From 66579fa8616ad59e17623ca4838df8d5a12461ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= Date: Sat, 8 Nov 2025 18:28:47 +0100 Subject: [PATCH] feat: add Netdata monitoring stack MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added Netdata real-time monitoring system at netdata.pivoine.art: - Real-time infrastructure and container monitoring - Auto-discovers all Docker containers - Tracks CPU, memory, disk, network usage per service - Low overhead monitoring (~1-3% CPU) - Self-hosted with web dashboard on port 19999 Configuration: - Created netdata/compose.yaml with full Traefik integration - Added to main compose.yaml include list - Added environment variables to arty.yml - Mounted Docker socket for container metrics - Mounted system directories for host metrics (/proc, /sys, /var/log) - Three persistent volumes: config, lib, cache - Required capabilities: SYS_PTRACE, SYS_ADMIN for system monitoring - Watchtower enabled for automatic updates Benefits for infrastructure: - Monitor 20+ running services in real-time - Track PostgreSQL, Redis, Traefik performance - Watch backup processes (Backrest/Restic) - Monitor Jellyfin transcoding load - Alert on resource issues before they become critical - Historical data for capacity planning 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- arty.yml | 6 +++++ compose.yaml | 1 + netdata/compose.yaml | 60 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 67 insertions(+) create mode 100644 netdata/compose.yaml
diff --git a/arty.yml b/arty.yml
index 9e6b711..4df3a03 100644
--- a/arty.yml
+++ b/arty.yml
@@ -135,6 +135,12 @@ envs:
 DROP_TRAEFIK_ENABLED: true
 DROP_COMPOSE_PROJECT_NAME: drop
 DROP_TRAEFIK_HOST: drop.pivoine.art
+ # Netdata
+ NETDATA_TRAEFIK_ENABLED: true
+ NETDATA_COMPOSE_PROJECT_NAME: netdata
+ NETDATA_IMAGE: netdata/netdata:latest
+ NETDATA_TRAEFIK_HOST: netdata.pivoine.art
+ NETDATA_HOSTNAME: netdata.pivoine.art
 # Proxy
 PROXY_COMPOSE_PROJECT_NAME: proxy
 PROXY_DOCKER_IMAGE: traefik:latest
diff --git a/compose.yaml b/compose.yaml
index dfdfb9b..2d5f0a3 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -14,6 +14,7 @@ include:
 - jelly/compose.yaml
 - drop/compose.yaml
 - restic/compose.yaml
+ - netdata/compose.yaml
 - umami/compose.yaml
 - sablier/compose.yaml
 - proxy/compose.yaml
diff --git a/netdata/compose.yaml b/netdata/compose.yaml
new file mode 100644
index 0000000..d068fca
--- /dev/null
+++ b/netdata/compose.yaml
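Review bot: `NETDATA_IMAGE: netdata/netdata:latest` in the added Netdata block of arty.yml points at a mutable tag, and the commit message says Watchtower is enabled for this service, so whatever is published under `latest` is pulled and started without review. The container that netdata/compose.yaml defines in this same commit is given `SYS_ADMIN`, `SYS_PTRACE`, an unconfined AppArmor profile and the Docker socket, which turns an unexpected image update into a host-level risk rather than a service-level one. I would pin the release and digest, for example `NETDATA_IMAGE: netdata/netdata:<version>@sha256:<digest>` (placeholders), and bump it deliberately. The neighbouring context line `PROXY_DOCKER_IMAGE: traefik:latest` suggests floating tags are the repository's convention, and the `envs:` mapping starts outside the hunk.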
@@ -0,0 +1,60 @@
+services:
+ netdata:
+ image: ${NETDATA_IMAGE:-netdata/netdata:latest}
+ container_name: ${NETDATA_COMPOSE_PROJECT_NAME}_app
+ restart: unless-stopped
+ hostname: ${NETDATA_HOSTNAME:-netdata.pivoine.art}
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - netdata_config:/etc/netdata
+ - netdata_lib:/var/lib/netdata
+ - netdata_cache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ - NETDATA_CLAIM_TOKEN=${NETDATA_CLAIM_TOKEN:-}
+ - NETDATA_CLAIM_URL=${NETDATA_CLAIM_URL:-}
+ - NETDATA_CLAIM_ROOMS=${NETDATA_CLAIM_ROOMS:-}
+ networks:
+ - compose_network
+ labels:
+ - 'traefik.enable=${NETDATA_TRAEFIK_ENABLED}'
+ # HTTP to HTTPS redirect
+ - 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-redirect-web-secure'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.rule=Host(`${NETDATA_TRAEFIK_HOST}`)'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
+ # HTTPS router
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${NETDATA_TRAEFIK_HOST}`)'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
+ - 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-compress.compress=true'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
+ # Service
+ - 'traefik.http.services.${NETDATA_COMPOSE_PROJECT_NAME}.loadbalancer.server.port=19999'
+ - 'traefik.docker.network=${NETWORK_NAME}'
+ # Watchtower
+ - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
+volumes:
+ netdata_config:
+ name: ${NETDATA_COMPOSE_PROJECT_NAME}_config
+ netdata_lib:
+ name: ${NETDATA_COMPOSE_PROJECT_NAME}_lib
+ netdata_cache:
+ name: ${NETDATA_COMPOSE_PROJECT_NAME}_cache
+
+networks:
+ compose_network:
+ name: ${NETWORK_NAME}
+ external: true
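Review bot: The `-web-secure` router publishes port 19999 on `${NETDATA_TRAEFIK_HOST}` with only `${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file` in its middleware chain, so unless `security-headers@file` or something outside this file enforces authentication, the dashboard is readable by anyone who can reach that host name. That matters more than usual here because the container sees host `/proc`, `/var/log` and `/etc/passwd`, and `/var/run/docker.sock:/var/run/docker.sock:ro` only makes the socket file's mount read-only while the Docker API behind it still accepts write calls. I would add an authentication middleware to the chain, for example `- 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file,<auth-middleware>@file'` (placeholder name), and reach Docker through a socket proxy restricted to read-only container endpoints instead of mounting the socket directly. A short comment above `cap_add` stating why `SYS_ADMIN` and `apparmor:unconfined` are needed would let a later reviewer judge whether they can be dropped.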