feat(deploy): Grafana infra alerts + blackbox cert probe + admin-alert wiring

Grafana: GF_SMTP from the shared relay (STARTTLS host:port) + alerting provisioning
(contact point → SERVICE_EMAIL, route-all policy, and rules for scrape-target down,
gateway internal-error rate + p99 latency, host mem/disk/cpu, postgres connections, and
TLS cert < 20 days). All rules noDataState=OK so an absent metric never false-alerts.
blackbox_exporter probes the edge caddy's TLS (probe_ssl_earliest_cert_expiry) — effective
on prod (caddy terminates TLS; contour caddy is HTTP-only so the metric is absent).
Wires the new env through compose (backend admin From/To, Grafana SMTP), ci.yaml (TEST_),
prod-deploy (PROD_ + env.sh), .env.example and the README var table.
This commit is contained in:
Ilia Denisov
2026-07-03 15:08:09 +02:00
parent 8d2cd97e17
commit 55f6176538
10 changed files with 346 additions and 1 deletions
+18
View File
@@ -23,3 +23,21 @@ scrape_configs:
- job_name: node
static_configs:
- targets: ["node_exporter:9100"]
# TLS certificate expiry of the edge caddy (probe_ssl_earliest_cert_expiry), for the
# certificate-renewal-failure alert. Effective on prod, where caddy terminates TLS on
# :443; on the test contour caddy is HTTP-only, so the probe finds nothing and the metric
# is absent (the alert rule is absent-safe). The exporter probes the target passed as a
# scrape parameter and answers on its own :9115.
- job_name: blackbox_tls
metrics_path: /probe
params:
module: [tls_cert]
static_configs:
- targets: ["caddy:443"]
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: blackbox_exporter:9115