Dev 1 push

.githooks/pre-commit

@@ -0,0 +1,48 @@
+#!/bin/sh
+echo "Running Gitleaks pre-commit scan on staged changes (Server Settings)..."
+
+mkdir -p .gitleaks_out
+touch .gitleaks_out/gitleaks-precommit.json
+
+# Prefer local gitleaks if available, fallback to Docker
+if command -v gitleaks >/dev/null 2>&1; then
+  echo "⚡ Using local gitleaks binary"
+  SCAN_CMD="gitleaks detect \
+    --pipe \
+    --config=gitleaks.toml \
+    --report-format=json \
+    --report-path=.gitleaks_out/gitleaks-precommit.json \
+    --no-banner"
+else
+  echo "Local gitleaks not found, using Docker fallback"
+  SCAN_CMD="docker run --rm -i -v \"$(pwd)\":/repo ghcr.io/gitleaks/gitleaks:v8.28.0 detect \
+    --pipe \
+    --config=/repo/gitleaks.toml \
+    --report-format=json \
+    --report-path=/repo/.gitleaks_out/gitleaks-precommit.json \
+    --no-banner"
+fi
+
+# Run scan on staged diff only
+git diff --cached --unified=0 --no-color \
+  | grep '^+' \
+  | grep -v '^+++' \
+  | sh -c "$SCAN_CMD"
+status=$?
+if [ $status -ne 0 ]; then
+  echo "Possible secrets detected in staged changes!"
+  echo "   See .gitleaks_out/gitleaks-precommit.json for details."
+  echo ""
+  echo "Commit aborted."
+  echo ""
+  echo "Reminder: Do NOT bypass with 'git commit --no-verify'."
+  echo "CI will still block your PR even if you bypass locally."
+  echo ""
+  echo "If this secret is actually required in the repo (false positive or approved usage),"
+  echo "you MUST meet with the CTO / Team Lead / DevOps to approve"
+  echo "and add it to the gitleaks ignore list."
+  exit 1
+fi
+
+echo "No secrets found. Commit allowed."
+exit 0

.github/workflows/security.yml

@@ -0,0 +1,18 @@
+name: Security Scan
+
+on:
+  pull_request:
+    branches:
+      - Dev
+      - dev-1
+  push:
+    branches:
+      - Dev
+      - dev-1
+
+jobs:
+  gitleaks:
+    name: Run Gitleaks Scan
+    uses: peer-network/peer_global_security/.github/workflows/gitleaks.yml@main
+    with:
+      config: gitleaks.toml

.gitignore

@@ -0,0 +1,7 @@
+secrets.tfvars
+secrets.auto.tfvars
+clouds.yaml
+*.tfstate
+peer_network.yaml
+terraform.tfstate*
+.gitleaks_out/

Loki-Grafana/alloy-config-monitor.yaml

@@ -0,0 +1,55 @@
+server:
+  log_level: info
+
+clients:
+  - url: http://80.158.41.189/loki/api/v1/push
+
+positions:
+  filename: /tmp/positions.yaml
+
+scrape_configs:
+  - job_name: system-logs
+    static_configs:
+      - targets: [localhost]
+        labels:
+          job: "syslog"
+          host: "monitoring-server"
+          __path__: /var/log/syslog
+
+  - job_name: auth-logs
+    static_configs:
+      - targets: [localhost]
+        labels:
+          job: "auth"
+          host: "monitoring-server"
+          __path__: /var/log/auth.log
+
+  - job_name: cron-monitor-logs
+    static_configs:
+      - targets: [localhost]
+        labels:
+          job: "auth"
+          host: "monitoring-server"
+          __path__: /var/log/postman_logs/cron.log
+
+  - job_name: crom-mintbot-var-logs
+    static_configs:
+      - targets: [localhost]
+        labels:
+          job: "auth"
+          host: "monitoring-server" 
+          __path__: /var/log/mintlog/mint.log 
+
+  - job_name: mintbot-logs
+    static_configs:
+      - targets: [localhost]
+        labels:
+          job: gem_monitor
+          component: stdout
+          __path__: /home/ubuntu/mintbot/logs/mint_*/*.txt
+
+      - targets: [localhost]
+        labels:
+          job: gem_monitor
+          component: nested_logs
+          __path__: /home/ubuntu/mintbot/logs/mint_*/**/*.log

Loki-Grafana/config.alloy

@@ -0,0 +1,27 @@
+// Sample config for Alloy.
+//
+// For a full configuration reference, see https://grafana.com/docs/alloy
+logging {
+  level = "warn"
+}
+
+prometheus.exporter.unix "default" {
+  include_exporter_metrics = true
+  disable_collectors       = ["mdadm"]
+}
+
+prometheus.scrape "default" {
+  targets = array.concat(
+    prometheus.exporter.unix.default.targets,
+    [{
+      // Self-collect metrics
+      job         = "alloy",
+      __address__ = "127.0.0.1:12345",
+    }],
+  )
+
+  forward_to = [
+  // TODO: components to forward metrics to (like prometheus.remote_write or
+  // prometheus.relabel).
+  ]
+}

Loki-Grafana/config.monitor.alloy

@@ -0,0 +1,93 @@
+// Beta_Testing Monitor config file for Alloy (Grafana)
+// Enable logging
+logging {
+  level = "debug"
+  format = "logfmt"
+}
+
+// Loki client (Writer)
+loki.write "default" {
+  endpoint {
+    url = "http://10.50.1.150:3100/loki/api/v1/push"
+  }
+}
+
+// System syslog file (simplified for testing)
+loki.source.file "syslog" {
+  targets = [
+    {
+      "__path__" = "/var/log/syslog",
+      job = "syslog",
+    },
+  ]
+  forward_to = [loki.write.default.receiver]
+}
+
+// Auth logs
+loki.source.file "auth" {
+  targets = [
+    {
+      "__path__" = "/var/log/auth.log",
+      job = "auth",
+      host = "monitoring-server",
+    },
+  ]
+  forward_to = [loki.write.default.receiver]
+}
+
+// JournalD logs
+loki.source.journal "systemd" {
+  labels = {
+    job = "systemd",
+    host = "monitoring-server",
+  }
+  forward_to = [loki.write.default.receiver]
+}
+
+// Postman cron logs
+loki.source.file "cron_monitor" {
+  targets = [
+    {
+      "__path__" = "/var/log/postman_logs/cron.log",
+      job = "cron-monitor",
+      host = "monitoring-server",
+    },
+  ]
+  forward_to = [loki.write.default.receiver]
+}
+
+// Mintbot log in var log
+loki.source.file "crom_mintbot_var_logs" {
+  targets = [
+    {
+      "__path__" = "/var/log/mintlog/mint.log",
+      job = "gem_mintbot",
+      host = "monitoring-server",
+    },
+  ]
+  forward_to = [loki.write.default.receiver]
+}
+
+// Mintbot flat logs
+loki.source.file "mintbot_txt" {
+  targets = [
+    {
+      "__path__" = "/home/ubuntu/mintbot/logs/mint_*/*.txt",
+      job = "gem_monitor",
+      component = "stdout",
+    },
+  ]
+  forward_to = [loki.write.default.receiver]
+}
+
+// Mintbot nested logs
+loki.source.file "mintbot_nested_logs" {
+  targets = [
+    {
+      "__path__" = "/home/ubuntu/mintbot/logs/mint_*/**/*.log",
+      job = "gem_monitor",
+      component = "nested_logs",
+    },
+  ]
+  forward_to = [loki.write.default.receiver]
+}