r/loki-caddy: Caddy reverse proxy for Loki

Caddy handles TLS termination for Loki, automatically requesting and
renewing its certificate via ACME.
dynamic-inventory
Dustin 2024-10-19 10:10:45 -05:00
parent 010f652060
commit 39d9985fbd
6 changed files with 81 additions and 0 deletions


@ -2,3 +2,20 @@ data_volumes:
- dev: /dev/vdb - dev: /dev/vdb
fstype: btrfs fstype: btrfs
mountpoint: /var/lib/loki mountpoint: /var/lib/loki
loki_caddy_acme:
email: loki@pyrocufflink.blue
url: https://ca.pyrocufflink.blue/acme/acme/directory
loki_caddy_client_ca: |+
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
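Review bot: `loki_caddy_client_ca: |+` uses keep chomping, so any blank lines that follow the certificate block in this file become part of the value and are written verbatim into /etc/caddy/loki-client-ca.crt by the copy task in this commit; the plain literal `loki_caddy_client_ca: |` keeps the newlines inside the PEM plus a single trailing one, which is what a PEM file is expected to end with. The certificate body itself is not visible here, so I cannot check that it is a CA certificate rather than a leaf.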


@ -3,3 +3,6 @@
- role: loki - role: loki
tags: tags:
- loki - loki
- role: loki-caddy
tags:
- loki-caddy


@ -0,0 +1 @@
loki_caddy_server_name: loki.{{ ansible_domain }}


@ -0,0 +1,3 @@
dependencies:
- role: caddy
tags: caddy


@ -0,0 +1,24 @@
- name: ensure caddy is configured to proxy for loki
template:
src: Caddyfile.j2
dest: /etc/caddy/Caddyfile.d/loki.caddyfile
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- config
- name: ensure client ca is configured
copy:
dest: /etc/caddy/loki-client-ca.crt
content: >-
{{ loki_caddy_client_ca|d('') }}
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- cert
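Review bot: The `d('')` default in `content: >-` means a host that has not set `loki_caddy_client_ca` gets an empty /etc/caddy/loki-client-ca.crt, while the Caddyfile template in this same commit unconditionally points `trusted_ca_cert_file` at that path; an empty PEM either makes the client trust store empty or, I would expect, makes the Caddy reload fail, and in both cases the play reports success. Failing early is safer: `content: "{{ loki_caddy_client_ca | mandatory }}"` makes a missing CA a visible Ansible error instead of a silent misconfiguration. If an optional CA is really intended, say so in a task comment and gate both this task and the client_auth stanza on the variable being defined, so the two stay consistent.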


@ -0,0 +1,33 @@
{# vim: set sw=4 ts=4 sts=4 et : #}
{{ loki_caddy_server_name }} {
tls {
client_auth {
mode verify_if_given
trusted_ca_cert_file /etc/caddy/loki-client-ca.crt
}
}
@anonymous {
expression {tls_client_subject} == null
}
@grafana {
header X-Grafana-User *
}
handle @anonymous {
route /loki/api/v1/push {
reverse_proxy 127.0.0.1:3100
}
route /metrics {
reverse_proxy 127.0.0.1:3100
}
route /ready {
reverse_proxy 127.0.0.1:3100
}
respond 403
}
handle @grafana {
reverse_proxy 127.0.0.1:3100
}
tls {{ loki_caddy_acme.email }} {
ca {{ loki_caddy_acme.url }}
}
}
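Review bot: A request that presents a client certificate but carries no X-Grafana-User header matches neither `handle @anonymous` nor `handle @grafana` and falls through to Caddy's default (empty) response instead of an explicit deny; a trailing `handle { respond 403 }` makes the default-deny intent explicit rather than relying on there being no other handler. The site block also declares `tls` twice (the client_auth block near the top and the ACME block at the bottom); I have not verified whether Caddy merges repeated tls directives for one site, so folding `client_auth` into the single `tls {{ loki_caddy_acme.email }} { ca … }` block avoids depending on that. Note as well that `/loki/api/v1/push` is proxied for anonymous clients, so log ingestion is open to any peer that can reach the listener — if that is intended for the local push agents, a template comment stating it would save the next reader from reading it as an oversight.

```caddyfile
{{ loki_caddy_server_name }} {
    tls {{ loki_caddy_acme.email }} {
        ca {{ loki_caddy_acme.url }}
        client_auth {
            mode verify_if_given
            trusted_ca_cert_file /etc/caddy/loki-client-ca.crt
        }
    }
    # … unchanged: @anonymous / @grafana matchers and their handle blocks …
    handle {
        respond 403
    }
}
```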