adding loki

resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf

@@ -0,0 +1,71 @@
+server {
+    # Wieske
+    allow 172.31.17.128/25;
+    allow 212.12.51.128/28;
+    allow 2a00:14b0:42:100::/56;
+    # Z9
+    allow 2a07:c480:0:100::/56;
+    allow 2a07:c481:1::/48;
+    deny all;
+
+    listen [2a00:14b0:4200:3380:0000:5a5f:1dbc:6a39]:9099 ssl http2;
+    listen 172.31.17.145:9099 ssl http2;
+
+    server_name loki.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loki.hamburg.ccc.de/privkey.pem;
+
+    auth_basic  "loki";
+    auth_basic_user_file loki.htpasswd;
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port 9099;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Scope-OrgID $remote_user;
+        grpc_pass grpc://localhost:19009;
+    }
+}
+
+server {
+    # Wieske
+    allow 172.31.17.128/25;
+    allow 212.12.51.128/28;
+    allow 2a00:14b0:42:100::/56;
+    # Z9
+    allow 2a07:c480:0:100::/56;
+    allow 2a07:c481:1::/48;
+    deny all;
+
+    listen [2a00:14b0:4200:3380:0000:5a5f:1dbc:6a39]:3100 ssl http2;
+    listen 172.31.17.145:3100 ssl http2;
+
+    server_name loki.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loki.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    auth_basic  "loki";
+    auth_basic_user_file loki.htpasswd;
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port 3100;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Scope-OrgID $remote_user;
+        proxy_pass http://127.0.0.1:13100;
+    }
+}

resources/chaosknoten/grafana/nginx/loki.htpasswd.j2

@@ -0,0 +1 @@
+chaos:{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/loki_chaos_basic_auth", create=false, missing="error") }}

resources/chaosknoten/grafana/nginx/redirect.conf

@@ -0,0 +1,14 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
+}