diff --git a/group_vars/loki.yml b/group_vars/loki.yml
index 308db8f..c4ef8b3 100644
--- a/group_vars/loki.yml
+++ b/group_vars/loki.yml
@@ -2,3 +2,20 @@ data_volumes:
 - dev: /dev/vdb
   fstype: btrfs
   mountpoint: /var/lib/loki
+
+loki_caddy_acme:
+  email: loki@pyrocufflink.blue
+  url: https://ca.pyrocufflink.blue/acme/acme/directory
+
+loki_caddy_client_ca: |+
+  -----BEGIN CERTIFICATE-----
+  MIIBlDCCAUagAwIBAgIUGNZ/ASP8F2ytev3YplTk4jA5a2EwBQYDK2VwMEgxCzAJ
+  BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxDTALBgNVBAsMBExv
+  a2kxEDAOBgNVBAMMB0xva2kgQ0EwHhcNMjQwMjIwMTUwMTQxWhcNMzQwMjIwMTUw
+  MTQxWjBIMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMQ0w
+  CwYDVQQLDARMb2tpMRAwDgYDVQQDDAdMb2tpIENBMCowBQYDK2VwAyEAnmMawEIo
+  WfzFaLgpSiaPD+DHg28NHknMFcs7XpyTM9CjQjBAMB0GA1UdDgQWBBTFth3c4S/f
+  y0BphQy9SucnKN2pLzASBgNVHRMBAf8ECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjAF
+  BgMrZXADQQCn0JWERsXdJA4kMM45ZXhVgAciwLNQ8ikoucsJcbWBp7bSMjcMVi51
+  I+slotQvQES/vfqp/zZFNl7KKyeeQ0sD
+  -----END CERTIFICATE-----
diff --git a/loki.yml b/loki.yml
index beb8764..3d1e1ba 100644
--- a/loki.yml
+++ b/loki.yml
@@ -3,3 +3,6 @@
 - role: loki
   tags:
   - loki
+- role: loki-caddy
+  tags:
+  - loki-caddy
diff --git a/roles/loki-caddy/defaults/main.yml b/roles/loki-caddy/defaults/main.yml
new file mode 100644
index 0000000..8968204
--- /dev/null
+++ b/roles/loki-caddy/defaults/main.yml
@@ -0,0 +1 @@
+loki_caddy_server_name: loki.{{ ansible_domain }}
diff --git a/roles/loki-caddy/meta/main.yml b/roles/loki-caddy/meta/main.yml
new file mode 100644
index 0000000..e278138
--- /dev/null
+++ b/roles/loki-caddy/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+  tags: caddy
diff --git a/roles/loki-caddy/tasks/main.yml b/roles/loki-caddy/tasks/main.yml
new file mode 100644
index 0000000..ad87edf
--- /dev/null
+++ b/roles/loki-caddy/tasks/main.yml
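Review bot: `loki_caddy_client_ca` uses the `|+` keep indicator, which folds every trailing blank line of the block into the variable's value; for a PEM that is written straight to `/etc/caddy/loki-client-ca.crt` the plain `|` (exactly one trailing newline) is the right choice, and it cannot change if someone later adds a blank line below the certificate. The certificate decodes as an Ed25519 CA, `CN=Loki CA`, valid 2024-02-20 to 2034-02-20 with pathlen 0, but nothing in the file says where it came from or what it gates; a comment above the key such as `# Trust root for Loki client certificates (Grafana); rotate before 2034-02 and re-issue clients` would help whoever has to rotate it. `loki_caddy_acme.url` and `.email` are substituted verbatim into the Caddyfile, so their unquoted form is fine.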
@@ -0,0 +1,24 @@
+- name: ensure caddy is configured to proxy for loki
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/loki.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config
+
+- name: ensure client ca is configured
+  copy:
+    dest: /etc/caddy/loki-client-ca.crt
+    content: >-
+      {{ loki_caddy_client_ca|d('') }}
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - cert
diff --git a/roles/loki-caddy/templates/Caddyfile.j2 b/roles/loki-caddy/templates/Caddyfile.j2
new file mode 100644
index 0000000..8c675b9
--- /dev/null
+++ b/roles/loki-caddy/templates/Caddyfile.j2
@@ -0,0 +1,33 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ loki_caddy_server_name }} {
+    tls {
+        client_auth {
+            mode verify_if_given
+            trusted_ca_cert_file /etc/caddy/loki-client-ca.crt
+        }
+    }
+    @anonymous {
+        expression {tls_client_subject} == null
+    }
+    @grafana {
+        header X-Grafana-User *
+    }
+    handle @anonymous {
+        route /loki/api/v1/push {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /metrics {
+            reverse_proxy 127.0.0.1:3100
+        }
+        route /ready {
+            reverse_proxy 127.0.0.1:3100
+        }
+        respond 403
+    }
+    handle @grafana {
+        reverse_proxy 127.0.0.1:3100
+    }
+    tls {{ loki_caddy_acme.email }} {
+        ca {{ loki_caddy_acme.url }}
+    }
+}
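Review bot: The `d('')` default on `content` in the second task means an undefined `loki_caddy_client_ca` silently writes an empty `/etc/caddy/loki-client-ca.crt`, while the Caddyfile rendered by the first task unconditionally names that file in `trusted_ca_cert_file`; the problem then surfaces only when `reload caddy` runs (if Caddy rejects the empty file) rather than at play time. Drop the default, `content: "{{ loki_caddy_client_ca }}"`, so Ansible aborts on a missing variable, and let `copy` check the PEM before it lands: `validate: openssl x509 -noout -in %s`. The `>-` folded scalar is harmless here because the raw YAML value is a single Jinja expression, but the quoted plain form is the conventional one. Both tasks notify `reload caddy`, which I take to be provided by the `caddy` role listed in meta/main.yml.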
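Review bot: A request that presents a verified client certificate but no `X-Grafana-User` header matches neither `handle @anonymous` nor `handle @grafana`, so it falls through to Caddy's default response instead of the 403 the anonymous branch returns; add a catch-all after `handle @grafana`: `handle {` / `respond 403` / `}`. `X-Grafana-User` is a client-supplied header, so the only real gate on the full Loki API here is the client certificate verified under `client_auth`; a comment above `@grafana` such as `# header is informational; access is gated by the client cert, not by this matcher` would keep a later edit from loosening `mode` or dropping the `@anonymous` branch. Note also that `/loki/api/v1/push` and `/metrics` are proxied with no client certificate at all, so anyone who can reach `{{ loki_caddy_server_name }}` can push log entries; if that is meant to rely on network reachability, say so in a comment. Since `handle` blocks without path matchers appear to be evaluated in Caddyfile order, `handle @anonymous` must stay ahead of `handle @grafana`, which deserves a comment too.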