diff --git a/modules/alloy.nix b/modules/alloy.nix
new file mode 100644
index 0000000..d5c3c6d
--- /dev/null
+++ b/modules/alloy.nix
@@ -0,0 +1,81 @@
+{
+  modulesPath,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  sops = {
+    secrets."services/loki/basic_auth" = {
+      mode = "0440";
+      owner = "alloy";
+      group = "alloy";
+      restartUnits = [ "alloy.service" ];
+      sopsFile = ../secrets/passwords.yaml;
+    };
+    secrets."services/mimir/basic_auth" = {
+      mode = "0440";
+      owner = "alloy";
+      group = "alloy";
+      restartUnits = [ "alloy.service" ];
+      sopsFile = ../secrets/passwords.yaml;
+    };
+  };
+
+  services.alloy = {
+    enable = true;
+    configPath = "/etc/alloy/config.alloy";
+  };
+
+  environment.etc."alloy/config.alloy" = {
+    text = ''
+      prometheus.remote_write "default" {
+        endpoint {
+          url = "http://mimir.noc.eh22.intern/api/v1/push"
+          basic_auth {
+            username = "noc"
+            password_file = "${config.sops.secrets."services/mimir/basic_auth".path}" 
+          }
+        }
+      }
+      loki.write "default" {
+        endpoint {
+          url = "http://loki.noc.eh22.intern/loki/api/v1/push"
+          basic_auth {
+            username = "noc"
+            password_file = "${config.sops.secrets."services/loki/basic_auth".path}" 
+          }
+        }
+      }
+
+      loki.relabel "journal" {
+        forward_to = []
+
+        rule {
+          source_labels = ["__journal__systemd_unit"]
+          target_label  = "unit"
+        }
+      }
+
+      loki.source.journal "read_journal"  {
+        forward_to    = [loki.write.default.receiver]
+        relabel_rules = loki.relabel.journal.rules
+        labels        = {component = "loki.source.journal", host = "${config.networking.hostName}"}
+      }
+
+      logging {
+        level = "info"
+        format = "logfmt"
+      }
+
+      prometheus.exporter.unix "local_system" { }
+
+      prometheus.scrape "scrape_metrics" {
+        targets         = prometheus.exporter.unix.local_system.targets
+        forward_to      = [prometheus.remote_write.default.receiver]
+        scrape_interval = "10s"
+      }
+    '';
+  };
+}
diff --git a/secrets/passwords.yaml b/secrets/passwords.yaml
index 3453f35..6349a89 100644
--- a/secrets/passwords.yaml
+++ b/secrets/passwords.yaml
@@ -7,7 +7,11 @@ services:
     grafana:
         admin_password: ENC[AES256_GCM,data:EimHeXiWzrzDVHnqmfAs+6/jsNp0cyVRJQu8U7drsP4=,iv:WmpPZstgTru8AHg5VeKRhfFdc0r5J9OWhCHdCzw/g+E=,tag:uftQ1kgj8LAuFB+MLSqnJw==,type:str]
     loki:
-        basic_auth: ENC[AES256_GCM,data:nr03H2jHSwn49EorFmapJ6MZ,iv:TNao6XZJPW+BXpeB0BOvV9Rty6N4sgpVWiwCDSKrVcQ=,tag:YmCkIUwfBCcASGIxlT4pGg==,type:str]
+        basic_auth: ENC[AES256_GCM,data:EuzUz2HFgpj/qvwr70fjezYrck7VveZfq1AWgCrgqY8=,iv:JANdADgMSZ1VFdkT5SdEITy1aI7VNc9lrU7eL6VZAb0=,tag:Z8eiu3vBWn7+7LxIEsrRoA==,type:str]
+        nginx: ENC[AES256_GCM,data:dLfstf/UaUfM3pIRa5PPGA8K2VK42QvJArXkjUTFO0OeYn8lTtSx2M8=,iv:WuNZQ+bcY5UqZq9rpBk4yihIxEAoN4ReQ5SjBjBKfXg=,tag:7eeexb97Aye+4VZum8TSuA==,type:str]
+    mimir:
+        basic_auth: ENC[AES256_GCM,data:B0UHO6/oj2KQACanDKaGToVQ+d345IZDVXbDqL1JM2A=,iv:7nEMQXpZJO9iLCVjEQupQ6/fhfr5Q0IQNkGFeJxegYo=,tag:4hWLdPHKz2nvB2kPuW3JIA==,type:str]
+        nginx: ENC[AES256_GCM,data:1vQE9z+w6RGwFK8mOuhzW3NArwthEcY/c/yQzAA6IwXtsDuxu7AS11M=,iv:jMtkHRR/+DVX1FREGUVTSTVUUUzOpjrLbNabHnw8Dq0=,tag:HbtQyuLlW5AbYqYDrtrbJA==,type:str]
 hardware:
     proxmox_server:
         ipmi:
@@ -49,8 +53,8 @@ sops:
             SHhiSU5PZmpUakZvQVNtYk5nUk1tZjAKyHND2LZuuBciy7toDLrAH47kyWcGAN7c
             ORrD03DBoEV7mjBY86Hl3SaLKHxlBXsB93OOWqeZrvHlbki+qn/OZA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-10T21:45:17Z"
-    mac: ENC[AES256_GCM,data:8Qa+pqO3pm2geqpTTvOUyR8QEMh1KS7YorGn3P+Zt+Ts9bD4Dn/HkuYnE+vjmtAotl8OnSdGf6gaGEMSC2O7mHz6pbplsYWrho45i6ZkpLh7gDG+UR7hp5pjC1K6oX3wIGzfr1z3VyGRt8dnAaEk01tTIztoP5dFSzZrFeliUis=,iv:mgjqoJfkChkUkpeBQgUxdonalmtfI6fzO+TttS8LShk=,tag:tT57gxysO4Np/BZaKUDVug==,type:str]
+    lastmodified: "2025-03-14T17:47:08Z"
+    mac: ENC[AES256_GCM,data:w6psg02RoJ4fxu/jMr8ld2z8soXqb0UQmyCspwCOI8Qj3UvAE7EePKFmgqj7GEkY9yJ0VtBTqrwRcA2VWJ2Xtq6NyCyUdHNqiNDLRnegkD7EG4izYGib2Z32YnX73azh0sT6ZrB0de7vyyqj9i8J/UHphBEVayvAe7RVMVvlSgw=,iv:uAV+FHTzf92MaFiqXlfxyZkZf7OHEkTXPrbiIV6UVV4=,tag:orZqw7CQlbp7tKS7ccmdfg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
diff --git a/systems/default.nix b/systems/default.nix
index dd900c3..d0b01c8 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -21,6 +21,7 @@ let
 
         ../modules/base_system.nix
         ../modules/user_account.nix
+        ../modules/alloy.nix
         systemModule
 
         (
diff --git a/systems/monitoring.noc.eh22.intern/loki.nix b/systems/monitoring.noc.eh22.intern/loki.nix
index 00fb4d4..a740d4b 100644
--- a/systems/monitoring.noc.eh22.intern/loki.nix
+++ b/systems/monitoring.noc.eh22.intern/loki.nix
@@ -62,7 +62,7 @@
       virtualHosts."loki.noc.eh22.intern" = {
         locations."/loki/api/v1/push" = {
           proxyPass = "http://loki";
-          #basicAuthFile = config.sops.secrets."services/loki/basic_auth".path;
+          basicAuthFile = config.sops.secrets."services/loki/nginx".path;
         };
       };
     };
diff --git a/systems/monitoring.noc.eh22.intern/mimir.nix b/systems/monitoring.noc.eh22.intern/mimir.nix
index 259dbe6..cb9ebc0 100644
--- a/systems/monitoring.noc.eh22.intern/mimir.nix
+++ b/systems/monitoring.noc.eh22.intern/mimir.nix
@@ -40,6 +40,7 @@
     virtualHosts."mimir.noc.eh22.intern" = {
       locations."/api/v1/push" = {
         proxyPass = "http://mimir";
+        basicAuthFile = config.sops.secrets."services/mimir/nginx".path;
       };
     };
   };
diff --git a/systems/monitoring.noc.eh22.intern/system.nix b/systems/monitoring.noc.eh22.intern/system.nix
index dd9aa54..2dd20fd 100644
--- a/systems/monitoring.noc.eh22.intern/system.nix
+++ b/systems/monitoring.noc.eh22.intern/system.nix
@@ -12,8 +12,17 @@
       group = "grafana";
       restartUnits = [ "grafana.service" ];
     };
-    secrets."services/loki/basic_auth" = {
-      mode = "0777";
+    secrets."services/loki/nginx" = {
+      mode = "0440";
+      owner = "nginx";
+      group = "nginx";
+      restartUnits = [ "nginx.service" ];
+    };
+    secrets."services/mimir/nginx" = {
+      mode = "0440";
+      owner = "nginx";
+      group = "nginx";
+      restartUnits = [ "nginx.service" ];
     };
   };
 
@@ -26,60 +35,13 @@
         matchConfig.MACAddress = "BC:24:11:FC:C2:26";
         address = [ "10.20.25.4/24" ];
         gateway = [ "10.20.25.2" ];
+        dns = [ "10.20.25.5" ];
       };
     };
   };
 
   networking.firewall.allowedTCPPorts = [ 80 ];
 
-  services.alloy = {
-    enable = true;
-    configPath = "/etc/alloy/config.alloy";
-  };
-
-  environment.etc."alloy/config.alloy" = {
-    text = ''
-      prometheus.remote_write "default" {
-        endpoint {
-          url = "http://127.0.0.1:9009/api/v1/push"
-        }
-      }
-      loki.write "default" {
-        endpoint {
-          url = "http://127.0.0.1:3100/loki/api/v1/push" 
-        }
-      }
-
-      loki.relabel "journal" {
-        forward_to = []
-
-        rule {
-          source_labels = ["__journal__systemd_unit"]
-          target_label  = "unit"
-        }
-      }
-
-      loki.source.journal "read_journal"  {
-        forward_to    = [loki.write.default.receiver]
-        relabel_rules = loki.relabel.journal.rules
-        labels        = {component = "loki.source.journal", host = "${config.networking.hostName}"}
-      }
-
-      logging {
-        level = "info"
-        format = "logfmt"
-      }
-
-      prometheus.exporter.unix "local_system" { }
-
-      prometheus.scrape "scrape_metrics" {
-        targets         = prometheus.exporter.unix.local_system.targets
-        forward_to      = [prometheus.remote_write.default.receiver]
-        scrape_interval = "10s"
-      }
-    '';
-  };
-
   imports = [
     ./grafana.nix
     ./mimir.nix