diff --git a/.agent/skills/security_check/SKILL.md b/.agent/skills/security_check/SKILL.md
new file mode 100644
index 0000000..486f5d4
--- /dev/null
+++ b/.agent/skills/security_check/SKILL.md
@@ -0,0 +1,37 @@
+---
+name: Security Check
+description: Verify repository security and check for secrets using gitleaks
+---
+
+# Security Check Skill
+
+This skill provides instructions for ensuring the repository is secure and free of secrets.
+
+## Gitleaks Detection
+
+To verify that the repository contains no secrets, run the following command in the repository root:
+
+```bash
+gitleaks detect -v
+```
+
+### If leaks are found:
+
+1. **Identify the secret**: The output will show the file path, line number, and the secret string.
+2. **Scrub the secret**:
+ * If the file is tracked, replace the secret with a placeholder (e.g., `your-secret-key`) in the file.
+ * Commit the changes: `git commit -am "Scrub secrets"`
+3. **Historical Clean-up** (if necessary):
+ * If the secret exists in previous commits, you must rewrite history.
+ * Use `git filter-repo --invert-paths --path --force` to completely remove the file if possible.
+ * Or use thorough scrubbing techniques.
+ * **Force Push**: `git push --force` is required after rewriting history.
+
+### Verification
+
+Run `gitleaks detect -v` again to confirm no leaks remain.
+
+## Regular Maintenance
+
+* Run this check before every push or pull request.
+* Update `.gitignore` to exclude sensitivity files like `.env` (unless they are example files with placeholders).
diff --git a/README.md b/README.md
index e92e8fa..7ec5179 100644
--- a/README.md
+++ b/README.md
@@ -67,7 +67,7 @@ And gather the synergistic superpowers of all [**444+ PostgreSQL Extensions**](h
 [**Prepare**](https://pigsty.io/docs/deploy/prepare) a fresh `x86_64` / `aarch64` node runs any [**compatible**](https://pigsty.io/docs/ref/linux) **Linux** OS Distros, then [**Install**](https://pigsty.io/docs/setup/install#install) **Pigsty** with:
 
 ```bash
-curl -fsSL https://repo.pigsty.io/get | bash; cd ~/pigsty;
+curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh | bash
 ```
 
 Then [**configure**](https://pigsty.io/docs/concept/iac/configure) and run the [**`deploy.yml`**](https://pigsty.io/docs/setup/playbook) playbook with an [**admin user**](https://pigsty.io/docs/deploy/admin) (**nopass** `ssh` & `sudo`):
@@ -99,65 +99,22 @@ pig sty deploy # run the deploy.yml playbook -
Install with get script
+## 🚀 快速开始 + +### 一键安装 (默认) +默认安装最新稳定版 , 默认使用当前主机名作为域名 ```bash -[root@pg-meta ~]# curl -fsSL https://repo.pigsty.io/get | bash -s v4.0.0 -[v4.0.0] =========================================== -$ curl -fsSL https://repo.pigsty.io/get | bash -[Docs] https://pigsty.io/docs -[Demo] https://demo.pigsty.io -[Repo] https://github.com/pgsty/pigsty -[Download] =========================================== -[ OK ] version = v4.0.0 (from arg) -curl -fSL https://repo.pigsty.io/src/pigsty-v4.0.0.tgz -o /tmp/pigsty-v4.0.0.tgz -######################################################################## 100.0% -[ OK ] md5sums = 53cb5980f999f661fbb832d7ee2fc93a /tmp/pigsty-v4.0.0.tgz -[Install] =========================================== -[WARN] os user = root , it's recommended to use a non-root sudo-able admin -[ OK ] install = /root/pigsty, from /tmp/pigsty-v4.0.0.tgz - -[Bootstrap] =========================================== -[WARN] ansible = not found, bootstrap -bootstrap pigsty v4.0.0 begin -[ OK ] region = china -[ OK ] kernel = Linux -[ OK ] machine = x86_64 -[ OK ] package = rpm,dnf -[ OK ] vendor = rocky (Rocky Linux) -[ OK ] version = 10 (10.0) -[ OK ] sudo = root ok -[WARN] ssh = root@127.0.0.1 fixed -[WARN] old repos = moved to /etc/yum.repos.d/backup -[ OK ] repo file = add el10.x86_64 china upstream -[WARN] rpm cache = updating, may take a while -Pigsty PGSQL 10 - x86_64 364 kB/s | 251 kB 00:00 -EL 10 BaseOS 10 - x86_64 32 MB/s | 6.4 MB 00:00 -EL 10 AppStream 10 - x86_64 11 MB/s | 2.1 MB 00:00 -EL 10 CRB 10 - x86_64 1.8 MB/s | 492 kB 00:00 -EL 10 EPEL 10.0 - x86_64 27 MB/s | 4.8 MB 00:00 -Metadata cache created. -[ OK ] repo cache = created -[ OK ] install el10 utils -Last metadata expiration check: 0:00:02 ago on Wed 07 Jan 2026 05:58:22 PM CST. -..... 
- -Installed: - ansible-2.16.14-1.el10.noarch ansible-collection-ansible-posix-2.0.0-1.el10_0.noarch ansible-collection-community-crypto-2.15.0-1PIGSTY.el10.noarch ansible-collection-community-general-10.2.0-1.el10_0.noarch - ansible-core-1:2.16.14-1.el10.noarch git-core-2.47.3-1.el10.x86_64 python3-cffi-1.16.0-7.el10.x86_64 python3-cryptography-43.0.0-4.el10.x86_64 - python3-jmespath-1.0.1-8.el10.noarch python3-ply-3.11-25.el10.noarch python3-pycparser-2.20-16.el10.noarch python3-resolvelib-1.0.1-6.el10.noarch - -Complete! -[ OK ] ansible = ansible [core 2.16.14] -[ OK ] boostrap pigsty complete -proceed with ./configure +curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh | bash ``` -> HINT: To install a specific version, pass the version string as the first parameter: -> -> ```bash -> curl -fsSL https://repo.pigsty.io/get | bash -s v4.0.0 -> ``` +### 指定版本与域名 (安装建议) + +```bash +# bash -s -- <版本> <域名> +curl -fsSL https://raw.githubusercontent.com/cloud-neutral-toolkit/observability.svc.plus/main/scripts/install.sh \ + | bash -s -- observability.svc.plus +```
diff --git a/roles/infra/templates/alloy/config.alloy b/roles/infra/templates/alloy/config.alloy
new file mode 100644
index 0000000..4fc0ed7
--- /dev/null
+++ b/roles/infra/templates/alloy/config.alloy
@@ -0,0 +1,23 @@
+// Victoria套件配置 - 简化版本
+// 解决initial load错误
+
+// VictoriaMetrics配置
+prometheus.remote_write "victoriametrics" {
+ endpoint {
+ url = "http://10.146.0.6:8428/api/v1/write"
+ }
+}
+
+// VictoriaLogs配置
+loki.write "victorialogs" {
+ endpoint {
+ url = "http://10.146.0.6:9428/loki/api/v1/push"
+ headers = {"X-Scope-OrgID" = "default"}
+ }
+}
+
+// 指标收集
+prometheus.scrape "local" {
+ targets = [{"job" = "alloy", "instance" = "localhost"}]
+ forward_to = [prometheus.remote_write.victoriametrics.receiver]
+}
diff --git a/roles/infra/templates/caddy/Caddyfile b/roles/infra/templates/caddy/Caddyfile
new file mode 100644
index 0000000..ef3f14e
--- /dev/null
+++ b/roles/infra/templates/caddy/Caddyfile
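Review bot: Both `url` lines hardcode the collector address `10.146.0.6` over plain `http://` in a file that lives under `roles/infra/templates/`, so every host that renders this template ships its metrics and logs to one fixed internal IP with no transport protection and no credentials, and the address cannot be changed per environment. If this is rendered by Ansible, the host and scheme belong in role variables, e.g. `url = "http://{{ PLACEHOLDER_VM_HOST }}:8428/api/v1/write"` (placeholder name), with TLS and a `basic_auth` block on the endpoint once the backend is reachable from outside the host. The `prometheus.scrape "local"` target map carries only `job` and `instance` labels and no `__address__`, which as far as I can tell is the label the scraper dials, so this block may scrape nothing; a target such as `{"__address__" = "127.0.0.1:12345", "job" = "alloy"}` (constructed from the Alloy port the Caddyfile in this commit proxies to) would be the usual form. The header comments are in Chinese; an English one-liner such as `// Alloy pipeline: scrape local metrics, forward metrics/logs to VictoriaMetrics/VictoriaLogs` would help other maintainers.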
@@ -0,0 +1,141 @@
+{
+ # debug
+}
+
+infra.svc.plus {
+ encode gzip zstd
+
+ # ---- Alloy unified ingest endpoints ----
+
+ # Prometheus remote_write
+ handle_path /ingest/metrics/* {
+ # 可选:加 basic auth / IP 白名单
+ reverse_proxy 127.0.0.1:12345
+ }
+
+ # Loki push (expects /loki/api/v1/push)
+ handle_path /ingest/logs/* {
+ reverse_proxy 127.0.0.1:12346
+ }
+
+ # OTLP HTTP (POST /v1/traces, /v1/metrics, /v1/logs)
+ handle_path /ingest/otlp/* {
+ reverse_proxy 127.0.0.1:4318
+ }
+
+ # -------------------------
+ # Grafana: /ui/ 与 /ui/api/live/
+ # -------------------------
+ @ui path /ui/*
+ handle @ui {
+ reverse_proxy 127.0.0.1:3000 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up Origin {scheme}://{host}
+ }
+ }
+
+ @ui_live path /ui/api/live/*
+ handle @ui_live {
+ reverse_proxy 127.0.0.1:3000 {
+ header_up Host {host}
+ }
+ }
+
+ @ui_rewrite path_regexp ui_rewrite ^/ui/(vmetrics|vlogs|vtraces|vmalert|haproxy|alertmgr)(.*)$
+ redir @ui_rewrite /{re.ui_rewrite.1}{re.ui_rewrite.2} 301
+
+ # -------------------------
+ # Victoria* / alert / blackbox
+ # -------------------------
+ handle_path /vmetrics/* {
+ reverse_proxy 127.0.0.1:8428
+ }
+
+ handle_path /vlogs/* {
+ reverse_proxy 127.0.0.1:9428
+ }
+
+ handle_path /vtraces/* {
+ reverse_proxy 127.0.0.1:10428
+ }
+
+ handle_path /vmalert/* {
+ reverse_proxy 127.0.0.1:8880
+ }
+
+ handle_path /alertmgr/* {
+ reverse_proxy 127.0.0.1:9059
+ }
+
+ handle_path /blackbox/* {
+ reverse_proxy 127.0.0.1:9115
+ }
+
+ # -------------------------
+ # code-server: /code/
+ # -------------------------
+ handle_path /code/* {
+ reverse_proxy 127.0.0.1:8443 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up Accept-Encoding gzip
+
+ transport http {
+ read_timeout 86400s
+ write_timeout 86400s
+ dial_timeout 5s
+ }
+ }
+ }
+
+ # -------------------------
+ # jupyter lab: /jupyter/
+ # -------------------------
+ handle_path /jupyter/* {
+ reverse_proxy 127.0.0.1:8888 {
+ header_up 
Host {host}
+ header_up X-Real-IP {remote_host}
+
+ transport http {
+ read_timeout 86400s
+ write_timeout 86400s
+ dial_timeout 5s
+ }
+ }
+ }
+
+ # -------------------------
+ # HAProxy admin: /haproxy/pg-meta-1/
+ # -------------------------
+ handle_path /haproxy/pg-meta-1/* {
+ reverse_proxy 10.146.0.6:9101 {
+ transport http {
+ dial_timeout 1s
+ }
+ }
+ }
+
+ # -------------------------
+ # Liveness probe (/nginx)
+ # -------------------------
+ respond /nginx "ok\n" 200
+
+ # -------------------------
+ # Static site (/www) + directory listing
+ # -------------------------
+ root * /www
+ file_server browse
+
+ @zh path /zh
+ rewrite @zh /zh.html
+
+ @pev path /pev
+ rewrite @pev /pev.html
+
+ handle_errors {
+ @404 expression {http.error.status_code} == 404
+ rewrite @404 /404.html
+ file_server
+ }
+}
diff --git a/scripts/install.sh b/scripts/install.sh
new file mode 100644
index 0000000..74bb37a
--- /dev/null
+++ b/scripts/install.sh
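Review bot: The `/ingest/metrics/*`, `/ingest/logs/*` and `/ingest/otlp/*` handlers forward to Alloy with no authentication, and the inline comment `# 可选:加 basic auth / IP 白名单` explicitly leaves auth optional, so anyone who can reach `infra.svc.plus` can push arbitrary metrics, logs and traces into the backends. The same applies to the direct `/vmetrics/*`, `/vlogs/*`, `/vtraces/*`, `/vmalert/*`, `/alertmgr/*` and `/haproxy/pg-meta-1/*` upstreams, which expose query, rule and admin APIs that typically carry no authentication of their own. At minimum wrap the ingest and admin routes in a `basic_auth` block (hashed credentials injected by the Ansible role, not committed in the template) or a `remote_ip` matcher allowlist, and drop `browse` from `file_server` unless listing the whole of `/www` is intended. A short comment per section stating which routes are intentionally public (`/nginx`, `/www`) and which are operator-only would make the exposure decision reviewable.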
@@ -0,0 +1,67 @@
+#!/bin/bash
+#==============================================================#
+# File : install.sh
+# Mtime : 2026-02-01
+# Desc : Install observability.svc.plus
+# Usage : curl ... | bash -s
+#==============================================================#
+
+# Default parameters
+VERSION="${1:-main}"
+DOMAIN="${2:-$(hostname)}"
+REPO_URL="https://github.com/cloud-neutral-toolkit/observability.svc.plus.git"
+INSTALL_DIR="${HOME}/pigsty"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+echo -e "${BLUE}Installing observability.svc.plus...${NC}"
+echo -e "${BLUE}Version : ${VERSION}${NC}"
+echo -e "${BLUE}Domain : ${DOMAIN}${NC}"
+echo -e "${BLUE}Repo : ${REPO_URL}${NC}"
+echo -e "${BLUE}Dir : ${INSTALL_DIR}${NC}"
+
+# Check for git
+if ! command -v git &> /dev/null; then
+ echo -e "${RED}Error: git is not installed.${NC}"
+ echo "Please install git first (yum install git / apt install git)"
+ exit 1
+fi
+
+# Clone or Update
+if [ -d "${INSTALL_DIR}" ]; then
+ echo -e "${BLUE}Directory ${INSTALL_DIR} already exists.${NC}"
+ read -p "Overwrite? (y/N) " -n 1 -r
+ echo
+ if [[ $REPLY =~ ^[Yy]$ ]]; then
+ rm -rf "${INSTALL_DIR}"
+ git clone -b "${VERSION}" "${REPO_URL}" "${INSTALL_DIR}"
+ else
+ echo -e "${BLUE}Updating existing repo...${NC}"
+ cd "${INSTALL_DIR}"
+ git fetch origin
+ git checkout "${VERSION}" || echo -e "${RED}Version ${VERSION} not found${NC}"
+ git pull origin "${VERSION}"
+ fi
+else
+ git clone -b "${VERSION}" "${REPO_URL}" "${INSTALL_DIR}"
+fi
+
+cd "${INSTALL_DIR}"
+
+# Run Bootstrap
+if [ -f "./bootstrap" ]; then
+ echo -e "${BLUE}Running bootstrap...${NC}"
+ ./bootstrap
+else
+ echo -e "${RED}bootstrap script not found!${NC}"
+fi
+
+echo -e "${GREEN}Installation successful!${NC}"
+echo -e "Next steps:"
+echo -e " cd ${INSTALL_DIR}"
+echo -e " ./configure # Generate config"
+echo -e " ./deploy.yml # Install"
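Review bot: `read -p "Overwrite? (y/N) " -n 1 -r` in the clone-or-update branch reads from stdin, which under the documented `curl ... | bash -s` invocation is the script stream itself, so the prompt consumes the next character of the script rather than the operator's answer and the `rm -rf "${INSTALL_DIR}"` path is taken or skipped by accident; redirect the prompt with `< /dev/tty`. The script also sets no `set -euo pipefail`, so a failed `git clone` or `git checkout "${VERSION}" || echo ...` still reaches `cd "${INSTALL_DIR}"`, `./bootstrap` and the unconditional `Installation successful!` line, and `DOMAIN` is computed and printed but never used. The README in this commit calls the script as `bash -s -- observability.svc.plus`, which this script binds to `VERSION` (`$1`), not `DOMAIN` (`$2`), so `git clone -b observability.svc.plus` would fail; either the README example or the positional order needs to change. Rewritten clone/update and bootstrap section below.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: header, defaults, colors, banner, git check …

# Clone or Update
if [ -d "${INSTALL_DIR}" ]; then
  echo -e "${BLUE}Directory ${INSTALL_DIR} already exists.${NC}"
  # stdin is the script itself under `curl | bash`; ask the terminal instead
  read -r -n 1 -p "Overwrite? (y/N) " REPLY < /dev/tty
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    rm -rf -- "${INSTALL_DIR:?}"
    git clone -b "${VERSION}" -- "${REPO_URL}" "${INSTALL_DIR}"
  else
    echo -e "${BLUE}Updating existing repo...${NC}"
    cd "${INSTALL_DIR}"
    git fetch origin
    git checkout "${VERSION}"
    git pull origin "${VERSION}"
  fi
else
  git clone -b "${VERSION}" -- "${REPO_URL}" "${INSTALL_DIR}"
fi

cd "${INSTALL_DIR}"

# Run Bootstrap: a missing or failing bootstrap is an install failure
if [ -f "./bootstrap" ]; then
  echo -e "${BLUE}Running bootstrap...${NC}"
  ./bootstrap
else
  echo -e "${RED}bootstrap script not found!${NC}" >&2
  exit 1
fi
# … unchanged: success message and next steps …
```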