diff --git a/group_vars/all/vault_loki.yml b/group_vars/all/vault_loki.yml
index 4c1ee88c45afd0694c9528639095cfb3805ebe6e..fa63846e75c607e98b0173fdddcf0b46e9dc68cf 100644
--- a/group_vars/all/vault_loki.yml
+++ b/group_vars/all/vault_loki.yml
@@ -1,10 +1,8 @@
 $ANSIBLE_VAULT;1.1;AES256
-32393361373264633531353264623563303635643964323839616366656632363933626233386538
-3037343264613038613164303261626232333761336534340a313033636232643864663033656563
-32313164646232663663343235316361336163373265313639313032623239646339383530343039
-3236613365643235650a333066633439633964303532396466613464623166383162373161656566
-66666336623138363266393034376532313465633032363433383731613133656437323563346334
-34623433613437333861376638396461373439376463383830343531626666333935393262323636
-39343566336266316630373463633562643761353932613163663836613761383565373230326361
-34333433343330353831303233613236343132303239396666626437633832363433656532376236
-3062
+37643130346638613539323431666164623435666264346231643964626232343534666338646335
+3834376365383264306438316137313163613262323630370a666637316461396132383864633539
+37653062643062663563353635376462396237616634626633633762366334373665306563643366
+3139316239303165380a653166623863366130346231313465336666383365646264396337303334
+30383231653734613230376139326137306137333037616636336663656532316637633531313538
+63643330643031663563643430666165323933633933363436306334643166313231616664666664
+653339626466616537613738636465346538
diff --git a/roles/loki/defaults/main.yml b/roles/loki/defaults/main.yml
deleted file mode 100644
index 0534d2e19a87ace6cbc429aec7bd9538960cbda6..0000000000000000000000000000000000000000
--- a/roles/loki/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-loki_nginx_htpasswd: /etc/nginx/auth/loki
diff --git a/roles/loki/tasks/main.yml b/roles/loki/tasks/main.yml
index bd9c4cdf36a9accf4c7df5aee333377cec345d8f..36aa6eebc9a3fab7950adbfd6a274a351ea8fa09 100644
--- a/roles/loki/tasks/main.yml
+++ b/roles/loki/tasks/main.yml
@@ -6,23 +6,11 @@
 copy: src=loki.yaml dest=/etc/loki/ owner=root group=root mode=0644
 notify: restart loki
-- name: install python-passlib
- pacman: name=python-passlib
-
-- name: create htpasswd for nginx loki endpoint
- htpasswd:
- path: "{{ loki_nginx_htpasswd }}"
- name: "{{ vault_loki_nginx_user }}"
- password: "{{ vault_loki_nginx_passwd }}"
- owner: root
- group: http
- mode: 0640
-
 - name: make nginx log dir
 file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755
 - name: set up nginx
- template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=644
+ template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=640
 notify: reload nginx
 tags: ['nginx']
diff --git a/roles/loki/templates/nginx.d.conf.j2 b/roles/loki/templates/nginx.d.conf.j2
index a3f90fffc03060293a66f57bc061a6eab0de426d..07473276a4176e62e972ee7da8c0273a176fa299 100644
--- a/roles/loki/templates/nginx.d.conf.j2
+++ b/roles/loki/templates/nginx.d.conf.j2
@@ -12,8 +12,9 @@ server {
 error_log /var/log/nginx/loki/error.log;
 location = /loki/api/v1/push {
- auth_basic "Loki :)";
- auth_basic_user_file {{ loki_nginx_htpasswd }};
+ if ($http_authorization != "Bearer {{ vault_loki_token }}") {
+ return 403;
+ }
 proxy_pass http://127.0.0.1:3100$request_uri;
 }
diff --git a/roles/promtail/templates/promtail.yaml.j2 b/roles/promtail/templates/promtail.yaml.j2
index 23ec2d390f03afbc94e0c6147a2637e417c7a7cc..9b7115668c9f3e62c32bc55383173f7dc4ca3dff 100644
--- a/roles/promtail/templates/promtail.yaml.j2
+++ b/roles/promtail/templates/promtail.yaml.j2
@@ -9,9 +9,7 @@ positions:
 clients:
 - url: http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}/loki/api/v1/push
- basic_auth:
- username: '{{ vault_loki_nginx_user }}'
- password: '{{ vault_loki_nginx_passwd }}'
+ bearer_token: '{{ vault_loki_token }}'
 scrape_configs:
 - job_name: journal
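Review bot: In roles/loki/tasks/main.yml the htpasswd task is removed but nothing deletes the file it created, so a host that already ran this role keeps `/etc/nginx/auth/loki` with the old basic-auth hash on disk. A cleanup task would close that out: `- name: remove obsolete loki htpasswd file` with `file: path=/etc/nginx/auth/loki state=absent`. Separately, logging.conf now carries the bearer token, so running the "set up nginx" task with diff output enabled would print the token to the console or CI log; adding `no_log: true` to that task avoids this.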
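Review bot: In roles/loki/templates/nginx.d.conf.j2 the token is rendered unescaped into a double-quoted nginx string inside the `if` condition, so a `"`, `\` or `$` in `vault_loki_token` would either end the string early or be read as an nginx variable reference. The vaulted value is not visible here, so the current token may well be safe, but nothing on the page enforces that for the next rotation. A comment above the `if`, for example `# vault_loki_token must be non-empty and contain only [A-Za-z0-9._-]`, would record the constraint, and an `assert` task in the role could enforce it. The enclosing `server` block starts and ends outside this hunk.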
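Review bot: In roles/promtail/templates/promtail.yaml.j2 the new `bearer_token` line writes the shared push secret in cleartext into the promtail config on every host, and the task that installs this file, with its owner and mode, is not part of this diff. This commit tightens the nginx side to `mode=640`; unless it is already restricted, the rendered promtail.yaml should likewise be readable only by the user promtail runs as. Alternatively the token can live in its own file referenced via `bearer_token_file`. The single-quoted scalar would also break if a future token contained a `'`.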