r/loki-caddy: Caddy reverse proxy for Loki

Caddy handles TLS termination for Loki, automatically requesting and
renewing its certificate via ACME.

roles/loki-caddy/defaults/main.yml

@@ -0,0 +1 @@
+loki_caddy_server_name: loki.{{ ansible_domain }}

roles/loki-caddy/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+  tags: caddy

roles/loki-caddy/tasks/main.yml

@@ -0,0 +1,24 @@
+- name: ensure caddy is configured to proxy for loki
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/loki.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config
+
+- name: ensure client ca is configured
+  copy:
+    dest: /etc/caddy/loki-client-ca.crt
+    content: >-
+      {{ loki_caddy_client_ca|d('') }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - cert

roles/loki-caddy/templates/Caddyfile.j2

@@ -0,0 +1,33 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ loki_caddy_server_name }} {
+    tls {
+        client_auth {
+            mode verify_if_given
+            trusted_ca_cert_file /etc/caddy/loki-client-ca.crt
+        }
+    }
+    @anonymous {
+        expression {tls_client_subject} == null
+    }
+    @grafana {
+        header X-Grafana-User *
+    }
+    handle @anonymous {
+        route /loki/api/v1/push {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /metrics {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /ready {
+            reverse_proxy 127.0.0.1:3100
+        }
+        respond 403
+    }
+    handle @grafana {
+        reverse_proxy 127.0.0.1:3100
+    }
+    tls {{ loki_caddy_acme.email }} {
+        ca {{ loki_caddy_acme.url }}
+    }
+}