From c1406a32f1a749bf27d436d553b0e9d8ee084d05 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Fri, 15 May 2026 02:25:34 +0200
Subject: [PATCH] devops(observability): fix C4 diagram, security comment, and add Loki compactor block
Co-Authored-By: Claude Sonnet 4.6
---
 docker-compose.observability.yml | 5 +----
 docs/architecture/c4/l2-containers.puml | 4 +++-
 infra/observability/loki/loki-config.yml | 8 ++++++++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/docker-compose.observability.yml b/docker-compose.observability.yml
index 9e186dec..82025222 100644
--- a/docker-compose.observability.yml
+++ b/docker-compose.observability.yml
@@ -100,10 +100,7 @@ services:
 volumes:
 - ./infra/observability/promtail/promtail-config.yml:/etc/promtail/promtail-config.yml:ro
 - /var/lib/docker/containers:/var/lib/docker/containers:ro
- # /var/run/docker.sock gives Promtail container-name discovery. Trade-off: any
- # process that can write to this socket can control the Docker daemon (container
- # escape). Acceptable on a single-operator archive; review if multi-user access
- # to the host is ever introduced.
+ # :ro restricts file-system access but NOT Docker API permissions — a compromised Promtail has full daemon access. Accepted risk on single-operator self-hosted archive.
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - promtail_positions:/tmp # persists positions.yaml across restarts — avoids duplicate log ingestion
 command: -config.file=/etc/promtail/promtail-config.yml
diff --git a/docs/architecture/c4/l2-containers.puml b/docs/architecture/c4/l2-containers.puml
index f27eda69..56968766 100644
--- a/docs/architecture/c4/l2-containers.puml
+++ b/docs/architecture/c4/l2-containers.puml
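Review bot: The rewritten comment on the docker.sock mount is right that `:ro` does not constrain the Docker API, but it drops the trigger for revisiting the decision that the removed text carried and does not name the control that would actually narrow the exposure. Promtail's Docker service discovery and log tailing only need read-style container and events endpoints, as far as I can tell, so the cheap narrowing is a socket proxy that exposes just those to Promtail instead of the raw socket; recording that in the comment keeps the accepted risk from becoming permanent by default. I would also wrap it like the neighbouring comments instead of one long line, e.g. `# :ro limits file-system access only, NOT the Docker API — a compromised Promtail still has full daemon access (equivalent to host control).` followed by `# Accepted on a single-operator self-hosted archive; narrow via a read-only Docker socket proxy if host access is ever shared.` The promtail service definition starts before this hunk.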
@@ -19,7 +19,8 @@ System_Boundary(archiv, "Familienarchiv (Docker Compose)") {
 System_Boundary(observability, "Observability Stack (docker-compose.observability.yml / archiv-net)") {
 Container(prometheus, "Prometheus", "prom/prometheus", "Scrapes metrics from backend management port 8081 (/actuator/prometheus). Retention and alert rules TBD — see issue #581.")
- Container(loki, "Loki", "grafana/loki", "Log aggregation. Receives structured logs from the stack. Wiring TBD — see issue #581.")
+ Container(loki, "Loki", "grafana/loki:3.4.2", "Stores log streams from all containers.")
+ Container(promtail, "Promtail", "grafana/promtail:3.4.2", "Ships Docker container logs to Loki via Docker SD")
 Container(grafana, "Grafana", "grafana/grafana", "Dashboards and alerting UI. Data sources: Prometheus + Loki. Wiring TBD — see issue #581.")
 }
@@ -34,5 +35,6 @@ Rel(backend, ocr, "OCR job requests with presigned MinIO URL", "HTTP / REST / JS
 Rel(backend, mail, "Sends notification and password-reset emails (optional)", "SMTP")
 Rel(ocr, storage, "Fetches PDF via presigned URL", "HTTP / S3 presigned")
 Rel(mc, storage, "Bootstraps bucket + service account on startup", "MinIO Client CLI")
+Rel(promtail, loki, "Pushes log streams", "HTTP/Loki push API")
 @enduml
diff --git a/infra/observability/loki/loki-config.yml b/infra/observability/loki/loki-config.yml
index 36abdd07..b5d84796 100644
--- a/infra/observability/loki/loki-config.yml
+++ b/infra/observability/loki/loki-config.yml
@@ -28,5 +28,13 @@ schema_config:
 limits_config:
 retention_period: 720h # 30 days — low-volume family archive; revisit if log volume grows
+compactor:
+ working_directory: /loki/compactor
+ compaction_interval: 10m
+ retention_enabled: true
+ retention_delete_delay: 2h
+ retention_delete_worker_count: 150
+ delete_request_store: filesystem
+
 analytics:
 reporting_enabled: false # no telemetry sent to Grafana Labs
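Review bot: The new compactor block is what makes the existing `retention_period: 720h` in limits_config take effect — without `retention_enabled: true` Loki never deletes old chunks — and that dependency is not written down anywhere in the file, so I would add above `compactor:` the comment `# Required for retention: limits_config.retention_period is only enforced when the compactor runs with retention_enabled`. `delete_request_store: filesystem` together with `working_directory: /loki/compactor` keeps delete-request and retention-marker state on local disk, so `/loki/compactor` needs to live on the Loki service's persisted volume; the compose definition for Loki is outside this patch, so please confirm rather than rely on the container filesystem surviving restarts. `compaction_interval: 10m`, `retention_delete_delay: 2h` and `retention_delete_worker_count: 150` appear to match Loki's defaults and could either be dropped or annotated as deliberate, so a reader does not assume they were tuned. The schema_config and storage sections this block depends on are outside the hunk.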