Here’s a comprehensive guide to deploying a full monitoring stack on a Debian VPS, including:
- ✅ Prometheus – Metrics collection
- ✅ Node Exporter – System metrics
- ✅ Grafana – Visualization
- ✅ Alertmanager – Alert notifications
- ✅ Loki – Log aggregation
- ✅ Promtail – Log shipping to Loki
🎯 Goal
A production-ready observability stack for logs, metrics, dashboards, and alerts.
🚀 Deploy Full Monitoring Stack on Debian VPS
To deploy a full monitoring stack on a Debian VPS, follow the steps below:
📦 System Prep
sudo apt update && sudo apt install -y curl wget unzip apt-transport-https software-properties-common
🔧 Install Prometheus
Create user and folders:
sudo useradd --no-create-home --shell /usr/sbin/nologin prometheus
sudo mkdir /etc/prometheus /var/lib/prometheus
Download & install:
cd /tmp
wget https://github.com/prometheus/prometheus/releases/download/v2.52.0/prometheus-2.52.0.linux-amd64.tar.gz
tar -xzf prometheus-2.52.0.linux-amd64.tar.gz
cd prometheus-2.52.0.linux-amd64
sudo cp prometheus promtool /usr/local/bin/
sudo cp -r consoles console_libraries /etc/prometheus/
sudo cp prometheus.yml /etc/prometheus/
sudo chown -R prometheus:prometheus /etc/prometheus /var/lib/prometheus /usr/local/bin/prometheus /usr/local/bin/promtool
Create service:
sudo nano /etc/systemd/system/prometheus.service
[Unit]
Description=Prometheus
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --storage.tsdb.path=/var/lib/prometheus \
  --web.listen-address=:9090

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable --now prometheus
📊 Install Node Exporter
See: 🚀 How to Install and Configure Node Exporter on Debian VPS
📺 Install Grafana (Visual Dashboards)
See: 🚀 How to Install Grafana on Debian VPS and Connect to Node Exporter
🚨 Install Alertmanager
Create user:
sudo useradd --no-create-home --shell /usr/sbin/nologin alertmanager
Download and install:
cd /tmp
wget https://github.com/prometheus/alertmanager/releases/download/v0.27.0/alertmanager-0.27.0.linux-amd64.tar.gz
tar -xzf alertmanager-0.27.0.linux-amd64.tar.gz
cd alertmanager-0.27.0.linux-amd64
sudo cp alertmanager amtool /usr/local/bin/
sudo mkdir /etc/alertmanager /var/lib/alertmanager
sudo cp alertmanager.yml /etc/alertmanager/
sudo chown -R alertmanager:alertmanager /etc/alertmanager /var/lib/alertmanager
Create systemd service:
sudo nano /etc/systemd/system/alertmanager.service
[Unit]
Description=Alertmanager
After=network.target

[Service]
User=alertmanager
ExecStart=/usr/local/bin/alertmanager \
  --config.file=/etc/alertmanager/alertmanager.yml \
  --storage.path=/var/lib/alertmanager

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable --now alertmanager

To configure email/SMS/Slack alerts, edit /etc/alertmanager/alertmanager.yml
📚 Install Loki (Log Aggregation)
cd /tmp
wget https://github.com/grafana/loki/releases/download/v2.9.4/loki-linux-amd64.zip
unzip loki-linux-amd64.zip
chmod +x loki-linux-amd64
sudo mv loki-linux-amd64 /usr/local/bin/loki
Default config:
sudo nano /etc/loki-local-config.yaml
Paste:
auth_enabled: false

server:
  http_listen_port: 3100

ingester:
  lifecycler:
    ring:
      kvstore:
        store: inmemory
      replication_factor: 1
  chunk_idle_period: 5m
  chunk_retain_period: 30s

schema_config:
  configs:
    - from: 2022-01-01
      store: boltdb-shipper
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h

storage_config:
  boltdb_shipper:
    active_index_directory: /tmp/loki/index
    cache_location: /tmp/loki/cache
    shared_store: filesystem
  filesystem:
    directory: /tmp/loki/chunks

limits_config:
  enforce_metric_name: false
  reject_old_samples: true
  reject_old_samples_max_age: 168h

chunk_store_config:
  max_look_back_period: 0s

table_manager:
  retention_deletes_enabled: true
  retention_period: 120h
Create systemd service:
sudo nano /etc/systemd/system/loki.service
[Unit]
Description=Loki Log Aggregator
After=network.target

[Service]
ExecStart=/usr/local/bin/loki -config.file=/etc/loki-local-config.yaml
Restart=always

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable --now loki
📤 Install Promtail (Log Shipper for Loki)
cd /tmp
wget https://github.com/grafana/loki/releases/download/v2.9.4/promtail-linux-amd64.zip
unzip promtail-linux-amd64.zip
chmod +x promtail-linux-amd64
sudo mv promtail-linux-amd64 /usr/local/bin/promtail
Promtail config:
sudo nano /etc/promtail-local-config.yaml
Paste:
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://localhost:3100/loki/api/v1/push

scrape_configs:
  - job_name: system
    static_configs:
      - targets:
          - localhost
        labels:
          job: varlogs
          __path__: /var/log/*.log
Service file:
sudo nano /etc/systemd/system/promtail.service
[Unit]
Description=Promtail Log Shipper
After=network.target

[Service]
ExecStart=/usr/local/bin/promtail -config.file=/etc/promtail-local-config.yaml
Restart=always

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable --now promtail
📈 Connect Everything in Grafana
Data Sources:
- Go to Grafana > Settings > Data Sources
- Add:
  - Prometheus: http://localhost:9090
  - Loki: http://localhost:3100
Dashboards:
- Node Exporter: Import dashboard ID 1860
- Loki Logs: Use built-in “Logs” panel or import dashboard ID 13633
✅ You Now Have a Full Observability Stack
Component | Purpose | Port |
---|---|---|
Prometheus | Metrics collection | 9090 |
Node Exporter | System metrics | 9100 |
Grafana | Dashboards | 3000 |
Alertmanager | Alert delivery | 9093 |
Loki | Log storage | 3100 |
Promtail | Log shipper to Loki | — |
🔐 Secure Full Monitoring Stack with HTTPS + Basic Auth
After you deploy the full monitoring stack on your Debian VPS, secure it with HTTPS and basic authentication. Here’s how to put each component of the monitoring stack (Prometheus, Grafana, Loki, Alertmanager, Node Exporter) behind HTTPS and Basic Authentication using an NGINX reverse proxy, Let’s Encrypt TLS, and htpasswd on a Debian VPS.
📦 Tools We’ll Use
- NGINX: Reverse proxy for TLS and auth
- Certbot: Free Let’s Encrypt SSL
- htpasswd: Apache tool for basic auth
- Separate subdomains for each service:
  - grafana.example.com
  - prometheus.example.com
  - loki.example.com
  - alertmanager.example.com
  - metrics.example.com (Node Exporter)
To secure the full monitoring stack with HTTPS + Basic Auth, follow the steps below:
✅ Install NGINX and Certbot
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx apache2-utils -y
🧪 Create Basic Auth Credentials
sudo htpasswd -c /etc/nginx/.htpasswd yourusername
Replace yourusername with the desired username. You’ll be prompted for a password.
🌍 Setup NGINX Reverse Proxies
For each service, create a file in /etc/nginx/sites-available/:
🔧 Example: Grafana Reverse Proxy
sudo nano /etc/nginx/sites-available/grafana
server {
    listen 80;
    server_name grafana.example.com;

    location / {
        auth_basic "Restricted Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Link and test:
sudo ln -s /etc/nginx/sites-available/grafana /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
Repeat for each service by changing:
- server_name
- proxy_pass (port)
⚡ Prometheus
server_name prometheus.example.com
proxy_pass http://localhost:9090
⚡ Alertmanager
server_name alertmanager.example.com
proxy_pass http://localhost:9093
⚡ Loki
server_name loki.example.com
proxy_pass http://localhost:3100
⚡ Node Exporter
server_name metrics.example.com
proxy_pass http://localhost:9100
🔒 Enable HTTPS with Certbot
Run this for each domain:
sudo certbot --nginx -d grafana.example.com
sudo certbot --nginx -d prometheus.example.com
sudo certbot --nginx -d alertmanager.example.com
sudo certbot --nginx -d loki.example.com
sudo certbot --nginx -d metrics.example.com
Choose redirect to enforce HTTPS.
🔄 Test Everything
- Visit https://grafana.example.com → You should see a login prompt
- Enter credentials set with htpasswd
- Access should be proxied securely to Grafana
Repeat for each secured domain.
🔁 Auto-Renew SSL
Certbot auto-creates a systemd timer, but verify:
sudo systemctl list-timers | grep certbot
sudo certbot renew --dry-run
✅ Summary
Service | Subdomain | Local Port | HTTPS Proxy Port |
---|---|---|---|
Grafana | grafana.example.com | 3000 | 443 via NGINX |
Prometheus | prometheus.example.com | 9090 | 443 |
Alertmanager | alertmanager.example.com | 9093 | 443 |
Loki | loki.example.com | 3100 | 443 |
Node Exporter | metrics.example.com | 9100 | 443 |
Each is now:
- 🔒 Protected by HTTPS
- 🧱 Restricted with Basic Auth
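Basic Auth at NGINX only covers requests that pass through NGINX, and the Prometheus unit above starts with `--web.listen-address=:9090`, which listens on every interface. As an added check (not part of the original guide), this script reads `ss -Hltn` output and lists the stack ports from the tables above that are bound to a non-loopback address; the function name and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag monitoring-stack ports that listen on non-loopback
# addresses and can therefore be reached without going through NGINX.

# Ports from the guide: Prometheus, Node Exporter, Grafana, Alertmanager,
# Loki, plus the Promtail HTTP port set in its config (9080).
STACK_PORTS="9090 9100 3000 9093 3100 9080"

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 *:9090 *:*
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::]:9100 [::]:*
LISTEN 0 4096 [::1]:9093 [::]:*
LISTEN 0 4096 0.0.0.0:3100 0.0.0.0:*'

# exposed_ports: reads `ss -Hltn` output on stdin and prints "port address"
# for every stack port whose local address is not 127.0.0.0/8 or ::1.
exposed_ports() {
  awk -v ports="$STACK_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
      local_addr = $4                          # column 4 is Local Address:Port
      port = local_addr; sub(/.*:/, "", port)  # text after the last colon
      addr = local_addr; sub(/:[^:]*$/, "", addr)
      if (!(port in want)) next                # not a monitoring-stack port
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: fine
      print port, addr
    }' | sort -u
}

# With --live, inspect this host; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -Hltn | exposed_ports
else
  printf '%s\n' "$SAMPLE_SS" | exposed_ports
fi
```

Any port it prints should be bound to 127.0.0.1 in the service's own configuration or blocked at the firewall, so that the only path in is NGINX on 443.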
Conclusion
You now know how to deploy a full monitoring stack on a Debian VPS and secure it with HTTPS + Basic Auth!