loki: add basic auth for log push and dual-ship promtail

- Loki bound to localhost, Caddy reverse proxy with basic_auth - Vault secret (shared/loki/push-auth) for password, bcrypt hash generated at boot for Caddy environment - Promtail dual-ships to monitoring01 (direct) and loki.home.2rjus.net (with basic auth), conditional on vault.enable - Terraform: new shared loki-push policy added to all AppRoles Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 20:00:08 +01:00
parent 2903873d52
commit c13921d302
4 changed files with 77 additions and 3 deletions
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -153,6 +153,12 @@ locals {
      auto_generate   = true
      password_length = 64
    }
+
+    # Loki push authentication (used by Promtail on all hosts)
+    "shared/loki/push-auth" = {
+      auto_generate   = true
+      password_length = 32
+    }
  }
 }