Merge pull request #6837 from Grotax/prometheus-nextcloud-exporter

add Prometheus Node Exporter as community container

community-containers/caddy/caddy.json

@@ -23,7 +23,8 @@
             "environment": [
                 "TZ=%TIMEZONE%",
                 "NC_DOMAIN=%NC_DOMAIN%",
-                "APACHE_PORT=%APACHE_PORT%"
+                "APACHE_PORT=%APACHE_PORT%",
+                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD=%NEXTCLOUD_EXPORTER_CADDY_PASSWORD%"
             ],
             "volumes": [
                 {
@@ -37,6 +38,9 @@
                     "writeable": false
                 }
             ],
+            "secrets": [
+                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD"
+            ],
             "aio_variables": [
                 "apache_ip_binding=@INTERNAL",
                 "apache_port=11000"

community-containers/caddy/readme.md

@@ -1,5 +1,5 @@
 ## Caddy with geoblocking
-This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed.
+This container bundles caddy and auto-configures it for you. It also covers [vaultwarden](https://github.com/nextcloud/all-in-one/tree/main/community-containers/vaultwarden) by listening on `bw.$NC_DOMAIN`, if installed. It also covers [stalwart](https://github.com/nextcloud/all-in-one/tree/main/community-containers/stalwart) by listening on `mail.$NC_DOMAIN`, if installed. It also covers [jellyfin](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyfin) by listening on `media.$NC_DOMAIN`, if installed. It also covers [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap) by listening on `ldap.$NC_DOMAIN`, if installed. It also covers [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb) by listening on `tables.$NC_DOMAIN`, if installed. It also covers [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr) by listening on `requests.$NC_DOMAIN`, if installed. It also covers [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter) by listening on `metrics.$NC_DOMAIN`, if installed.
 
 ### Notes
 - This container is incompatible with the [npmplus](https://github.com/nextcloud/all-in-one/tree/main/community-containers/npmplus) community container. So make sure that you do not enable both at the same time!
@@ -10,6 +10,7 @@ This container bundles caddy and auto-configures it for you. It also covers [vau
 - If you want to use this with [lldap](https://github.com/nextcloud/all-in-one/tree/main/community-containers/lldap), make sure that you point `ldap.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for lldap.
 - If you want to use this with [nocodb](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nocodb), make sure that you point `tables.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nocodb.
 - If you want to use this with [jellyseerr](https://github.com/nextcloud/all-in-one/tree/main/community-containers/jellyseerr), make sure that you point `requests.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for jellyseerr.
+- If you want to use this with [nextcloud-exporter](https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter), make sure that you point `metrics.your-nc-domain.com` to your server using a cname record so that caddy can get a certificate automatically for nextcloud-exporter.
 - After the container was started the first time, you should see a new `nextcloud-aio-caddy` folder and inside there an `allowed-countries.txt` file when you open the files app with the default `admin` user. In there you can adjust the allowed country codes for caddy by adding them to the first line, e.g. `IT FR` would allow access from italy and france. Private ip-ranges are always allowed. Additionally, in order to activate this config, you need to get an account at https://dev.maxmind.com/geoip/geolite2-free-geolocation-data and download the `GeoLite2-Country.mmdb` and upload it with this exact name into the `nextcloud-aio-caddy` folder. Afterwards restart all containers from the AIO interface and your new config should be active!
 - You can add your own Caddy configurations in `/data/caddy-imports/` inside the Caddy container (`sudo docker exec -it nextcloud-aio-caddy bash`). These will be imported on container startup. **Please note:** If you do not have CLI access to the server, you can now run docker commands via a web session by using this community container: https://github.com/nextcloud/all-in-one/tree/main/community-containers/container-management
 - See https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers how to add it to the AIO stack

community-containers/nextcloud-exporter/nextcloud-exporter.json

@@ -0,0 +1,35 @@
+{
+    "aio_services_v1": [
+        {
+            "container_name": "nextcloud-aio-nextcloud-exporter",
+            "display_name": "Prometheus Nextcloud Exporter",
+            "documentation": "https://github.com/nextcloud/all-in-one/tree/main/community-containers/nextcloud-exporter",
+            "image": "ghcr.io/xperimental/nextcloud-exporter",
+            "image_tag": "0.8.0",
+            "internal_port": "9205",
+            "restart": "unless-stopped",
+            "ports": [
+                {
+                  "ip_binding": "127.0.0.1",
+                  "port_number": "9205",
+                  "protocol": "tcp"
+                }
+            ],
+            "environment": [
+                "TZ=%TIMEZONE%",
+                "NEXTCLOUD_SERVER=https://%NC_DOMAIN%",
+                "NEXTCLOUD_AUTH_TOKEN=%NEXTCLOUD_EXPORTER_TOKEN%",
+                "NEXTCLOUD_LISTEN_ADDRESS=0.0.0.0:9205",
+                "NEXTCLOUD_TIMEOUT=5s"
+            ],
+            "ui_secret": "NEXTCLOUD_EXPORTER_CADDY_PASSWORD",
+            "secrets": [
+                "NEXTCLOUD_EXPORTER_TOKEN",
+                "NEXTCLOUD_EXPORTER_CADDY_PASSWORD"
+            ],
+            "nextcloud_exec_commands": [
+                "php /var/www/html/occ config:app:set serverinfo token --value %NEXTCLOUD_EXPORTER_TOKEN%"
+            ]
+        }
+    ]
+}

community-containers/nextcloud-exporter/readme.md

@@ -0,0 +1,72 @@
+## Prometheus Nextcloud Exporter
+
+A Prometheus exporter that collects metrics from your Nextcloud instance for monitoring and alerting.
+
+### How to install
+
+See the [Community Containers documentation](https://github.com/nextcloud/all-in-one/tree/main/community-containers#community-containers) for instructions on how to install this in your Nextcloud All-in-One setup.
+
+### Security & Access
+
+**Important:** This container is configured to bind only to `127.0.0.1` (localhost) for security reasons. Prometheus exporters typically don't include authentication, so direct network exposure is not recommended.
+
+#### Access Options
+
+1. **With Caddy Container (Recommended)**: If you also install the [Caddy community container](https://github.com/nextcloud/all-in-one/tree/main/community-containers/caddy), it will automatically configure secure HTTPS access to your metrics with authentication at `metrics.your-domain.com`
+
+   **Getting Authentication Credentials**: 
+   - **Username**: Always `metrics`
+   - **Password**: After deploying the nextcloud-exporter container, the automatically generated password will be displayed in the AIO interface. Look for it in the container section below the container name "Prometheus Nextcloud Exporter". 
+
+2. **Custom Reverse Proxy**: Set up your own reverse proxy (nginx, Apache, etc.) to provide HTTPS and authentication. See configuration guides:
+   - [NGINX Authentication](https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html) + [Reverse Proxy](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
+   - [Apache Authentication](https://httpd.apache.org/docs/2.4/howto/auth.html) + [Reverse Proxy](https://httpd.apache.org/docs/2.4/mod/mod_proxy.html)
+   - [Traefik BasicAuth](https://doc.traefik.io/traefik/middlewares/http/basicauth/)
+   - [Prometheus Security Best Practices](https://prometheus.io/docs/operating/security/)
+
+3. **Direct Local Access**: Access metrics directly from the server at `http://127.0.0.1:9205/metrics` (no authentication)
+
+### What it monitors
+- User activity (active users hourly, daily)
+- File counts and storage usage
+- System health and database size
+- App statistics and update availability
+- Nextcloud performance metrics
+
+### Prometheus Configuration
+
+For **local server access** (if Prometheus runs on the same server):
+```yaml
+scrape_configs:
+  - job_name: 'nextcloud'
+    scrape_interval: 90s
+    static_configs:
+      - targets: ['127.0.0.1:9205']
+    metrics_path: /metrics
+    scheme: http
+```
+
+For **Caddy integration** (secure external access):
+```yaml
+scrape_configs:
+  - job_name: 'nextcloud'
+    scrape_interval: 90s
+    static_configs:
+      - targets: ['metrics.your-domain.com']
+    metrics_path: /
+    scheme: https
+    basic_auth:
+      username: 'metrics'
+      password: 'your-generated-password'
+```
+
+### Visualization
+
+Compatible with Grafana for creating monitoring dashboards:
+- Pre-built dashboard available: [Grafana Dashboard #20716](https://grafana.com/grafana/dashboards/20716-nextcloud/)
+
+### Repository
+https://github.com/xperimental/nextcloud-exporter
+
+### Maintainer
+https://github.com/grotax

php/containers-schema.json

@@ -81,7 +81,7 @@
 							"properties": {
 								"ip_binding": {
 									"type": "string",
-									"pattern": "^(%[A-Z_]+%)?$"
+									"pattern": "^((%[A-Z_]+%)|127\\.0\\.0\\.1)?$"
 								},
 								"port_number": {
 									"type": "string",