Added Glances (#284)

* Added Glances

* corrected default image tag

* Update README.md

* change per discussion in PR#284

* update readme

* set default to makefile question as value of env var

* Update README.md

* corrected warning in readme

* Update README.md

---------

Co-authored-by: Ryan McGuire <[email protected]>
Co-authored-by: Ryan McGuire <[email protected]>

Author: mcmikemn

README.md

@@ -537,6 +537,7 @@ Install these other services at your leisure/preference:
 * [Ejabberd](ejabberd#readme) - an XMPP (Jabber) server
 * [Filestash](filestash#readme) - a web based file manager with customizable backend storage providers
 * [FreshRSS](freshrss#readme) - an RSS reader / proxy
+* [Glances](glances#readme) - a cross-platform system monitoring tool
 * [Grocy](grocy#readme) - a grocery & household management/chore solution
 * [Icecast](icecast#readme) - a SHOUTcast compatible streaming multimedia server
 * [Immich](immich#readme) - a photo gallery

glances/.env-dist

@@ -0,0 +1,59 @@
+# The docker image to use:
+GLANCES_IMAGE=nicolargo/glances:4.1.2.1
+
+# The domain name for the glances service:
+GLANCES_TRAEFIK_HOST=glances.example.com
+
+# The name of this instance. If there is only one instance, use 'default'.
+GLANCES_INSTANCE=
+
+# Filter access by IP address source range (CIDR):
+##Disallow all access: 0.0.0.0/32
+##Allow all access: 0.0.0.0/0
+GLANCES_IP_SOURCERANGE=0.0.0.0/0
+
+# HTTP Basic Authentication:
+# Use `make config` to fill this in properly, or set this to blank to disable.
+GLANCES_HTTP_AUTH=
+
+# OAUTH2
+# Set to `true` to use OpenID/OAuth2 authentication via the
+# traefik-forward-auth service in d.rymcg.tech.
+# Using OpenID/OAuth2 will require login to access your app,
+# but it will not affect what a successfully logged-in person can do in your
+# app. If your app has built-in authentication and can check the user
+# header that traefik-forward-auth sends, then your app can limit what the
+# logged-in person can do in the app. But if your app can't check the user
+# header, or if your app doesn't have built-in authentication at all, then
+# any person with an account on your Gitea server can log into your app and
+# have full access.
+GLANCES_OAUTH2=
+# In addition to Oauth2 authentication, you can configure basic authorization
+# by entering which authorization group can log into your app. You create
+# groups of email addresses in the `traefik` folder by running `make groups`. 
+GLANCES_OAUTH2_AUTHORIZED_GROUP=
+
+# Mutual TLS (mTLS):
+# Set true or false. If true, all clients must present a certificate signed by Step-CA:
+GLANCES_MTLS_AUTH=false
+# Enter a comma separated list of client domains allowed to connect via mTLS.
+# Wildcards are allowed and encouraged on a per-app basis:
+GLANCES_MTLS_AUTHORIZED_CERTS=*.clients.glances.example.com
+
+# Timezone (see: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
+GLANCES_TZ=America/New_York
+
+# Nvidia GPU support
+GLANCES_GPU=false
+
+# Set to "true" to allow Glances access to the host's Docker socket, which will
+# allow Glances to report on metrics for containers. Or set to "false" to
+# disallow access to the host's Docker socket. Be aware that allowing access to
+# the Docker socket is not safe because it effectively grants full control over
+# the Docker daemon, enabling a container or attacker to escalate privileges,
+# manipulate containers, and potentially compromise the host system.
+GLANCES_CONTAINER_METRICS=false
+
+# Glances server runtime options
+# See: https://glances.readthedocs.io/en/develop/cmds.html#command-line-options
+GLANCES_OPTIONS="-t 2"

glances/Makefile

@@ -0,0 +1,33 @@
+ROOT_DIR = ..
+include ${ROOT_DIR}/_scripts/Makefile.projects
+include ${ROOT_DIR}/_scripts/Makefile.instance
+
+.PHONY: config-hook
+config-hook:
+	@${BIN}/reconfigure_ask ${ENV_FILE} GLANCES_TRAEFIK_HOST "Enter the glances domain name" glances${INSTANCE_URL_SUFFIX}.${ROOT_DOMAIN}
+	@${BIN}/reconfigure ${ENV_FILE} GLANCES_INSTANCE=$${instance:-default}
+	@${BIN}/reconfigure_auth ${ENV_FILE} GLANCES
+	@echo
+	@${BIN}/confirm $$("$$(${BIN}/dotenv -f ${ENV_FILE} get GLANCES_GPU)" == "false" && echo 'yes' || echo 'no') "Do you want to enable Nvidia GPU support" "?" && ${BIN}/reconfigure ${ENV_FILE} GLANCES_GPU=true || ${BIN}/reconfigure ${ENV_FILE} GLANCES_GPU=false
+	@echo
+	@echo "Glances can report on container metrics if you allow it access to the host's Docker socket. Be aware that allowing access to the Docker socket is not safe because it effectively grants full control over the Docker daemon, enabling a container or attacker to escalate privileges, manipulate containers, and potentially compromise the host system."
+	@${BIN}/confirm $$("$$(${BIN}/dotenv -f ${ENV_FILE} get GLANCES_CONTAINER_METRICS)" == "false" && echo 'yes' || echo 'no') "Do you want to enable container metrics" "?" && ${BIN}/reconfigure ${ENV_FILE} GLANCES_CONTAINER_METRICS=true || ${BIN}/reconfigure ${ENV_FILE} GLANCES_CONTAINER_METRICS=false
+	@echo
+
+.PHONY: override-hook
+override-hook:
+#### This sets the override template variables for docker-compose.instance.yaml:
+#### The template dynamically renders to docker-compose.override_{DOCKER_CONTEXT}_{INSTANCE}.yaml
+#### These settings are used to automatically generate the service container labels, and traefik config, inside the template.
+#### The variable arguments have three forms: `=` `=:` `=@`
+####   name=VARIABLE_NAME    # sets the template 'name' field to the value of VARIABLE_NAME found in the .env file
+####                         # (this hardcodes the value into docker-compose.override.yaml)
+####   name=:VARIABLE_NAME   # sets the template 'name' field to the literal string 'VARIABLE_NAME'
+####                         # (this hardcodes the string into docker-compose.override.yaml)
+####   name=@VARIABLE_NAME   # sets the template 'name' field to the literal string '${VARIABLE_NAME}'
+####                         # (used for regular docker-compose expansion of env vars by name.)
+	@${BIN}/docker_compose_override ${ENV_FILE} project=:glances instance=@GLANCES_INSTANCE traefik_host=@GLANCES_TRAEFIK_HOST http_auth=GLANCES_HTTP_AUTH http_auth_var=@GLANCES_HTTP_AUTH ip_sourcerange=@GLANCES_IP_SOURCERANGE oauth2=GLANCES_OAUTH2 authorized_group=GLANCES_OAUTH2_AUTHORIZED_GROUP enable_mtls_auth=GLANCES_MTLS_AUTH mtls_authorized_certs=GLANCES_MTLS_AUTHORIZED_CERTS gpu_support=GLANCES_GPU container_metrics=GLANCES_CONTAINER_METRICS
+
+.PHONY: shell
+shell:
+	@make --no-print-directory docker-compose-shell SERVICE=glances

glances/README.md

@@ -0,0 +1,92 @@
+# glances
+
+[glances](https://github.com/nicolargo/glances) is an open-source system
+cross-platform monitoring tool. It allows real-time monitoring of various
+aspects of your system such as CPU, memory, disk, network usage etc. It also
+allows monitoring of running processes, logged in users, temperatures,
+voltages, fan speeds etc. It also supports container monitoring, it supports
+different container management systems such as Docker, LXC. The information
+is presented in an easy to read dashboard and can also be used for remote
+monitoring of systems via a web interface or command line interface. 
+
+## Warning
+
+This container uses the docker flag `network_mode: host`, which gives
+unlimited access to your host network. There is also configurable
+support for mounting the Docker socket, which provides full root
+access to your host. You should not install this unless you completely
+trust this service. To enforce the use of Traefik as your entrypoint,
+your external firewall should block TCP ports 61208 and 61209.
+
+## Config
+
+```
+make config
+```
+
+This will ask you to enter the domain name to use.
+It automatically saves your responses into the configuration file
+`.env_{INSTANCE}`.
+
+It will also ask you if you want Glances to be able to report on container
+metrics in addition to the metrics of the host you are installing it on.
+In order for Glances to report on container metrics, it requires access to
+the host's Docker socket. Be aware that allowing access to the Docker socket
+is not safe because it effectively grants full control over the Docker
+daemon, enabling a container or attacker to escalate privileges, manipulate
+containers, and potentially compromise the host system.
+
+### Authentication and Authorization
+
+Running `make config` will ask whether or not you want to configure
+authentication for your app (on top of any authentication your app provides).
+You can configure OpenID/OAuth2, mTLS, or HTTP Basic Authentication.
+
+OAuth2 uses traefik-forward-auth to delegate authentication to an external
+authority (eg. a self-deployed Gitea instance). Accessing this app will
+require all users to login through that external service first. Once
+authenticated, they may be authorized access only if their login id matches the
+member list of the predefined authorization group configured for the app
+(`GLANCES_OAUTH2_AUTHORIZED_GROUP`). Authorization groups are defined in the
+Traefik config (`TRAEFIK_HEADER_AUTHORIZATION_GROUPS`) and can be
+[created/modified](https://github.com/EnigmaCurry/d.rymcg.tech/blob/master/traefik/README.md#oauth2-authentication)
+by running `make groups` in the `traefik` directory.
+
+mTLS (Mutual TLS) is an extension of standard TLS where both the client and
+server authenticate each other using certificates. Accessing this app will
+require all users to have a client mTLS certificate installed in their browser,
+and this app must be configured to accept that certificate. You will be
+prompted to enter one or more CN (Common Name) in a comma-separated list (a CN
+is a field in a certificate that typically represents the domain name of the
+server or the person/organization to which the certificate is issued). Only
+certificates matching one of these CNs will be allowed access to the app, and
+users with a valid mTLS certificate will be ensured secure, two-way encrypted
+communication, providing enhanced security by verifying both parties'
+identities.
+
+For HTTP Basic Authentication, you will be prompted to enter username/password
+logins which are stored in that app's `.env_{INSTANCE}` file.
+
+## Install
+
+```
+make install
+```
+
+## Open
+
+```
+make open
+```
+
+This will automatically open the page in your web browser, and will
+prefill the HTTP Basic Authentication password if you enabled it
+(and chose to store it in `passwords.json`).
+
+## Destroy
+
+```
+make destroy
+```
+
+This completely removes the container and all its volumes.

glances/docker-compose.instance.yaml

@@ -0,0 +1,87 @@
+#! This is a ytt template file for docker-compose.override.yaml
+#! References:
+#!   https://carvel.dev/ytt
+#!   https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
+#!   https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
+
+#! ### Standard project vars:
+#@ load("@ytt:data", "data")
+#@ project = data.values.project
+#@ instance = data.values.instance
+#@ context = data.values.context
+#@ traefik_host = data.values.traefik_host
+#@ ip_sourcerange = data.values.ip_sourcerange
+#@ enable_http_auth = len(data.values.http_auth.strip()) > 0
+#@ http_auth = data.values.http_auth_var
+#@ enable_oauth2 = data.values.oauth2 == "true"
+#@ authorized_group = data.values.authorized_group
+#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
+#@ mtls_authorized_certs = data.values.mtls_authorized_certs
+#@ enabled_middlewares = []
+
+#! ### Project-specific vars:
+#@ gpu_support = data.values.gpu_support == "true"
+#@ container_metrics = data.values.container_metrics == "true"
+
+#@yaml/text-templated-strings
+services:
+  glances:
+    #@ service = "glances"
+
+    #@ if gpu_support:
+    deploy:
+      resources:
+        reservations:
+          devices:
+            - driver: nvidia
+              count: 1
+              capabilities: [gpu]
+    #@ end
+    
+    volumes:
+      #@ if container_metrics:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      #@ end
+      #! The following line causes Glances to display host's OS detail instead of container's
+      - /etc/os-release:/etc/os-release:ro
+
+    labels:
+      #! Services must opt-in to be proxied by Traefik:
+      - "traefik.enable=true"
+
+      #! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
+      #@ router = "{}-{}-{}".format(project,instance,service)
+
+      #! The host matching router rule:
+      - "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
+      - "traefik.http.routers.(@= router @).entrypoints=websecure"
+
+      #@ enabled_middlewares.append("{}-ipallowlist".format(router))
+      - "traefik.http.middlewares.(@= router @)-ipallowlist.ipallowlist.sourcerange=(@= ip_sourcerange @)"
+      #@ if enable_http_auth:
+      #@ enabled_middlewares.append("{}-basicauth".format(router))
+      - "traefik.http.middlewares.(@= router @)-basicauth.basicauth.users=(@= http_auth @)"
+      - "traefik.http.middlewares.(@= router @)-basicauth.basicauth.headerField=X-Forwarded-User"
+      #@ end
+
+      #@ if enable_oauth2:
+      #@ enabled_middlewares.append("traefik-forward-auth@docker")
+      #@ enabled_middlewares.append("header-authorization-group-{}@file".format(authorized_group))
+      #@ end
+
+      #@ if enable_mtls_auth:
+      - "traefik.http.routers.(@= router @).tls.options=step_ca_mTLS@file"
+        #@ if len(mtls_authorized_certs):
+      - "traefik.http.middlewares.mtlsauth-(@= router @).plugin.certauthz.domains=(@= mtls_authorized_certs @)"
+        #@ enabled_middlewares.append("mtlsauth-{}".format(router))
+        #@ end
+        #@ enabled_middlewares.append("mtls-header@file")
+      #@ end
+      
+      #! Override the default port that the app binds to:
+      #! You don't normally need to do this, as long as your image has
+      #! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
+      - "traefik.http.services.(@= router @).loadbalancer.server.port=61208"
+
+      #! Apply all middlewares (do this at the end!)
+      - "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"

glances/docker-compose.yaml

@@ -0,0 +1,15 @@
+services:
+  glances:
+    image: ${GLANCES_IMAGE}
+    restart: unless-stopped
+    pid: host
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    network_mode: "host"
+    environment:
+      - TZ=${GLANCES_TZ}
+      - "GLANCES_OPT=-w ${GLANCES_OPTIONS}"
+    labels: []
+    volumes: []