From 563c3c5c19b4b792691001e5df80118a28d2bc68 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Thu, 8 Jul 2021 02:57:15 +0200
Subject: [PATCH] loki/promtail: Use a bearer token instead of basic auth

It simplifies the setup a bit: no htpasswd file and no passlib dependency on the Loki host, just a shared token checked by nginx.
---
 group_vars/all/vault_loki.yml             | 16 +++++++---------
 roles/loki/defaults/main.yml              |  1 -
 roles/loki/tasks/main.yml                 | 14 +-------------
 roles/loki/templates/nginx.d.conf.j2      |  5 +++--
 roles/promtail/templates/promtail.yaml.j2 |  4 +---
 5 files changed, 12 insertions(+), 28 deletions(-)
 delete mode 100644 roles/loki/defaults/main.yml

diff --git a/group_vars/all/vault_loki.yml b/group_vars/all/vault_loki.yml
index 4c1ee88c4..fa63846e7 100644
--- a/group_vars/all/vault_loki.yml
+++ b/group_vars/all/vault_loki.yml
@@ -1,10 +1,8 @@
 $ANSIBLE_VAULT;1.1;AES256
-32393361373264633531353264623563303635643964323839616366656632363933626233386538
-3037343264613038613164303261626232333761336534340a313033636232643864663033656563
-32313164646232663663343235316361336163373265313639313032623239646339383530343039
-3236613365643235650a333066633439633964303532396466613464623166383162373161656566
-66666336623138363266393034376532313465633032363433383731613133656437323563346334
-34623433613437333861376638396461373439376463383830343531626666333935393262323636
-39343566336266316630373463633562643761353932613163663836613761383565373230326361
-34333433343330353831303233613236343132303239396666626437633832363433656532376236
-3062
+37643130346638613539323431666164623435666264346231643964626232343534666338646335
+3834376365383264306438316137313163613262323630370a666637316461396132383864633539
+37653062643062663563353635376462396237616634626633633762366334373665306563643366
+3139316239303165380a653166623863366130346231313465336666383365646264396337303334
+30383231653734613230376139326137306137333037616636336663656532316637633531313538
+63643330643031663563643430666165323933633933363436306334643166313231616664666664
+653339626466616537613738636465346538
diff --git a/roles/loki/defaults/main.yml b/roles/loki/defaults/main.yml
deleted file mode 100644
index 0534d2e19..000000000
--- a/roles/loki/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-loki_nginx_htpasswd: /etc/nginx/auth/loki
diff --git a/roles/loki/tasks/main.yml b/roles/loki/tasks/main.yml
index bd9c4cdf3..36aa6eebc 100644
--- a/roles/loki/tasks/main.yml
+++ b/roles/loki/tasks/main.yml
@@ -6,23 +6,11 @@
   copy: src=loki.yaml dest=/etc/loki/ owner=root group=root mode=0644
   notify: restart loki
 
-- name: install python-passlib
-  pacman: name=python-passlib
-
-- name: create htpasswd for nginx loki endpoint
-  htpasswd:
-    path: "{{ loki_nginx_htpasswd }}"
-    name: "{{ vault_loki_nginx_user }}"
-    password: "{{ vault_loki_nginx_passwd }}"
-    owner: root
-    group: http
-    mode: 0640
-
 - name: make nginx log dir
   file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755
 
 - name: set up nginx
-  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=644
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=640
   notify: reload nginx
   tags: ['nginx']
 
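Review bot: The htpasswd file the removed task used to create at `/etc/nginx/auth/loki` is no longer managed but is not removed either, so on already-deployed hosts the old credential hash stays on disk; add a cleanup task such as `- name: remove old htpasswd for nginx loki endpoint` / `file: path=/etc/nginx/auth/loki state=absent`. Tightening the rendered config to `mode=640` is the right call now that the token is embedded in it; presumably nginx reads the config as root, so root:root is sufficient here. Note that `mode=640` only parses as octal because the key=value form passes it as a string — in block-YAML module args it would have to be written as `mode: '0640'`.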
diff --git a/roles/loki/templates/nginx.d.conf.j2 b/roles/loki/templates/nginx.d.conf.j2
index a3f90fffc..07473276a 100644
--- a/roles/loki/templates/nginx.d.conf.j2
+++ b/roles/loki/templates/nginx.d.conf.j2
@@ -12,8 +12,9 @@ server {
     error_log    /var/log/nginx/loki/error.log;
 
     location = /loki/api/v1/push {
-        auth_basic "Loki :)";
-        auth_basic_user_file {{ loki_nginx_htpasswd }};
+        if ($http_authorization != "Bearer {{ vault_loki_token }}") {
+            return 403;
+        }
 
         proxy_pass http://127.0.0.1:3100$request_uri;
     }
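Review bot: The `if` comparison interpolates the token into an nginx string, so a token containing `$`, `"` or a backslash would be expanded or break the config at reload; document this in the template, e.g. `# vault_loki_token must not contain nginx string specials ($, ", \)`, and generate the token from a safe alphabet. The comparison is also an ordinary byte-wise string compare rather than constant-time, which is a minor concern if this listener is only reachable over WireGuard as the promtail client URL suggests, but worth a one-line comment. Returning `401` rather than `403` would be the conventional response to a missing or wrong credential, though promtail does not care. The `server` block continues outside the hunk.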
diff --git a/roles/promtail/templates/promtail.yaml.j2 b/roles/promtail/templates/promtail.yaml.j2
index 23ec2d390..9b7115668 100644
--- a/roles/promtail/templates/promtail.yaml.j2
+++ b/roles/promtail/templates/promtail.yaml.j2
@@ -9,9 +9,7 @@ positions:
 
 clients:
   - url: http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}/loki/api/v1/push
-    basic_auth:
-      username: '{{ vault_loki_nginx_user }}'
-      password: '{{ vault_loki_nginx_passwd }}'
+    bearer_token: '{{ vault_loki_token }}'
 
 scrape_configs:
   - job_name: journal
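Review bot: The bearer token is now rendered into promtail.yaml in clear text, so the permissions of that template's destination matter as much as the nginx config's; the task that writes it is not in this diff, so confirm it is not world-readable. Promtail's client block also accepts `bearer_token_file`, which would keep the secret in a separately-permissioned file: `bearer_token_file: /etc/promtail/loki_token`. The URL is plain `http://` on the WireGuard address, so the token is protected by the tunnel rather than by TLS — worth stating in a comment above the `clients:` entry.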
-- 
GitLab