infra: add remaining observability config files

- infra/nginx/fieldtrack.conf: updated reverse proxy config
- infra/prometheus/alerts.yml: Prometheus alerting rules
- infra/promtail/promtail.yml: Promtail log scrape config for Loki
- infra/tempo/tempo.yml: Grafana Tempo config (OTLP HTTP+gRPC receivers)

Author: rajashish147

infra/nginx/fieldtrack.conf

@@ -1,81 +1,90 @@
-# FieldTrack 2.0 — Nginx Reverse Proxy Configuration
-#
+# ============================================================================
+# FieldTrack 2.0 — Nginx Reverse Proxy
 # Domain: fieldtrack.meowsician.tech
-#
-# SETUP:
-#   1. Symlink to /etc/nginx/sites-enabled/fieldtrack
-#   2. Run: sudo certbot --nginx -d fieldtrack.meowsician.tech
-#   3. Test: sudo nginx -t && sudo systemctl reload nginx
-#
-# DEPLOYMENT:
-#   The deploy-bluegreen.sh script swaps the upstream server definition
-#   between 127.0.0.1:3001 and 127.0.0.1:3002 using sed.
-#   Only ONE line needs to change — the "server" directive in the upstream block.
-#
-# PUBLIC ROUTES:
-#   /            → root status JSON
-#   /health      → backend health check
-#   /api/*       → backend API (prefix stripped)
-#   /monitor     → Grafana dashboard
-#
-# BLOCKED (403):
-#   /metrics, /internal/, /prometheus, /node-exporter
-
-# ── Backend upstream ──────────────────────────────────────────────────────────
-# Single source of truth for the active backend container.
-# deploy-bluegreen.sh changes ONLY this line during deployment.
+# ============================================================================
+
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Backend upstream (blue/green deployment target)
+# deploy-bluegreen.sh switches this port between 3001 and 3002
+# ─────────────────────────────────────────────────────────────────────────────
 upstream fieldtrack_backend {
     server 127.0.0.1:3001;
+    keepalive 32;
 }
 
-# ── Rate limiting zones ────────────────────────────────────────────────────────
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Rate limiting
+# ─────────────────────────────────────────────────────────────────────────────
 limit_req_zone $binary_remote_addr zone=fieldtrack_api:10m rate=30r/s;
 limit_req_zone $binary_remote_addr zone=fieldtrack_health:10m rate=5r/s;
 
-# ── HTTP → HTTPS redirect ─────────────────────────────────────────────────────
+
+# ─────────────────────────────────────────────────────────────────────────────
+# HTTP → HTTPS redirect
+# ─────────────────────────────────────────────────────────────────────────────
 server {
+
     listen 80;
     listen [::]:80;
+
     server_name fieldtrack.meowsician.tech;
 
-    # Allow ACME challenge for Certbot renewals
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
-        allow all;
     }
 
     location / {
         return 301 https://$host$request_uri;
     }
 }
 
-# ── HTTPS server ───────────────────────────────────────────────────────────────
+
+# ─────────────────────────────────────────────────────────────────────────────
+# HTTPS server
+# ─────────────────────────────────────────────────────────────────────────────
 server {
+
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
+
     server_name fieldtrack.meowsician.tech;
 
-    # ── SSL (Certbot will manage these after first run) ────────────────────────
-    # ssl_certificate     /etc/letsencrypt/live/fieldtrack.meowsician.tech/fullchain.pem;
-    # ssl_certificate_key /etc/letsencrypt/live/fieldtrack.meowsician.tech/privkey.pem;
-    # include             /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
-
-    # ── Security headers ───────────────────────────────────────────────────────
-    add_header X-Frame-Options        "SAMEORIGIN"       always;
-    add_header X-Content-Type-Options "nosniff"           always;
-    add_header X-XSS-Protection       "1; mode=block"     always;
-    add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
+
+    # ── SSL (managed by Certbot) ─────────────────────────────────────────────
+    ssl_certificate     /etc/letsencrypt/live/fieldtrack.meowsician.tech/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/fieldtrack.meowsician.tech/privkey.pem;
+    include             /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
+
+
+    # ── Real client IP ───────────────────────────────────────────────────────
+    real_ip_header X-Forwarded-For;
+    set_real_ip_from 127.0.0.1;
+    real_ip_recursive on;
+
+
+    # ── Security headers ─────────────────────────────────────────────────────
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
-    # ── Logging ────────────────────────────────────────────────────────────────
+
+    # ── Logging ──────────────────────────────────────────────────────────────
     access_log /var/log/nginx/fieldtrack_access.log;
     error_log  /var/log/nginx/fieldtrack_error.log;
 
-    # ── Client limits ─────────────────────────────────────────────────────────
+
+    # ── Limits ───────────────────────────────────────────────────────────────
     client_max_body_size 10M;
 
-    # ── BLOCKED: Internal/monitoring endpoints (return 403) ─────────────────────
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # BLOCKED endpoints
+    # ─────────────────────────────────────────────────────────────────────────
     location /metrics {
         return 403;
     }
@@ -92,81 +101,90 @@ server {
         return 403;
     }
 
-    # ── Root — bare domain status ──────────────────────────────────────────────
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # Root status
+    # ─────────────────────────────────────────────────────────────────────────
     location = / {
         default_type application/json;
         return 200 '{"service":"FieldTrack 2.0","status":"online"}';
     }
 
-    # ── Health check (deployment verification + external monitors) ─────────────
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # Health endpoint
+    # ─────────────────────────────────────────────────────────────────────────
     location = /health {
+
         limit_req zone=fieldtrack_health burst=10 nodelay;
 
         proxy_pass http://fieldtrack_backend;
-        proxy_set_header Host              $host;
-        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    # ── API route (production backend — strips /api prefix) ────────────────────
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # API
+    # strips /api prefix
+    # ─────────────────────────────────────────────────────────────────────────
     location /api/ {
+
         limit_req zone=fieldtrack_api burst=50 nodelay;
 
-        # Strip /api prefix: /api/users → /users
         rewrite ^/api/(.*) /$1 break;
 
         proxy_pass http://fieldtrack_backend;
 
-        # Standard proxy headers
-        proxy_set_header Host              $host;
-        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Request-ID      $request_id;
+        proxy_set_header X-Request-ID $request_id;
 
-        # WebSocket support
         proxy_http_version 1.1;
-        proxy_set_header Upgrade    $http_upgrade;
+
+        proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # Timeouts
         proxy_connect_timeout 10s;
-        proxy_send_timeout    30s;
-        proxy_read_timeout    30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
 
-        # Buffering
         proxy_buffering on;
         proxy_buffer_size 4k;
         proxy_buffers 8 16k;
     }
 
-    # ── Grafana dashboard (/monitor) ───────────────────────────────────────────
-    # Grafana runs with GF_SERVER_SERVE_FROM_SUB_PATH=true and
-    # GF_SERVER_ROOT_URL=https://fieldtrack.meowsician.tech/monitor
-    # so it handles the /monitor subpath internally. We proxy everything
-    # under /monitor/ to Grafana's root — Grafana does the rest.
+
+    # ─────────────────────────────────────────────────────────────────────────
+    # Grafana dashboard
+    # ─────────────────────────────────────────────────────────────────────────
     location /monitor/ {
+
         proxy_pass http://127.0.0.1:3333/monitor/;
 
-        proxy_set_header Host              $host;
-        proxy_set_header X-Real-IP         $remote_addr;
-        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
 
-        # WebSocket support (Grafana live features)
         proxy_http_version 1.1;
-        proxy_set_header Upgrade    $http_upgrade;
+
+        proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # Longer timeouts for dashboard queries
         proxy_connect_timeout 10s;
-        proxy_send_timeout    60s;
-        proxy_read_timeout    60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
     }
 
-    # Redirect /monitor (no trailing slash) → /monitor/
+
     location = /monitor {
         return 301 $scheme://$host/monitor/;
     }
+
 }

infra/prometheus/alerts.yml

@@ -0,0 +1,48 @@
+groups:
+  - name: fieldtrack-backend-alerts
+    rules:
+
+      - alert: BackendDown
+        expr: sum(up{job=~"fieldtrack-backend.*"}) == 0
+        for: 1m
+        labels:
+          severity: critical
+        annotations:
+          summary: "Backend unavailable"
+          description: "All FieldTrack backend instances are down."
+
+      - alert: HighAPIErrorRate
+        expr: rate(http_requests_total{status_code=~"5.."}[5m]) > 0.05
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: "High API error rate"
+          description: "More than 5% of requests are failing."
+
+      - alert: HighAPILatency
+        expr: histogram_quantile(0.95, rate(http_request_duration_seconds_bucket[5m])) > 1
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: "High API latency"
+          description: "p95 latency above 1 second."
+
+      - alert: HighMemoryUsage
+        expr: node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes < 0.1
+        for: 2m
+        labels:
+          severity: warning
+        annotations:
+          summary: "High memory usage"
+          description: "System memory usage above 90%."
+
+      - alert: DiskAlmostFull
+        expr: (node_filesystem_size_bytes{mountpoint="/"} - node_filesystem_free_bytes{mountpoint="/"}) / node_filesystem_size_bytes{mountpoint="/"} > 0.9
+        for: 5m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Disk almost full"
+          description: "Root filesystem usage above 90%."

infra/promtail/promtail.yml

@@ -0,0 +1,19 @@
+server:
+  http_listen_port: 9080
+
+positions:
+  filename: /tmp/positions.yaml
+
+clients:
+  - url: http://loki:3100/loki/api/v1/push
+
+scrape_configs:
+
+  - job_name: docker-containers
+
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: docker
+          __path__: /var/lib/docker/containers/*/*.log

infra/tempo/tempo.yml

@@ -0,0 +1,15 @@
+server:
+  http_listen_port: 3200
+
+distributor:
+  receivers:
+    otlp:
+      protocols:
+        http:
+        grpc:
+
+storage:
+  trace:
+    backend: local
+    local:
+      path: /tmp/tempo/traces