Add tls_config support to alloy server #1433

Merged
brianmcgillion merged 1 commit into tiiuae:main from everton-dematos:pr_tls_config
Sep 29, 2025

Conversation

@everton-dematos
Contributor

Description of Changes

Enable mTLS support for the Alloy log forwarder when sending logs to Loki. Improvements can be listed as follows:

  • Supports per-target mTLS profiles (custom CA, SNI, min TLS version, and client cert/key), enabling easy personalization for different SIEMs or gateways with their own PKI and policy requirements.
  • Allows using a custom CA (internal PKI), which is typical in SIEM environments and zero-trust networks.
  • Client identity available (mTLS-ready).
  • Transport is TLS-encrypted with explicit policy (no silent downgrade).

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. Check if the logs are being uploaded to the remote server (e.g., Grafana)
  2. On admin-vm, run the following command to dump a live graph of all running Alloy components: curl -s http://127.0.0.1:12345/api/v0/web/components
  3. Look for the loki.write block labeled remote. You should see: referencesTo includes local.file.tls_cert and local.file.tls_key (and local.file.tls_ca if you set a custom CA). This confirms the tls_config is wired in.

Collaborator

@vunnyso vunnyso left a comment

Overall good, few minor comments.

Signed-off-by: Everton de Matos <everton.dematos@tii.ae>
@brianmcgillion brianmcgillion added the Needs Testing CI Team to pre-verify label Sep 28, 2025
@milva-unikie

Tested on Darter Pro (nixos-rebuild switch)

  • Grafana displays logs normally
  • loki.write block has correct references

@milva-unikie milva-unikie added Tested on System76 and removed Needs Testing CI Team to pre-verify labels Sep 29, 2025
@brianmcgillion brianmcgillion merged commit c5a5a03 into tiiuae:main Sep 29, 2025
27 checks passed
@everton-dematos everton-dematos deleted the pr_tls_config branch January 23, 2026 07:10