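{ config, lib, pkgs, ... }:
let
  # Script that turns the Vault-provided Loki push password into a bcrypt
  # hash for Caddy's basic_auth directive and writes it as a systemd
  # EnvironmentFile consumed by caddy.service.
  #
  # Two hardening points compared to a naive `caddy hash-password --plaintext`:
  #  - the plaintext is fed to caddy over stdin (printf is a bash builtin), so
  #    the password never appears in the process argv, which other local users
  #    can read through /proc;
  #  - `umask 077` makes the env file owner-only from creation, so there is no
  #    window between the redirect and the final chmod in which it is readable
  #    by anyone else.
  # writeShellApplication already runs the script with errexit/nounset/pipefail.
  generateCaddyAuth = pkgs.writeShellApplication {
    name = "generate-caddy-loki-auth";
    runtimeInputs = [ config.services.caddy.package ];
    text = ''
      umask 077
      PASSWORD=$(cat /run/secrets/loki-push-auth)
      # With no --plaintext and a non-terminal stdin, `caddy hash-password`
      # reads one line from stdin; the trailing newline is not part of the
      # hashed value, so always send exactly one.
      HASH=$(printf '%s\n' "$PASSWORD" | caddy hash-password)
      printf 'LOKI_PUSH_HASH=%s\n' "$HASH" > /run/secrets/caddy-loki-auth.env
      chmod 0400 /run/secrets/caddy-loki-auth.env
    '';
  };
in
{
  # Fetch the Loki push password from Vault; the secret lands in
  # /run/secrets/loki-push-auth, which the hash script above reads.
  vault.secrets.loki-push-auth = {
    secretPath = "shared/loki/push-auth";
    extractKey = "password";
    services = [ "caddy" ];
  };

  # One-shot unit that produces the bcrypt hash. It is ordered strictly
  # between the Vault secret fetch and caddy.service, and is a hard
  # requirement of caddy.service so Caddy never starts without the env file.
  systemd.services.caddy-loki-auth = {
    description = "Generate Caddy basic auth hash for Loki";
    after = [ "vault-secret-loki-push-auth.service" ];
    requires = [ "vault-secret-loki-push-auth.service" ];
    before = [ "caddy.service" ];
    requiredBy = [ "caddy.service" ];
    serviceConfig = {
      Type = "oneshot";
      # Keep the unit "active" after the script exits so the ordering
      # dependency from caddy.service stays satisfied.
      RemainAfterExit = true;
      ExecStart = lib.getExe generateCaddyAuth;
    };
  };

  # systemd reads the EnvironmentFile before dropping privileges, so a
  # root-owned 0400 file is sufficient for Caddy to see LOKI_PUSH_HASH.
  services.caddy.environmentFile = "/run/secrets/caddy-loki-auth.env";

  # Caddy reverse proxy in front of Loki. The bcrypt hash is resolved at
  # runtime via the {env.*} placeholder, so it never lives in the Caddyfile.
  services.caddy.virtualHosts."loki.home.2rjus.net".extraConfig = ''
    basic_auth {
      promtail {env.LOKI_PUSH_HASH}
    }
    reverse_proxy http://127.0.0.1:3100
  '';

  # Loki itself only listens on loopback; all external access goes through
  # the authenticated Caddy vhost above. Multi-tenancy is disabled, so Caddy's
  # basic_auth is the only access control on the push endpoint.
  services.loki = {
    enable = true;
    configuration = {
      auth_enabled = false;
      server = {
        http_listen_address = "127.0.0.1";
        http_listen_port = 3100;
      };
      common = {
        ring = {
          instance_addr = "127.0.0.1";
          kvstore = {
            store = "inmemory";
          };
        };
        replication_factor = 1;
        path_prefix = "/var/lib/loki";
      };
      schema_config = {
        configs = [
          {
            from = "2024-01-01";
            store = "tsdb";
            object_store = "filesystem";
            schema = "v13";
            index = {
              prefix = "loki_index_";
              period = "24h";
            };
          }
        ];
      };
      storage_config = {
        filesystem = {
          directory = "/var/lib/loki/chunks";
        };
      };
      compactor = {
        working_directory = "/var/lib/loki/compactor";
        compaction_interval = "10m";
        retention_enabled = true;
        retention_delete_delay = "2h";
        retention_delete_worker_count = 150;
        delete_request_store = "filesystem";
      };
      limits_config = {
        retention_period = "30d";
        ingestion_rate_mb = 10;
        ingestion_burst_size_mb = 20;
        max_streams_per_user = 10000;
        max_query_series = 500;
        max_query_parallelism = 8;
      };
    };
  };
}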