tigor/NixOS
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

loki: now exposed to inernet with basic auth

Browse source
This commit is contained in:
Tigor Hutasuhut 2024-08-29 13:19:48 +07:00
parent 224c83fe82
commit 0972de6d7b
2 changed files with 48 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
secrets/telemetry.yaml
View file

@ -3,6 +3,12 @@ grafana:
admin_password: ENC[AES256_GCM,data:EFJfC78YtBLF5CIxLLhN9deZYcSL7/EfS4w=,iv:qrNi3WsRD26W5L67Fxch7qasEUh9vTj6HUWZs5PGz4o=,tag:bxW1CJyXOcz/pgN39ncQ+w==,type:str]
admin_email: ENC[AES256_GCM,data:2cvoq65K2/mdDuykkPVZryDJeNCK,iv:rU4jUYm+3dcvx1KooN9mWQDoovn7t+V7z1eU1m7VagE=,tag:Bhdbiq4BXO3nDwG9StUOkQ==,type:str]
secret_key: ENC[AES256_GCM,data:f4f1YF27VU/893HASHmCVL8vnsJEaHD33GOdFVpMj81MOutXqb7d03Hb1DYkDV3aMVmEdpvBcFK3SpZdFma3,iv:q6d59H1PniaVhw6tbd1maCelEGlAC4y2i38jMZ9Jn/Q=,tag:uSbCRstKy7C4Vwp+/FxF/Q==,type:str]
loki:
caddy:
basic_auth:
username: ENC[AES256_GCM,data:MRwky3O8LGS/4w==,iv:CUHjGRNc8NU5FqhqvpqbATmVE3Kg9Z0jMBFlzsAwON0=,tag:uZlxw9skd0VNLfZTJ/6ZSQ==,type:str]
#ENC[AES256_GCM,data:t+u4g7nvpq2U27CHgmu1xi2Ppwv7cJf1s6Et,iv:LtwoPoxsQn1MujHRoD6SqDLm8uN4uBpuIVmn23DDgjI=,tag:PKOHF5vcQzHszpp1sfuU0Q==,type:comment]
password: ENC[AES256_GCM,data:GcQ6x8ewxInmAcQwhhwJgXMHxd/ygkscsp2vg7PILEeaOv1heBX0fTHb0sRyAfhLxwKDH84LtGb37656,iv:UEQ7dgqNEKisalpPXFffsVzn6kXDt9DmJP6ec3LOHRE=,tag:CyPPqG2Vf8eeSVzAASintQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -18,8 +24,8 @@ sops:
bzYzSEQrRkN6WVVmN254a2NCcUxGVFkK4aHv8tiFiNEnd7I5LB0Jd/4upkEEEXis
9A5hdTn20EqL62QuHeYRav1TRu42dp+R4iZAlVl9cRzThkzZKJdHlg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-28T13:04:02Z"
mac: ENC[AES256_GCM,data:b0F+YQZI7lVoOarse5dNBU6WQfnGRMgSlw/SaEE4ZuANXaL8zK1vY+zztB/MMEd5Y2mrNn/rBZt/9V9RXkMp49Bns0tCtUzAghOT8vIRjVk+hjYVuTiET5o5JokGOiT3vrSWIAo1zFuASq4lUlgXaWX3rX57EVvq7iFb7Lye53Q=,iv:xAtK6HMC8rt+OtnYYq6u3eOYhxV2PjfYB7yf0KmY9eg=,tag:++XgTe4zvEeAehCj2KsqYw==,type:str]
lastmodified: "2024-08-29T05:57:46Z"
mac: ENC[AES256_GCM,data:JGrZUe8PLjlcHULvVa8Yi8ORAW5bMKOMxSGbJ2UFji9byRGu+JHaU7gdF45lrR5XKxJZLmZesWI9fRjsnlEd9WDTEroiwFo965mYFcdmbrJb37BIRO6Thy6C77GXMNcOVW2hBgcVDckNIbAk3qgvVG2QOZ5VKwxPLVQPsfWfCFs=,iv:Do05RY+cgahdv8/Nk6RIOxBA6x28GxyErrgSQRoIR80=,tag:HoqhdhZmcS3QxXGfZyxfFw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

41
system/services/telemetry/loki.nix
View file

@ -2,9 +2,43 @@
let
cfg = config.profile.services.telemetry.loki;
inherit (lib) mkIf;
lokiDomain = "loki.tigor.web.id";
in
{
config = mkIf cfg.enable {
sops =
let
usernameKey = "loki/caddy/basic_auth/username";
passwordKey = "loki/caddy/basic_auth/password";
in
{
secrets =
let
opts = { sopsFile = ../../../secrets/telemetry.yaml; owner = "grafana"; };
in
{
${usernameKey} = opts;
${passwordKey} = opts;
};
templates = {
"loki/caddy/basic_auth".content = /*sh*/ ''
LOKI_USERNAME=${config.sops.placeholder.${usernameKey}}
LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}}
'';
};
};
systemd.services."caddy".serviceConfig = {
EnvironmentFile = config.sops.templates."loki/caddy/basic_auth".path;
};
services.caddy.virtualHosts.${lokiDomain}.extraConfig = /*caddy*/ ''
basicauth {
{$LOKI_USERNAME} {$LOKI_PASSWORD}
}
reverse_proxy ${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
'';
services.loki =
let
dataDir = config.services.loki.dataDir;
@ -13,7 +47,7 @@ in
enable = true;
configuration = {
# https://grafana.com/docs/loki/latest/configure/examples/configuration-examples/
auth_enabled = false; # Loki will not be exposed to the public internet
auth_enabled = false;
server = {
http_listen_address = "0.0.0.0";
http_listen_port = 3100;
@ -58,10 +92,15 @@ in
type = "loki";
access = "proxy";
url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
basicAuth = true;
basicAuthUser = "$__file{${config.sops.secrets."loki/caddy/basic_auth/username".path}}";
jsonData = {
timeout = 60;
maxLines = 1000;
};
secureJsonData = {
basicAuthPassword = "$__file{${config.sops.secrets."loki/caddy/basic_auth/password".path}}";
};
}
];
};