loki: Use fetchcert to manage server certificate

Before going into production with Grafana Loki, I want to set it up to
use TLS.  To that end, I have configured _cert-manager_ to issue it a
certificate, signed by _DCH CA_.  In order to use said certificate,
we need to configure `fetchcert` to run on the Loki server.

env/prod/fetchcert.cue

@@ -27,3 +27,14 @@ fetchcert: base: f.#Fetchcert & {
 	kubernetes_url: "https://kubernetes.pyrocufflink.blue:6443"
 	namespace:      "dch-ca"
 }
+
+fetchcert: loki: fetchcert.base & {
+	secret: "loki"
+	cert:   "loki.cer"
+	key:    "loki.key"
+	postupdate: """
+		install -v -o root -g 10001 -m ugo=r /etc/fetchcert/certs/loki.cer /etc/loki/server.cer
+		install -v -o root -g 10001 -m ug=r,o= /etc/fetchcert/certs/loki.key /etc/loki/server.key
+		systemctl reload loki
+		"""
+}

host/loki0.pyrocufflink.blue.cue

@@ -4,3 +4,33 @@ import (
 
 ssh:  prod.ssh
 sudo: prod.sudo
+
+fetchcert: prod.fetchcert.loki & {
+	token: """
+		-----BEGIN AGE ENCRYPTED FILE-----
+		YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNTZzeW9XeWoycVdQa092
+		N0VYL2grR0lLY1c4QXl2VHI3NmsxM253UlNVCmZLbFZWakJGVG9WakkyYmpJL1VR
+		YmVQQXRCTlhrQk9UYUE5UkRFZUlwNlkKLS0tIGg4R25ZaVhUU1BFVjdac2NqMVpQ
+		QmZRTndBalZndVF0VFpxdHBRemhNS1EKrNZG179fh2aS/3FOaM1xCHRG4uOt5jyx
+		1m5h3Q9y2u7EbcbZHLIZR3wkQfsfscK1PS0+H0NiYAgh9u2L2kdhcLcesb3fhmSy
+		svHzW2q1ZkJ8DSwH3xCRBuKmH4Q172NcVUPzI39CgsI5SkqZdKjWnK9JJAs43Ihr
+		cM90hUN+5t50byUSzwTCmNY4xVW3N/pWMfrethCYk9E8cXts/L3A3EpgpIi3qrKn
+		gj2VfrvpHAWVcggX1rZVFlQwBg4LnPWMNztl5VRYIvwfJghykEjMlzkysLm3Q2is
+		/w+kthpBzYAvI4c1Tfx3/uMRVcWnmUgz15viKlqohVaAl9PHQ2y/te9w9D5ZtcYs
+		D33hfA7Aux9t18WJ/ru09rEJl649Al7ZxQd73upf9QrWGzkX4luHO85n8CBmcsuh
+		+ZcM1HMLiuxGCW6xyq66Eg6t/1pfPWGZtLCsFh4SRgJ6Uuq14FyU32Pkulq+yEMg
+		Sq2ZRUXU+e3M6/HcUhb+QQUTQF1wPHyEukUlecLGDd3i+xpjOrL5Eg7LjKVAv8Yj
+		8U1yiYjgRHfdkvT27RJC/rxuf674vU8H8na3jGXrPARMqq4L4B0XkUzclJZMzSPC
+		cSTaEIgb5OpfWmMb4uC0p76vHYhr4XX3iIVpivfxaDLAgyx06D4/oXALcgjcCHWY
+		/7m5t8MbIGqluqcJLYRhSQ+G/aWiyZG3zlgRfpOIyVzQHwQwGf2CLh6ygv9n5cWP
+		Gr0ZfcyVps734gVsDNqZ3vTy4nxjTueUiUpNqRaznzxT/z7Mq9/i0s1aoWBef0PV
+		MZL0jxyMeQUfRf0DdP/iPqkTU5hxw8/yqwuu2i3TJImVQ8ga8O3InyvN577mPihE
+		EqFjRl1jZr+Uip0+SPz+CSLIgBJ8rpAo/HTpue6Oe88rYtC0437YQtcWpB3rnARD
+		uggtP70SfvS7FWFCbYy7nxZrUcDMloD5gcIYNobkWQZhGdGvXDGVxB/FT8Rg6tAU
+		EOpaSSc3wOmHpnB6qCyCJ45mb6HwRCGoZmxaG/5uWreys0R8AJsMIq8vFVAS3sDo
+		EONNYMWtlAZg8XOZcSgSnKpUF5VWlt+3HLkpwQkTBq3SvjvMd6shybPVGVNxMwbU
+		a2gey9Kv4lq8Suvvrn31DeYErGwUYy0qMwTL1a4Q8I08kMg6lqqaPotIC63RSlUu
+		SEoarQ==
+		-----END AGE ENCRYPTED FILE-----
+		"""
+}

host/loki0.pyrocufflink.blue.post.sh

@@ -1 +1,2 @@
 . scripts/no-coreos-default-sudo.sh
+. scripts/loki-cert.sh

instructions/loki0.pyrocufflink.blue.cue

@@ -2,12 +2,14 @@ import (
 	"list"
 
 	"du5t1n.me/cfg/app/collectd"
+	"du5t1n.me/cfg/app/fetchcert"
 	"du5t1n.me/cfg/app/loki"
 	"du5t1n.me/cfg/env/prod"
 )
 
 render: list.Concat([
-	collectd.templates,
-	loki.templates,
 	prod.templates,
+	collectd.templates,
+	fetchcert.templates,
+	loki.templates,
 ])

scripts/loki-cert.sh

@@ -0,0 +1,3 @@
+if [ ! -f /host/etc/loki/server.cer ] || [ ! -f /host/etc/loki/server.key ]; then
+    systemctl start fetchcert
+fi

templates/loki/config.yml

@@ -2,6 +2,9 @@ auth_enabled: false
 
 server:
   http_listen_port: 3100
+  http_tls_config:
+    cert_file: /etc/loki/server.cer
+    key_file: /etc/loki/server.key
   grpc_listen_port: 9096
 
 common: