Agent Setup

Self-Hosted Agent — Docker

Run the MonPG collector in Docker so credentials never leave your network.

Agent mode runs the MonPG collector inside your own infrastructure. The collector connects to PostgreSQL over localhost, VPN, or a peered VNet — wherever your DB lives — and pushes metrics to MonPG's ingest API over HTTPS using a short-lived agent token. Your DB credentials never leave your network.

This is the right choice when compliance forbids handing DB credentials to a third party, when your DB isn't reachable from the public internet, or when you're in an air-gapped or VPN-only environment. If none of those apply, the hosted setup is less work.

Generate an agent token

In the MonPG UI, Settings → Agent Tokens → Generate new token. The mpa_* value shows once. Copy it into your secret store now — there's no way to retrieve it later, and rotating means generating a new one and revoking the old.

Run the collector

docker run -d --name monpg-collector   --restart unless-stopped   -e MONPG_AGENT_TOKEN="mpa_..."   -e MONPG_API_ENDPOINT="https://api.monpg.app"   -e MONPG_DB_HOST="your-postgres.internal"   -e MONPG_DB_PORT=5432   -e MONPG_DB_USER="monpg_monitor"   -e MONPG_DB_PASSWORD="..."   -e MONPG_DB_NAME="postgres"   -e MONPG_DB_SSLMODE="require"   monpgacr4wjl3deb.azurecr.io/monpg-collector:latest

The image runs as non-root, doesn't need any host volumes, and exits cleanly on SIGTERM if Docker tries to restart it.

Provision the monitor role

This is the one-time SQL setup on your PostgreSQL, run as a superuser:

CREATE ROLE monpg_monitor WITH LOGIN PASSWORD 'strong-password' CONNECTION LIMIT 10;
GRANT pg_monitor TO monpg_monitor;
CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
-- Helper schema for SECURITY DEFINER functions (copy from MonPG repo or ask support)

The connection limit is there so a runaway collector can't eat your connection slots — you really don't need more than 10 even on a 16-database cluster.

Verify

Container logs should show [collector] POST /api/v1/ingest/cycle returned 200 roughly every 30 seconds. In the MonPG UI, the server appears with status=online within about a minute.

Upgrading

Tags follow a semver-ish convention: sha-<gitsha> for reproducibility, latest for tip-of-main. Pin to a SHA in production. latest is fine in dev where you don't mind a restart picking up whatever shipped this morning.