From 2d271c9c65f2a73a1f4a005f15d3f847756bc52f Mon Sep 17 00:00:00 2001 From: Dominik Rys Date: Fri, 4 Dec 2020 15:36:46 +0000 Subject: [PATCH] Tidy repo and add LE email to .env --- .env | 5 +++++ README.md | 19 ++++++++++--------- docker-compose.yml | 8 +++----- 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/.env b/.env index 5e588fd..972efe4 100755 --- a/.env +++ b/.env @@ -1,16 +1,21 @@ COMPOSE_PROJECT_NAME=monitoring +# Grafana GRAFANA_DOCKER_CONTAINER_NAME=grafana GRAFANA_ADMIN_USER=admin GRAFANA_ADMIN_PASSWORD=grafana-admin +# InfluxDB INFLUXDB_DOCKER_CONTAINER_NAME=influxdb INFLUXDB_PORT=8086 INFLUXDB_ADMIN_USER=admin INFLUXDB_ADMIN_PASSWORD=influxdb-admin +# Traefik MONITORING_DOMAIN=monitoring.docker.localhost # Local deployment #MONITORING_DOMAIN=yourwebsite.com CA_SERVER=https://acme-staging-v02.api.letsencrypt.org/directory # Staging #CA_SERVER=https://acme-v02.api.letsencrypt.org/directory # Production + +LETS_ENCRYPT_EMAIL=YOUR-EMAIL@website.com \ No newline at end of file diff --git a/README.md b/README.md index 7699b5e..8f2b991 100644 --- a/README.md +++ b/README.md 
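Review bot: The new `LETS_ENCRYPT_EMAIL` line goes into a `.env` that is tracked in git and already carries the default credentials `GRAFANA_ADMIN_PASSWORD=grafana-admin` and `INFLUXDB_ADMIN_PASSWORD=influxdb-admin`, so an operator who follows the README and fills in real values is one `git add` away from committing secrets and a contact address. I would rename this tracked file to `.env.example`, add `.env` to `.gitignore`, and mark the defaults, e.g. `# Placeholder defaults for local testing only -- change before any non-local deployment`. The file is also checked in with mode `100755`, which an env file has no use for, and the hunk ends with `\ No newline at end of file`; dropping the executable bit and adding the final newline keeps later appends from producing noisy diffs.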
@@ -26,11 +26,13 @@ Deploy the application: sudo docker-compose up -d ``` -You can then access Grafana at [monitoring.docker.localhost](http://monitoring.docker.localhost). InfluxDB will be listening on port `8086`. +- You can then access Grafana at [monitoring.docker.localhost](http://monitoring.docker.localhost). InfluxDB will be listening on port `8086`. + +- Grafana is accessible from the HTTP and HTTPS ports (`80` and `443` respectively), with redirection from HTTP to HTTPS using Traefik [routers](https://doc.traefik.io/traefik/routing/routers/). > Note that when accessing Grafana or InfluxDB that have been deployed locally, your browser and other apps will complain about invalid or self-signed TLS certificates. This is expected as localhost domains don't end with a valid top-level domain, and therefore Traefik won't attempt to request a certificate for them. -Stop a running application: +Stop a running deployment: ```bash sudo docker-compose down @@ -38,9 +40,7 @@ sudo docker-compose down ## General info -- Most settings that can be tweaked are provided in `.env`. - - - Make sure to set a secure password for Grafana and InfluxDB! This can also be managed with [Docker secrets](https://docs.docker.com/engine/swarm/secrets/). +- Most settings that should be tweaked are provided in `.env`. - After the initial deployment, the containers are set to restart automatically if they stop e.g. on a machine reboot. They can be stopped completely using `docker-compose down`. 
@@ -48,15 +48,16 @@ sudo docker-compose down - InfluxDB will run shell scripts in `docker-entrypoint-initdb.d` on startup. -- Traefik has been set up to redirect HTTP to HTTPS using [routers](https://doc.traefik.io/traefik/routing/routers/). - -- If testing locally and an application which you want to send data to InfluxDB can't be set to ignore TLS certificates, change the `traefik.http.routers.influxdb-ssl.tls` label to `false` for the InfluxDB container inside `docker-compose.yml`. +- If you're testing locally, and an application which you want to use to send data to InfluxDB can't be set to ignore TLS certificates, change the `traefik.http.routers.influxdb-ssl.tls` label to `false` for the InfluxDB container inside `docker-compose.yml`. ## Deploying in production +- Make sure to set a secure password for Grafana and InfluxDB! + - For extra security, passwords can be managed with e.g. [Docker secrets](https://docs.docker.com/engine/swarm/secrets/) or [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html). + - Change the `MONITORING_DOMAIN` environment variable in `.env` to the domain where the application will be hosted. -- Set the `certificatesResolvers.lets-encrypt-ssl.acme.email` label in `docker-compose.yml` to a valid email that you wish to receive emails about [certificates issues to](https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer). +- Set the `LETS_ENCRYPT_EMAIL` environment variable in `.env` to a valid email that you wish to receive emails about [certificates issues to](https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer). - Uncomment the appropriate `CA_SERVER` environment variable in `.env` to use [Let's Encrypt's](https://letsencrypt.org/) production API. diff --git a/docker-compose.yml b/docker-compose.yml index 8e1587c..062a32e 100755 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -24,7 +24,6 @@ services: env_file: - ./.env environment: - # InfluxDB settings: https://docs.influxdata.com/influxdb/v1.8/administration/config/ INFLUXDB_META_DIR: /var/lib/influxdb/meta INFLUXDB_DATA_DIR: /var/lib/influxdb/data @@ -64,13 +63,12 @@ services: env_file: - ./.env environment: - # Grafana settings: https://grafana.com/docs/grafana/latest/administration/configuration/ GF_PATHS_DATA: /var/lib/grafana GF_PATHS_PLUGINS: /var/lib/grafana/plugins GF_PATHS_PROVISIONING: /etc/grafana/provisioning GF_SERVER_HTTP_PORT: 3000 - GF_SERVER_DOMAIN: ${MONITORING_DOMAIN} + GF_SERVER_MONITORING_DOMAIN: ${MONITORING_DOMAIN} GF_SERVER_ROOT_URL: https://${MONITORING_DOMAIN} GF_SECURITY_ADMIN_USER: ${GRAFANA_ADMIN_USER} @@ -93,7 +91,6 @@ services: - "traefik.http.middlewares.grafana-redirect.redirectScheme.scheme=https" - "traefik.http.middlewares.grafana-redirect.redirectScheme.permanent=true" - # SSL endpoint - "traefik.http.routers.grafana-ssl.entryPoints=port443" - "traefik.http.routers.grafana-ssl.rule=host(`$MONITORING_DOMAIN`)" - "traefik.http.routers.grafana-ssl.tls=true" @@ -131,7 +128,8 @@ services: - "--certificatesResolvers.lets-encrypt-ssl.acme.tlsChallenge=true" - "--certificatesResolvers.lets-encrypt-ssl.acme.storage=/letsencrypt/acme.json" - "--certificatesresolvers.lets-encrypt-ssl.acme.caServer=${CA_SERVER}" - # Let's Encrypt may use this email to contact you about expiring certificates and issues related to your account. More info: https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer + # Let's Encrypt may use this email to contact you about expiring certificates and issues related to your account. + # More info: https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer - "--certificatesResolvers.lets-encrypt-ssl.acme.email=YOUR-EMAIL@website.com" networks:
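Review bot: The rename to `GF_SERVER_MONITORING_DOMAIN` in the Grafana `environment` block looks like a regression rather than a tidy-up: Grafana maps environment overrides as `GF_<SECTION>_<KEY>`, so `GF_SERVER_DOMAIN` set `[server] domain`, whereas `GF_SERVER_MONITORING_DOMAIN` matches no documented key and is silently ignored, leaving `domain` at its default. `GF_SERVER_ROOT_URL` is still set explicitly, so the visible impact may be limited, but anything Grafana derives from `[server] domain` (a `%(domain)s` placeholder in `root_url`, for instance) would quietly fall back to `localhost`. I would restore `GF_SERVER_DOMAIN: ${MONITORING_DOMAIN}`. The `environment` mapping continues past the end of the hunk.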
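Review bot: The ACME resolver still hard-codes `--certificatesResolvers.lets-encrypt-ssl.acme.email=YOUR-EMAIL@website.com`, while this same commit adds `LETS_ENCRYPT_EMAIL` to `.env` and tells README readers to set it there, so the new variable is never consumed and a production deployment would register the Let's Encrypt account with the placeholder (or fail registration if the CA rejects it), with expiry and revocation notices addressed to a domain the operator does not control. Change the flag to `- "--certificatesResolvers.lets-encrypt-ssl.acme.email=${LETS_ENCRYPT_EMAIL}"`; Compose already interpolates `${CA_SERVER}` from `.env` two lines up, so no other wiring is needed. The `caServer` flag also mixes `certificatesresolvers` casing with the `certificatesResolvers` of its neighbours; Traefik accepts either as far as I know, but matching the casing keeps the block greppable. The `command` list starts above the hunk.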