{
  modulesPath,
  config,
  lib,
  pkgs,
  ...
}:
{
  sops = {
    secrets."services/loki/basic_auth" = {
      mode = "0440";
      owner = "alloy";
      group = "alloy";
      restartUnits = [ "alloy.service" ];
      sopsFile = ../secrets/passwords.yaml;
    };
    secrets."services/mimir/basic_auth" = {
      mode = "0440";
      owner = "alloy";
      group = "alloy";
      restartUnits = [ "alloy.service" ];
      sopsFile = ../secrets/passwords.yaml;
    };
  };

  services.alloy = {
    enable = true;
    configPath = "/etc/alloy/config.alloy";
  };

  environment.etc."alloy/config.alloy" = {
    text = ''
      prometheus.remote_write "default" {
        endpoint {
          url = "http://mimir.noc.eh22.intern/api/v1/push"
          basic_auth {
            username = "noc"
            password_file = "${config.sops.secrets."services/mimir/basic_auth".path}" 
          }
        }
      }
      loki.write "default" {
        endpoint {
          url = "http://loki.noc.eh22.intern/loki/api/v1/push"
          basic_auth {
            username = "noc"
            password_file = "${config.sops.secrets."services/loki/basic_auth".path}" 
          }
        }
      }

      loki.relabel "journal" {
        forward_to = []

        rule {
          source_labels = ["__journal__systemd_unit"]
          target_label  = "unit"
        }
      }

      loki.source.journal "read_journal"  {
        forward_to    = [loki.write.default.receiver]
        relabel_rules = loki.relabel.journal.rules
        labels        = {component = "loki.source.journal", host = "${config.networking.hostName}"}
      }

      logging {
        level = "info"
        format = "logfmt"
      }

      prometheus.exporter.unix "local_system" { }

      prometheus.scrape "scrape_metrics" {
        targets         = prometheus.exporter.unix.local_system.targets
        forward_to      = [prometheus.remote_write.default.receiver]
        scrape_interval = "10s"
      }
    '';
  };
}