r/loki-caddy: Caddy reverse proxy for Loki

Caddy handles TLS termination for Loki, automatically requesting and renewing its certificate via ACME.
2024-10-19 10:10:45 -05:00 · 2024-10-19 10:10:45 -05:00 · 39d9985fbd
parent 010f652060
commit 39d9985fbd
6 changed files with 81 additions and 0 deletions
--- a/group_vars/loki.yml
+++ b/group_vars/loki.yml
@ -2,3 +2,20 @@ data_volumes:
 - dev: /dev/vdb
  fstype: btrfs
  mountpoint: /var/lib/loki
+
+loki_caddy_acme:
+  email: loki@pyrocufflink.blue
+  url: https://ca.pyrocufflink.blue/acme/acme/directory
+
+loki_caddy_client_ca: |+
+  -----BEGIN CERTIFICATE-----
+  MIIBlDCCAUagAwIBAgIUGNZ/ASP8F2ytev3YplTk4jA5a2EwBQYDK2VwMEgxCzAJ
+  BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxDTALBgNVBAsMBExv
+  a2kxEDAOBgNVBAMMB0xva2kgQ0EwHhcNMjQwMjIwMTUwMTQxWhcNMzQwMjIwMTUw
+  MTQxWjBIMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMQ0w
+  CwYDVQQLDARMb2tpMRAwDgYDVQQDDAdMb2tpIENBMCowBQYDK2VwAyEAnmMawEIo
+  WfzFaLgpSiaPD+DHg28NHknMFcs7XpyTM9CjQjBAMB0GA1UdDgQWBBTFth3c4S/f
+  y0BphQy9SucnKN2pLzASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAF
+  BgMrZXADQQCn0JWERsXdJA4kMM45ZXhVgAciwLNQ8ikoucsJcbWBp7bSMjcMVi51
+  I+slotQvQES/vfqp/zZFNl7KKyeeQ0sD
+  -----END CERTIFICATE-----
--- a/loki.yml
+++ b/loki.yml
@ -3,3 +3,6 @@
  - role: loki
    tags:
    - loki
+  - role: loki-caddy
+    tags:
+    - loki-caddy
--- a/roles/loki-caddy/defaults/main.yml
+++ b/roles/loki-caddy/defaults/main.yml
@ -0,0 +1 @@
+loki_caddy_server_name: loki.{{ ansible_domain }}
--- a/roles/loki-caddy/meta/main.yml
+++ b/roles/loki-caddy/meta/main.yml
@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+  tags: caddy
--- a/roles/loki-caddy/tasks/main.yml
+++ b/roles/loki-caddy/tasks/main.yml
@ -0,0 +1,24 @@
+- name: ensure caddy is configured to proxy for loki
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/loki.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config
+
+- name: ensure client ca is configured
+  copy:
+    dest: /etc/caddy/loki-client-ca.crt
+    content: >-
+      {{ loki_caddy_client_ca|d('') }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - cert
--- a/roles/loki-caddy/templates/Caddyfile.j2
+++ b/roles/loki-caddy/templates/Caddyfile.j2
@ -0,0 +1,33 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ loki_caddy_server_name }} {
+    tls {
+        client_auth {
+            mode verify_if_given
+            trusted_ca_cert_file /etc/caddy/loki-client-ca.crt
+        }
+    }
+    @anonymous {
+        expression {tls_client_subject} == null
+    }
+    @grafana {
+        header X-Grafana-User *
+    }
+    handle @anonymous {
+        route /loki/api/v1/push {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /metrics {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /ready {
+            reverse_proxy 127.0.0.1:3100
+        }
+        respond 403
+    }
+    handle @grafana {
+        reverse_proxy 127.0.0.1:3100
+    }
+    tls {{ loki_caddy_acme.email }} {
+        ca {{ loki_caddy_acme.url }}
+    }
+}
				`@ -0,0 +1 @@`
				`loki_caddy_server_name: loki.{{ ansible_domain }}`