feat: add optional basic auth support for Loki client

Some Loki deployments (e.g., behind a reverse proxy or Grafana Cloud)
require HTTP Basic Authentication. This adds optional --loki-username
and --loki-password flags (and corresponding env vars) to the
lab-monitoring server, along with NixOS module options for secure
credential management via systemd LoadCredential.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/monitoring/loki.go

@@ -11,16 +11,27 @@ import (
 	"time"
 )
 
+// LokiClientOptions configures the Loki client.
+type LokiClientOptions struct {
+	BaseURL  string
+	Username string
+	Password string
+}
+
 // LokiClient is an HTTP client for the Loki API.
 type LokiClient struct {
 	baseURL    string
+	username   string
+	password   string
 	httpClient *http.Client
 }
 
 // NewLokiClient creates a new Loki API client.
-func NewLokiClient(baseURL string) *LokiClient {
+func NewLokiClient(opts LokiClientOptions) *LokiClient {
 	return &LokiClient{
-		baseURL: strings.TrimRight(baseURL, "/"),
+		baseURL:  strings.TrimRight(opts.BaseURL, "/"),
+		username: opts.Username,
+		password: opts.Password,
 		httpClient: &http.Client{
 			Timeout: 30 * time.Second,
 		},
@@ -94,6 +105,10 @@ func (c *LokiClient) get(ctx context.Context, path string, params url.Values) (j
 		return nil, fmt.Errorf("failed to create request: %w", err)
 	}
 
+	if c.username != "" {
+		req.SetBasicAuth(c.username, c.password)
+	}
+
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("request failed: %w", err)