diff --git a/services/loki/default.nix b/services/loki/default.nix
index b73456e..f50a6e0 100644
--- a/services/loki/default.nix
+++ b/services/loki/default.nix
@@ -1,7 +1,47 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
+let
+  # Script to generate bcrypt hash from Vault password for Caddy basic_auth
+  generateCaddyAuth = pkgs.writeShellApplication {
+    name = "generate-caddy-loki-auth";
+    runtimeInputs = [ config.services.caddy.package ];
+    text = ''
+      PASSWORD=$(cat /run/secrets/loki-push-auth)
+      HASH=$(caddy hash-password --plaintext "$PASSWORD")
+      echo "LOKI_PUSH_HASH=$HASH" > /run/secrets/caddy-loki-auth.env
+      chmod 0400 /run/secrets/caddy-loki-auth.env
+    '';
+  };
+in
 {
-  # Caddy reverse proxy for Loki
+  # Fetch Loki push password from Vault
+  vault.secrets.loki-push-auth = {
+    secretPath = "shared/loki/push-auth";
+    extractKey = "password";
+    services = [ "caddy" ];
+  };
+
+  # Generate bcrypt hash for Caddy before it starts
+  systemd.services.caddy-loki-auth = {
+    description = "Generate Caddy basic auth hash for Loki";
+    after = [ "vault-secret-loki-push-auth.service" ];
+    requires = [ "vault-secret-loki-push-auth.service" ];
+    before = [ "caddy.service" ];
+    requiredBy = [ "caddy.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = lib.getExe generateCaddyAuth;
+    };
+  };
+
+  # Load the bcrypt hash as environment variable for Caddy
+  services.caddy.environmentFile = "/run/secrets/caddy-loki-auth.env";
+
+  # Caddy reverse proxy for Loki with basic auth
   services.caddy.virtualHosts."loki.home.2rjus.net".extraConfig = ''
+    basic_auth {
+      promtail {env.LOKI_PUSH_HASH}
+    }
     reverse_proxy http://127.0.0.1:3100
   '';
@@ -11,6 +51,7 @@
   auth_enabled = false;
   server = {
+    http_listen_address = "127.0.0.1";
     http_listen_port = 3100;
   };
   common = {
diff --git a/system/monitoring/logs.nix b/system/monitoring/logs.nix
index 68d9cac..d3fad59 100644
--- a/system/monitoring/logs.nix
+++ b/system/monitoring/logs.nix
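Review bot: The hash step in generateCaddyAuth passes the plaintext secret as a command-line argument (`caddy hash-password --plaintext "$PASSWORD"`), and argv is readable by every local user through /proc for as long as the command runs. `caddy hash-password` reads the password from stdin when `--plaintext` is omitted, so `HASH=$(caddy hash-password < /run/secrets/loki-push-auth)` keeps it out of the process list; confirm how the installed Caddy version treats a trailing newline on stdin, because `$(cat …)` strips one while the redirect does not. The env file is also created by the `echo … >` redirect under the default umask and only narrowed afterwards by `chmod 0400`, so putting `umask 077` before the redirect closes that window.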
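Review bot: Binding Loki to `http_listen_address = "127.0.0.1"` makes the unauthenticated client that system/monitoring/logs.nix keeps for every host (`url = "http://monitoring01.home.2rjus.net:3100/loki/api/v1/push"`, hunk `@@ -31,6 +39,14 @@`) unreachable from other machines, assuming monitoring01 is the host running this Loki and that name does not resolve to a loopback address. Hosts without Vault would then lose log shipping entirely, and Vault-enabled hosts keep a second client that retries indefinitely next to the working HTTPS one. Either guard the plaintext client with `lib.optionals (!config.vault.enable)` as a transition and schedule the cutover for the remaining hosts, or drop it once every host has Vault. The `server` set is shown in full here, but the enclosing Loki configuration block starts outside this hunk, as does the `clients = [` line enclosing the promtail hunk.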
@@ -16,6 +16,14 @@ in
       SystemKeepFree=1G
     '';
   };
+
+  # Fetch Loki push password from Vault (only on hosts with Vault enabled)
+  vault.secrets.promtail-loki-auth = lib.mkIf config.vault.enable {
+    secretPath = "shared/loki/push-auth";
+    extractKey = "password";
+    services = [ "promtail" ];
+  };
+
   # Configure promtail
   services.promtail = {
     enable = true;
@@ -31,6 +39,14 @@ in
         {
           url = "http://monitoring01.home.2rjus.net:3100/loki/api/v1/push";
         }
+      ] ++ lib.optionals config.vault.enable [
+        {
+          url = "https://loki.home.2rjus.net/loki/api/v1/push";
+          basic_auth = {
+            username = "promtail";
+            password_file = "/run/secrets/promtail-loki-auth";
+          };
+        }
       ];
       scrape_configs = [
diff --git a/terraform/vault/approle.tf b/terraform/vault/approle.tf
index 8542812..f262f49 100644
--- a/terraform/vault/approle.tf
+++ b/terraform/vault/approle.tf
@@ -26,6 +26,17 @@ path "secret/data/shared/nixos-exporter/*" {
 EOT
 }
+# Shared policy for Loki push authentication (all hosts push logs)
+resource "vault_policy" "loki_push" {
+  name = "loki-push"
+
+  policy = <
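Review bot: Every Vault-enabled host reads the same `shared/loki/push-auth` password that hunk `@@ -1,7 +1,47 @@` of services/loki/default.nix turns into the single Caddy user `promtail`, so the push credential is one shared secret across the fleet: retiring or isolating a single host means rotating it for all hosts and for Caddy at once. Since the Caddyfile `basic_auth` block accepts several `user hash` lines, per-host usernames and secrets (for example keyed by `config.networking.hostName`) would allow revoking one host without a fleet-wide rotation. If a shared credential is the intended trade-off, a comment to that effect on `vault.secrets.promtail-loki-auth` would save the next reader from re-deriving it. The enclosing module attribute set starts outside this hunk.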