From 0972de6d7ba9ff43e8937bf1592712f1e1e4b9aa Mon Sep 17 00:00:00 2001
From: Tigor Hutasuhut <tigor.hutasuhut@gmail.com>
Date: Thu, 29 Aug 2024 13:19:48 +0700
Subject: [PATCH] loki: now exposed to inernet with basic auth

---
 secrets/telemetry.yaml             | 10 ++++++--
 system/services/telemetry/loki.nix | 41 +++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/secrets/telemetry.yaml b/secrets/telemetry.yaml
index 52aa725..0a597bc 100644
--- a/secrets/telemetry.yaml
+++ b/secrets/telemetry.yaml
@@ -3,6 +3,12 @@ grafana:
     admin_password: ENC[AES256_GCM,data:EFJfC78YtBLF5CIxLLhN9deZYcSL7/EfS4w=,iv:qrNi3WsRD26W5L67Fxch7qasEUh9vTj6HUWZs5PGz4o=,tag:bxW1CJyXOcz/pgN39ncQ+w==,type:str]
     admin_email: ENC[AES256_GCM,data:2cvoq65K2/mdDuykkPVZryDJeNCK,iv:rU4jUYm+3dcvx1KooN9mWQDoovn7t+V7z1eU1m7VagE=,tag:Bhdbiq4BXO3nDwG9StUOkQ==,type:str]
     secret_key: ENC[AES256_GCM,data:f4f1YF27VU/893HASHmCVL8vnsJEaHD33GOdFVpMj81MOutXqb7d03Hb1DYkDV3aMVmEdpvBcFK3SpZdFma3,iv:q6d59H1PniaVhw6tbd1maCelEGlAC4y2i38jMZ9Jn/Q=,tag:uSbCRstKy7C4Vwp+/FxF/Q==,type:str]
+loki:
+    caddy:
+        basic_auth:
+            username: ENC[AES256_GCM,data:MRwky3O8LGS/4w==,iv:CUHjGRNc8NU5FqhqvpqbATmVE3Kg9Z0jMBFlzsAwON0=,tag:uZlxw9skd0VNLfZTJ/6ZSQ==,type:str]
+            #ENC[AES256_GCM,data:t+u4g7nvpq2U27CHgmu1xi2Ppwv7cJf1s6Et,iv:LtwoPoxsQn1MujHRoD6SqDLm8uN4uBpuIVmn23DDgjI=,tag:PKOHF5vcQzHszpp1sfuU0Q==,type:comment]
+            password: ENC[AES256_GCM,data:GcQ6x8ewxInmAcQwhhwJgXMHxd/ygkscsp2vg7PILEeaOv1heBX0fTHb0sRyAfhLxwKDH84LtGb37656,iv:UEQ7dgqNEKisalpPXFffsVzn6kXDt9DmJP6ec3LOHRE=,tag:CyPPqG2Vf8eeSVzAASintQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -18,8 +24,8 @@ sops:
             bzYzSEQrRkN6WVVmN254a2NCcUxGVFkK4aHv8tiFiNEnd7I5LB0Jd/4upkEEEXis
             9A5hdTn20EqL62QuHeYRav1TRu42dp+R4iZAlVl9cRzThkzZKJdHlg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-28T13:04:02Z"
-    mac: ENC[AES256_GCM,data:b0F+YQZI7lVoOarse5dNBU6WQfnGRMgSlw/SaEE4ZuANXaL8zK1vY+zztB/MMEd5Y2mrNn/rBZt/9V9RXkMp49Bns0tCtUzAghOT8vIRjVk+hjYVuTiET5o5JokGOiT3vrSWIAo1zFuASq4lUlgXaWX3rX57EVvq7iFb7Lye53Q=,iv:xAtK6HMC8rt+OtnYYq6u3eOYhxV2PjfYB7yf0KmY9eg=,tag:++XgTe4zvEeAehCj2KsqYw==,type:str]
+    lastmodified: "2024-08-29T05:57:46Z"
+    mac: ENC[AES256_GCM,data:JGrZUe8PLjlcHULvVa8Yi8ORAW5bMKOMxSGbJ2UFji9byRGu+JHaU7gdF45lrR5XKxJZLmZesWI9fRjsnlEd9WDTEroiwFo965mYFcdmbrJb37BIRO6Thy6C77GXMNcOVW2hBgcVDckNIbAk3qgvVG2QOZ5VKwxPLVQPsfWfCFs=,iv:Do05RY+cgahdv8/Nk6RIOxBA6x28GxyErrgSQRoIR80=,tag:HoqhdhZmcS3QxXGfZyxfFw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/system/services/telemetry/loki.nix b/system/services/telemetry/loki.nix
index 89e36b2..1216da0 100644
--- a/system/services/telemetry/loki.nix
+++ b/system/services/telemetry/loki.nix
@@ -2,9 +2,43 @@
 let
   cfg = config.profile.services.telemetry.loki;
   inherit (lib) mkIf;
+  lokiDomain = "loki.tigor.web.id";
 in
 {
   config = mkIf cfg.enable {
+
+    sops =
+      let
+        usernameKey = "loki/caddy/basic_auth/username";
+        passwordKey = "loki/caddy/basic_auth/password";
+      in
+      {
+        secrets =
+          let
+            opts = { sopsFile = ../../../secrets/telemetry.yaml; owner = "grafana"; };
+          in
+          {
+            ${usernameKey} = opts;
+            ${passwordKey} = opts;
+          };
+        templates = {
+          "loki/caddy/basic_auth".content = /*sh*/ ''
+            LOKI_USERNAME=${config.sops.placeholder.${usernameKey}}
+            LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}}
+          '';
+        };
+      };
+
+    systemd.services."caddy".serviceConfig = {
+      EnvironmentFile = config.sops.templates."loki/caddy/basic_auth".path;
+    };
+    services.caddy.virtualHosts.${lokiDomain}.extraConfig = /*caddy*/ ''
+      basicauth {
+        {$LOKI_USERNAME} {$LOKI_PASSWORD}
+      }
+      reverse_proxy ${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
+    '';
+
     services.loki =
       let
         dataDir = config.services.loki.dataDir;
@@ -13,7 +47,7 @@ in
         enable = true;
         configuration = {
           # https://grafana.com/docs/loki/latest/configure/examples/configuration-examples/
-          auth_enabled = false; # Loki will not be exposed to the public internet
+          auth_enabled = false;
           server = {
             http_listen_address = "0.0.0.0";
             http_listen_port = 3100;
@@ -58,10 +92,15 @@ in
         type = "loki";
         access = "proxy";
         url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
+        basicAuth = true;
+        basicAuthUser = "$__file{${config.sops.secrets."loki/caddy/basic_auth/username".path}}";
         jsonData = {
           timeout = 60;
           maxLines = 1000;
         };
+        secureJsonData = {
+          basicAuthPassword = "$__file{${config.sops.secrets."loki/caddy/basic_auth/password".path}}";
+        };
       }
     ];
   };