loki: add basic auth for log push and dual-ship promtail

- Loki bound to localhost, Caddy reverse proxy with basic_auth - Vault secret (shared/loki/push-auth) for password, bcrypt hash generated at boot for Caddy environment - Promtail dual-ships to monitoring01 (direct) and loki.home.2rjus.net (with basic auth), conditional on vault.enable - Terraform: new shared loki-push policy added to all AppRoles Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:00:08 +01:00
parent 2903873d52
commit c13921d302
4 changed files with 77 additions and 3 deletions
--- a/system/monitoring/logs.nix
+++ b/system/monitoring/logs.nix
@@ -16,6 +16,14 @@ in
      SystemKeepFree=1G
    '';
  };
+
+  # Fetch Loki push password from Vault (only on hosts with Vault enabled)
+  vault.secrets.promtail-loki-auth = lib.mkIf config.vault.enable {
+    secretPath = "shared/loki/push-auth";
+    extractKey = "password";
+    services = [ "promtail" ];
+  };
+
  # Configure promtail
  services.promtail = {
    enable = true;
@@ -31,6 +39,14 @@ in
        {
          url = "http://monitoring01.home.2rjus.net:3100/loki/api/v1/push";
        }
+      ] ++ lib.optionals config.vault.enable [
+        {
+          url = "https://loki.home.2rjus.net/loki/api/v1/push";
+          basic_auth = {
+            username = "promtail";
+            password_file = "/run/secrets/promtail-loki-auth";
+          };
+        }
      ];

      scrape_configs = [