructure/bootstrap-server.sh` on a fresh Debian machine. This creates the directory layout above, installs Docker, creates the `deploy` user, generates platform credentials, starts the 7 core platform services (plus 3 optional metrics services if enabled), copies infrastructure scripts, and installs cron jobs.
54
56
55
57
2.**Configure DNS** — Point app domains and `*.preview.<domain>` to the server IP.
56
58
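Review bot: The new parenthetical "(plus 3 optional metrics services if enabled)" in step 1 does not say what enables them, and this is the step where an operator would actually set the switch; consider naming it inline, e.g. `sudo ENABLE_METRICS=true bash infrastructure/bootstrap-server.sh` (the form used in the commit message and in the Resource Metrics section added further down), or point the reader to that section from here.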
@@ -115,7 +117,7 @@ The bootstrap script applies several security measures automatically. Self-hoste
115
117
116
118
**Credential isolation** — The platform `.env` file is mode 600 (readable only by its owner). Per-app credentials are generated by `create-app-credentials.sh` and stored in separate files under `/opt/platform/credentials/`, each also mode 600.
117
119
118
-
**Container resource limits** — Every platform service and every app container has explicit CPU and memory limits in its Docker Compose file. This prevents any single container from exhausting server resources.
120
+
**Container resource limits** — Every platform service and every app container has explicit CPU and memory limits in its Docker Compose file. This prevents any single container from exhausting server resources. The 7 core services use ~2.66G / 3.25 CPU. The 3 optional metrics services add 448M / 1.00 CPU when enabled.
119
121
120
122
**Mandatory Access Control (AppArmor)** — Debian 12 ships with AppArmor enabled by default. Docker automatically applies the `docker-default` AppArmor profile to all containers, which restricts capabilities like writing to `/proc` and `/sys`, mounting filesystems, and accessing raw sockets. No configuration is needed — this works out of the box.
121
123
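Review bot: The hard-coded totals added to the "Container resource limits" line (~2.66G / 3.25 CPU for the core services, 448M / 1.00 CPU for metrics) will go stale the first time a limit in a compose file changes, and nothing in the text ties them to the per-service table; either say which compose files they are summed from so a reviewer can re-check them, or replace the exact figures with a pointer to the service table in the Resource Metrics section. Since this block is the README's security-measures section, it would also help to state whether the three metrics services run under the same `docker-default` AppArmor profile described two lines below and which host paths they mount, because host-level and per-container metrics generally need more host access than the platform containers do.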
@@ -194,3 +196,26 @@ fi
194
196
```
195
197
196
198
If no credentials file exists, the workflow falls back to whatever is already in `deploy/.env` and logs a warning.
199
+
200
+
## Resource Metrics (Optional)
201
+
202
+
Three additional services provide real-time resource visibility in Grafana. They are **off by default** and use Docker Compose profiles to control startup.
203
+
204
+
| Service | Image | Memory Limit | CPU Limit | Purpose |
**To enable** — add `COMPOSE_PROFILES=metrics` to `/opt/platform/.env`, then run `docker compose up -d` in `/opt/platform/`. Or bootstrap with `sudo ENABLE_METRICS=true bash bootstrap-server.sh`.
211
+
212
+
**To disable** — remove the `COMPOSE_PROFILES=metrics` line from `.env`, then stop the metrics services with `docker compose --profile metrics down`.
213
+
214
+
The Prometheus config (`/opt/platform/prometheus.yml`), Grafana datasource, and dashboard JSON are always created during bootstrap — they are harmless without running services and avoid needing to re-bootstrap to enable metrics later. Only the service startup is conditional.
215
+
216
+
The "Resource Metrics" dashboard in Grafana includes:
217
+
218
+
-**Host overview**: CPU %, memory %, disk %, uptime (stat panels)
219
+
-**Host time series**: CPU, memory, disk I/O, network I/O over time
220
+
-**Container overview**: table of all containers with CPU, memory, network
221
+
-**Per-container detail**: filterable CPU and memory time series per container
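Review bot: The "To disable" step is risky as written: `docker compose --profile metrics down` acts on every service that is active under that profile, and services without a `profiles:` key are always active, so this command also stops and removes the 7 core platform services, not only the 3 metrics ones. Suggest stopping just the metrics services by name, e.g. `docker compose --profile metrics stop <metrics-service-names>` (or `rm -sf` with the same names, which are not visible in this view), or state explicitly that a full `down` of the platform is intended. Separately, the service table at the top of this section shows only its header row here, so the image, limits and purpose of the three services cannot be checked against the 448M / 1.00 CPU total quoted in the security section above.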