docker-apps/prometheus/stacks/compose.yml

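---
# Stack-level definitions for the Prometheus monitoring stack.
# Nesting restored: with every key at column 0 the file is not a valid
# Compose document (repeated top-level keys, empty mappings).
name: prometheus

secrets:
  # Read from a file on the host rather than inlined in this stack file.
  # Keep that file out of version control and readable only by the
  # account that runs Compose.
  prometheus_metrics_password:
    file: "${STACKSDIR}/secrets/prometheus_metrics_password"

networks:
  backend:
    name: prometheus-net
    driver: bridge
    ipam:
      config:
        - subnet: 10.255.223.0/27  # Range: 10.255.223.1 - 10.255.223.30
    driver_opts:
      com.docker.network.bridge.name: "br-prometheus"
    # internal: Docker gives this network no external connectivity, so the
    # exporters attached only to it cannot reach outside networks.
    internal: true
  # Defined outside this stack; it must already exist when the stack starts.
  traefik-net:
    external: true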
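# Services of the Prometheus stack: the server itself (published through
# Traefik) plus the exporters and Alertmanager it scrapes on the backend net.
services:
  prometheus:
    # NOTE(review): `latest` is a moving tag, so what runs here changes on
    # every pull. Pin a reviewed version or digest (the trailing comment
    # records v2.54.1) once compatibility with the stored data is confirmed.
    image: prom/prometheus:latest  # v2.54.1
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
    networks:
      - traefik-net
      - backend
    restart: unless-stopped
    # Runs as the given uid:gid, not as the image default user.
    user: "${PUID}:${PGID}"
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - "${DATADIR}/config:/etc/prometheus"
      - "${DATADIR}/appdata:/prometheus"
    secrets:
      - prometheus_metrics_password
    environment:
      # Passed through from the environment Compose runs in.
      # NOTE(review): the secret of the same name is already mounted under
      # /run/secrets/; environment values show up in `docker inspect`, so
      # prefer the file if the consumer can read it. Confirm which is used.
      - PROMETHEUS_METRICS_PASSWORD
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-net"
      #
      # http service
      # ------------
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
      #
      # http middlewares
      # ----------------
      # The users file path is resolved inside the Traefik container.
      - "traefik.http.middlewares.${APPLICATION_NAME}-auth.basicauth.usersfile=/mnt/users/${APPLICATION_NAME}.txt"
      #
      # http routers
      # ------------
      # http://appname.domainname/
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      # https://appname.domainname/
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      # One label, comma-separated list. Setting `.middlewares` on two
      # separate labels leaves a single value in effect, which can silently
      # drop the basic-auth middleware and serve the UI unauthenticated.
      # The rate-limit chain comes first so it also covers login attempts.
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file,${APPLICATION_NAME}-auth"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"
      # https://appname.domainname/-/healthy (for status check)
      # No auth middleware is attached to this router, so the health
      # endpoint answers without credentials.
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/-/healthy`)"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.tls.certresolver=solver-dns"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-status-rtr.service=${APPLICATION_NAME}-svc"

  node-exporter:
    image: prom/node-exporter:v1.8.2
    hostname: node-exporter
    networks:
      - backend
    # NOTE(review): no host address is given, so this asks Docker to publish
    # on every host interface, and the metrics endpoint has no
    # authentication. The service sits only on the internal backend network;
    # confirm whether the mapping is needed at all, and if so bind it to a
    # specific address as frigate-exporter does.
    ports:
      - "9100:9100"
    restart: unless-stopped

  alert-manager:
    image: prom/alertmanager:v0.27.0
    command: "--config.file=/config/alertmanager.yml"  # --log.level=debug
    volumes:
      - "${STACKSDIR}/alertmanager:/config"
      - "${DATADIR}/alertmgr:/data"
    networks:
      - backend
    # NOTE(review): published without a host address (all interfaces).
    # Confirm the mapping is required; restrict the bind address if it is.
    ports:
      - "9093:9093"
    restart: unless-stopped

  # To enable profiling of cadvisor
  # https://github.com/google/cadvisor/issues/2523
  # iwankgb
  # Add the argument -profiling to your cadvisor invocation and navigate to
  # IP:PORT/debug/pprof/profile?seconds=300. It will generate a profile for
  # 300 seconds of cAdvisor execution. After 300 seconds a file will be sent
  # to you - download it, then go to the directory where the file is saved
  # and execute: go tool pprof profile (profile is the default name of the
  # downloaded file). It will open the profiling console. Type web and hit
  # enter. After some time a browser should open on your system and you
  # should see the execution profile for your instance.
  # http://docker.sthome.org:8080/debug/pprof/profile?seconds=300 to get results
  # Keep profiling off outside a debugging session: the pprof endpoints are
  # served on the same port as the metrics.
  cadvisor:
    image: gcr.io/cadvisor/cadvisor:v0.49.1
    # command: -profiling  # setting for profiling cadvisor
    volumes:
      - /:/rootfs:ro
      # On a typical host this directory contains the Docker socket; a
      # read-only bind mount does not make the socket itself read-only.
      - /var/run:/var/run:ro
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
      - /dev/disk/:/dev/disk:ro
    # privileged plus the host mounts above make this container effectively
    # host-root; treat its image tag and its network exposure accordingly.
    privileged: true
    devices:
      - /dev/kmsg
    networks:
      - backend
      # - traefik-net  # setting for profiling cadvisor
    # NOTE(review): published without a host address (all interfaces) and
    # the cAdvisor UI/API has no authentication. Confirm the mapping is
    # required; restrict the bind address if it is.
    ports:
      - "8080:8080"
    restart: unless-stopped

  frigate-exporter:
    # NOTE(review): no tag is given, so this resolves to `latest`; pin a
    # reviewed tag or digest so the running image changes only on purpose.
    image: rhysbailey/prometheus-frigate-exporter
    hostname: frigate-exporter
    restart: unless-stopped
    networks:
      - traefik-net  # to reach frigate externally
      - backend
    ports:
      # Published on one address only; 10.255.223.1 is the first address of
      # the backend subnet (presumably the bridge gateway - confirm).
      - "10.255.223.1:9200:9200"  # restrict the port to backend network
    environment:
      - PORT=9200
      - FRIGATE_STATS_URL=http://10.0.0.51:5000/api/stats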