[refactor(infra)] Restructure Grafana dashboards and harden production compose

Makefile

@@ -187,10 +187,12 @@ tf: ## use this to spawn a loaded shell
 		export TF_VAR_GRAFANA_DATASOURCE_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/grafana_datasource.yml\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\r') && \
 		aws s3 cp infra/common/grafana/provisioning/dashboards/default.yml \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/grafana_provider.yml\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" && \
 		export TF_VAR_GRAFANA_PROVIDER_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/grafana_provider.yml\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\r') && \
-		aws s3 cp infra/common/grafana/provisioning/dashboards/ytdlp-health.json \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/ytdlp-health.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" && \
-		export TF_VAR_YTDLP_DASHBOARD_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/ytdlp-health.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\\r') && \
-		aws s3 cp infra/common/grafana/provisioning/dashboards/captcha-security.json \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/captcha-security.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" && \
-		export TF_VAR_CAPTCHA_SECURITY_DASHBOARD_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/captcha-security.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\\r') && \
+		aws s3 cp infra/common/grafana/provisioning/dashboards/api-health.json \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/api-health.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" && \
+		export TF_VAR_API_HEALTH_DASHBOARD_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/api-health.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\\r') && \
+		aws s3 cp infra/common/grafana/provisioning/dashboards/security-overview.json \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/security-overview.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" && \
+		export TF_VAR_SECURITY_OVERVIEW_DASHBOARD_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/security-overview.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\\r') && \
+		aws s3 cp infra/common/grafana/provisioning/dashboards/domain-services.json \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/domain-services.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" && \
+		export TF_VAR_DOMAIN_SERVICES_DASHBOARD_URL=\$$(aws s3 presign \"s3://\$$AWS_S3_BUCKET_NAME/terraform/data/domain-services.json\" --endpoint-url \"\$$AWS_ENDPOINT_URL_S3\" --expires-in 3600 | tr -d '\\r') && \
 		export MSYS_NO_PATHCONV=1 && \
 		cd $(TF_STACK_DIR) && \
 		unset PROMPT_COMMAND && \

docker-compose.yml

@@ -1,4 +1,6 @@
-# Integrated WARP Proxy.
+
+# Production docker-compose file: refer to infra/common/cloud-init.template
+
 name: nadzu
 services:
   warp:
@@ -18,7 +20,7 @@ services:
     depends_on:
       - warp
     volumes:
-      - "${MOUNT_PATH}:/home/app/downloads"
+      - "./production/downloads:/home/app/downloads"
     env_file:
       - .env
     environment:
@@ -34,10 +36,10 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - /opt/app/Caddyfile:/etc/caddy/Caddyfile:ro
-      - /opt/app/certs:/etc/caddy/certs:ro
-      - /opt/app/browse.html:/etc/caddy/browse.html:ro
-      - "${MOUNT_PATH}:/home/app/downloads:ro"
+      - Caddyfile:/etc/caddy/Caddyfile:ro
+      - ./infra/common/certs:/etc/caddy/certs:ro
+      - ./infra/common/browse.html:/etc/caddy/browse.html:ro
+      - "./production/downloads:/home/app/downloads:ro"
     depends_on:
       - app
 
@@ -62,4 +64,4 @@ services:
       - <grafana-provisioning-folder>:/etc/grafana/provisioning
     depends_on:
       - prometheus
-
+

infra/common/cloud-init.template

@@ -248,8 +248,9 @@ write_files:
       fetch_url "${PROMETHEUS_CONFIG_URL}" /opt/app/prometheus/prometheus.yml
       fetch_url "${GRAFANA_DATASOURCE_URL}" /opt/app/grafana/provisioning/datasources/prometheus.yml
       fetch_url "${GRAFANA_PROVIDER_URL}" /opt/app/grafana/provisioning/dashboards/default.yml
-      fetch_url "${YTDLP_DASHBOARD_URL}" /opt/app/grafana/provisioning/dashboards/ytdlp-health.json
-      fetch_url "${CAPTCHA_SECURITY_DASHBOARD_URL}" /opt/app/grafana/provisioning/dashboards/captcha-security.json
+      fetch_url "${API_HEALTH_DASHBOARD_URL}" /opt/app/grafana/provisioning/dashboards/api-health.json
+      fetch_url "${SECURITY_OVERVIEW_DASHBOARD_URL}" /opt/app/grafana/provisioning/dashboards/security-overview.json
+      fetch_url "${DOMAIN_SERVICES_DASHBOARD_URL}" /opt/app/grafana/provisioning/dashboards/domain-services.json
 
       # APP_PORT: Dynamic
       sed -i "s/app:[0-9]*/app:${APP_PORT}/g" /opt/app/prometheus/prometheus.yml

infra/common/grafana/provisioning/dashboards/api-health.json

@@ -0,0 +1,88 @@
+{
+  "title": "API & System Health",
+  "uid": "api-health",
+  "timezone": "browser",
+  "refresh": "5s",
+  "panels": [
+    {
+      "title": "Global Traffic (RPS)",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 0 },
+      "datasource": "Prometheus",
+      "targets": [
+        {
+          "expr": "sum by (status) (rate(http_requests_total[1m]))",
+          "legendFormat": "{{status}}"
+        }
+      ],
+      "options": {
+        "tooltip": { "mode": "multi" }
+      },
+      "fieldConfig": {
+        "defaults": {
+          "custom": { "stacking": { "mode": "normal", "group": "A" } }
+        }
+      }
+    },
+    {
+      "title": "Latency Percentiles",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 0 },
+      "datasource": "Prometheus",
+      "targets": [
+        {
+          "expr": "histogram_quantile(0.99, sum by (le) (rate(http_request_duration_seconds_bucket[5m])))",
+          "legendFormat": "P99"
+        },
+        {
+          "expr": "histogram_quantile(0.95, sum by (le) (rate(http_request_duration_seconds_bucket[5m])))",
+          "legendFormat": "P95"
+        },
+        {
+          "expr": "histogram_quantile(0.50, sum by (le) (rate(http_request_duration_seconds_bucket[5m])))",
+          "legendFormat": "P50"
+        }
+      ]
+    },
+    {
+      "title": "Traffic by Route",
+      "type": "piechart",
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 },
+      "datasource": "Prometheus",
+      "targets": [
+        {
+          "expr": "sum by (path) (increase(http_requests_total[1h]))",
+          "legendFormat": "{{path}}"
+        }
+      ],
+      "options": {
+        "pieType": "donut"
+      }
+    },
+    {
+      "title": "Error Rate (%)",
+      "type": "stat",
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 },
+      "datasource": "Prometheus",
+      "targets": [
+        {
+          "expr": "sum(rate(http_requests_total{status=~\"5..\"}[5m])) / sum(rate(http_requests_total[5m])) * 100",
+          "legendFormat": "5xx Error Rate"
+        }
+      ],
+      "fieldConfig": {
+        "defaults": {
+          "unit": "percent",
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              { "color": "green", "value": null },
+              { "color": "orange", "value": 1 },
+              { "color": "red", "value": 5 }
+            ]
+          }
+        }
+      }
+    }
+  ]
+}