diff --git a/inventories/chaosknoten/host_vars/grafana.yaml b/inventories/chaosknoten/host_vars/grafana.yaml
index 87cd328..2e8cb71 100644
--- a/inventories/chaosknoten/host_vars/grafana.yaml
+++ b/inventories/chaosknoten/host_vars/grafana.yaml
@@ -12,15 +12,28 @@ docker_compose__configuration_files:
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml') }}"
   - name: alertmanager_alert_templates.tmpl
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/alertmanager_alert_templates.tmpl') }}"
+  - name: loki.yaml
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/loki.yaml') }}"
 
 certbot__version_spec: ""
 certbot__acme_account_email_address: le-admin@hamburg.ccc.de
 certbot__certificate_domains:
   - "grafana.hamburg.ccc.de"
+  - "loki.hamburg.ccc.de"
+
 certbot__new_cert_commands:
   - "systemctl reload nginx.service"
 
 nginx__version_spec: ""
+nginx__deploy_redirect_conf: false
+nginx__deploy_htpasswds: true
+nginx__htpasswds:
+  - name: loki
+    content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/grafana/nginx/loki.htpasswd.j2') }}"
 nginx__configurations:
+  - name: redirectv6
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/redirect.conf') }}"
   - name: grafana.hamburg.ccc.de
     content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf') }}"
+  - name: loki.hamburg.ccc.de
+    content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf') }}"
diff --git a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
index 3e994dc..cbe6e81 100644
--- a/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
@@ -55,7 +55,19 @@ services:
       - /dev/null:/etc/prometheus/pve.yml
 
 
+  loki:
+    image: grafana/loki:3
+    container_name: loki
+    ports:
+      - 13100:3100
+      - 19099:9099
+    restart: unless-stopped
+    volumes:
+      - ./configs/loki.yaml:/etc/loki/local-config.yaml
+      - loki_data:/var/loki
+
 volumes:
   graf_data: {}
   prom_data: {}
   alertmanager_data: {}
+  loki_data: {}
diff --git a/resources/chaosknoten/grafana/docker_compose/grafana-datasource.yml b/resources/chaosknoten/grafana/docker_compose/grafana-datasource.yml
index 44999d4..632ad1c 100644
--- a/resources/chaosknoten/grafana/docker_compose/grafana-datasource.yml
+++ b/resources/chaosknoten/grafana/docker_compose/grafana-datasource.yml
@@ -7,3 +7,15 @@ datasources:
     isDefault: true
     access: proxy
     editable: true
+  - name: Loki
+    type: loki
+    url: http://loki:3100
+    access: proxy
+    editable: true
+    jsonData:
+      timeout: 60
+      maxLines: 3000
+      httpHeaderName1: "X-Scope-OrgID"
+    secureJsonData:
+      httpHeaderValue1: "chaos"
+
diff --git a/resources/chaosknoten/grafana/docker_compose/loki.yaml b/resources/chaosknoten/grafana/docker_compose/loki.yaml
new file mode 100644
index 0000000..daf214f
--- /dev/null
+++ b/resources/chaosknoten/grafana/docker_compose/loki.yaml
@@ -0,0 +1,52 @@
+auth_enabled: true
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9099
+  log_level: warn
+
+limits_config:
+  retention_period: 14d
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /var/loki
+  storage:
+    filesystem:
+      chunks_directory: /var/loki/chunks
+      rules_directory: /var/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+storage_config:
+  filesystem:
+    directory: /var/loki/chunks
+  index_queries_cache_config:
+    embedded_cache:
+      enabled: true
+      max_size_mb: 80
+      ttl: 30m
+
+schema_config:
+  configs:
+    - from: 2025-04-28
+      store: tsdb
+      object_store: filesystem
+      schema: v13
+      index:
+        prefix: index_
+        period: 24h
+
+chunk_store_config:
+  chunk_cache_config:
+    embedded_cache:
+      enabled: true
+      max_size_mb: 80
+      ttl: 30m
+  write_dedupe_cache_config:
+    embedded_cache:
+      enabled: true
+      max_size_mb: 80
+      ttl: 30m
diff --git a/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
new file mode 100644
index 0000000..f62dc4e
--- /dev/null
+++ b/resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf
@@ -0,0 +1,71 @@
+server {
+    # Wieske
+    allow 172.31.17.128/25;
+    allow 212.12.51.128/28;
+    allow 2a00:14b0:42:100::/56;
+    # Z9
+    allow 2a07:c480:0:100::/56;
+    allow 2a07:c481:1::/48;
+    deny all;
+
+    listen [2a00:14b0:4200:3380:0000:5a5f:1dbc:6a39]:9099 ssl http2;
+    listen 172.31.17.145:9099 ssl http2;
+
+    server_name loki.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loki.hamburg.ccc.de/privkey.pem;
+
+    auth_basic  "loki";
+    auth_basic_user_file loki.htpasswd;
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port 9099;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Scope-OrgID $remote_user;
+        grpc_pass grpc://localhost:19009;
+    }
+}
+
+server {
+    # Wieske
+    allow 172.31.17.128/25;
+    allow 212.12.51.128/28;
+    allow 2a00:14b0:42:100::/56;
+    # Z9
+    allow 2a07:c480:0:100::/56;
+    allow 2a07:c481:1::/48;
+    deny all;
+
+    listen [2a00:14b0:4200:3380:0000:5a5f:1dbc:6a39]:3100 ssl http2;
+    listen 172.31.17.145:3100 ssl http2;
+
+    server_name loki.hamburg.ccc.de;
+
+    ssl_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loki.hamburg.ccc.de/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/chain.pem;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    auth_basic  "loki";
+    auth_basic_user_file loki.htpasswd;
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Port 3100;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Scope-OrgID $remote_user;
+        proxy_pass http://127.0.0.1:13100;
+    }
+}
diff --git a/resources/chaosknoten/grafana/nginx/loki.htpasswd.j2 b/resources/chaosknoten/grafana/nginx/loki.htpasswd.j2
new file mode 100644
index 0000000..0c2f8b7
--- /dev/null
+++ b/resources/chaosknoten/grafana/nginx/loki.htpasswd.j2
@@ -0,0 +1 @@
+chaos:{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/loki_chaos_basic_auth", create=false, missing="error") }}
diff --git a/resources/chaosknoten/grafana/nginx/redirect.conf b/resources/chaosknoten/grafana/nginx/redirect.conf
new file mode 100644
index 0000000..28b265a
--- /dev/null
+++ b/resources/chaosknoten/grafana/nginx/redirect.conf
@@ -0,0 +1,14 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
+    }
+}
diff --git a/roles/nginx/meta/argument_specs.yaml b/roles/nginx/meta/argument_specs.yaml
index 866cb81..f2cb1d7 100644
--- a/roles/nginx/meta/argument_specs.yaml
+++ b/roles/nginx/meta/argument_specs.yaml
@@ -34,3 +34,19 @@ argument_specs:
         type: str
         required: false
         default: ""
+      nginx__deploy_htpasswds:
+        type: bool
+        required: false
+        default: false
+      nginx__htpasswds:
+        type: list
+        elements: dict
+        required: false
+        default: [ ]
+        options:
+          name:
+            type: str
+            required: true
+          content:
+            type: str
+            required: true
diff --git a/roles/nginx/tasks/main/04_config_deploy.yaml b/roles/nginx/tasks/main/04_config_deploy.yaml
index 38dbfc1..7dba579 100644
--- a/roles/nginx/tasks/main/04_config_deploy.yaml
+++ b/roles/nginx/tasks/main/04_config_deploy.yaml
@@ -131,6 +131,20 @@
     label: "{{ item.name }}"
   notify: Restart nginx
 
+- name: Ensure all given htpasswd files are deployed
+  when: nginx__deploy_htpasswds
+  ansible.builtin.copy:
+    content: "{{ item.content }}"
+    dest: "/etc/nginx/{{ item.name }}.htpasswd"
+    mode: "0644"
+    owner: root
+    group: root
+  become: true
+  loop: "{{ nginx__htpasswds }}"
+  loop_control:
+    label: "{{ item.name }}"
+  notify: Restart nginx
+
 - name: Add names with suffixes from `nginx__configurations` to `nginx__config_files_to_exist` fact
   ansible.builtin.set_fact:
     nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}"  # noqa: jinja[spacing]