r/loki-caddy: Caddy reverse proxy for Loki

Caddy handles TLS termination for Loki, automatically requesting and
renewing its certificate via ACME.

roles/loki-caddy/templates/Caddyfile.j2

@@ -0,0 +1,33 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ loki_caddy_server_name }} {
+    tls {
+        client_auth {
+            mode verify_if_given
+            trusted_ca_cert_file /etc/caddy/loki-client-ca.crt
+        }
+    }
+    @anonymous {
+        expression {tls_client_subject} == null
+    }
+    @grafana {
+        header X-Grafana-User *
+    }
+    handle @anonymous {
+        route /loki/api/v1/push {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /metrics {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /ready {
+            reverse_proxy 127.0.0.1:3100
+        }
+        respond 403
+    }
+    handle @grafana {
+        reverse_proxy 127.0.0.1:3100
+    }
+    tls {{ loki_caddy_acme.email }} {
+        ca {{ loki_caddy_acme.url }}
+    }
+}