diff --git a/newinfra/nix/modules/garage/README.md b/newinfra/nix/modules/garage/README.md index cdc3add..95f82f8 100644 --- a/newinfra/nix/modules/garage/README.md +++ b/newinfra/nix/modules/garage/README.md @@ -16,9 +16,14 @@ ## buckets - `caddy-store`: Store for Caddy webservers - - key `caddy` + - key `caddy` RW - `docker-registry` + - key `docker-registry` RW +- `loki` + - key `loki` RW ## keys - `caddy`: `GK25e33d4ba20d54231e513b80` +- `docker-registry`: `GK48011ee5b5ccbaf4233c0e40` +- `loki`: `GK84ffae2a0728abff0f96667b` diff --git a/newinfra/nix/modules/prometheus/default.nix b/newinfra/nix/modules/prometheus/default.nix index 7541000..8fc5d6c 100644 --- a/newinfra/nix/modules/prometheus/default.nix +++ b/newinfra/nix/modules/prometheus/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: { +{ config, lib, ... }: { services.prometheus = { enable = true; globalConfig = { }; @@ -55,7 +55,6 @@ }; age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age; - systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_admin_password.path; services.grafana = { enable = true; 
@@ -83,8 +82,92 @@
 prometheusType = "Prometheus";
 };
 }
+ {
+ name = "loki";
+ type = "loki";
+ access = "proxy";
+ url = "http://vps3.local:3100";
+ }
 ];
 };
 };
 };
+
+ age.secrets.loki_env.file = ../../secrets/loki_env.age;
+ systemd.services.loki.serviceConfig.EnvironmentFile = config.age.secrets.loki_env.path;
+ services.loki = {
+ enable = true;
+ extraFlags = [ "-config.expand-env=true" ];
+ configuration = {
+ auth_enabled = false;
+ server = {
+ http_listen_port = 3100;
+ };
+ common = {
+ ring = {
+ instance_addr = "127.0.0.1";
+ kvstore.store = "inmemory";
+ };
+ replication_factor = 1;
+ path_prefix = "/var/lib/loki";
+ };
+ schema_config = {
+ configs = [
+ {
+ from = "2020-05-15";
+ store = "tsdb";
+ object_store = "s3";
+ schema = "v13";
+ index = {
+ prefix = "index_";
+ period = "24h";
+ };
+ }
+ ];
+ };
+ storage_config = {
+ tsdb_shipper = {
+ active_index_directory = "/var/lib/loki/index";
+ cache_location = "/var/lib/loki/cache";
+ };
+ aws = {
+ s3 = "s3://\${ACCESS_KEY}:\${SECRET_KEY}@http://127.0.0.1:3900/loki";
+ insecure = true;
+ };
+ };
+ };
+ };
+ system.activationScripts.makeLokiDir = lib.stringAfter [ "var" ] ''
+ mkdir -p /var/lib/loki/{index,cache}
+ chown ${config.services.loki.user}:${config.services.loki.group} -R /var/lib/loki
+ '';
+
+ services.promtail = {
+ enable = true;
+ configuration = {
+ server = {
+ disable = true;
+ };
+ clients = [
+ {
+ url = "http://localhost:3100/loki/api/v1/push";
+ }
+ ];
+ scrape_configs = [
+ {
+ job_name = "journal";
+ journal = {
+ max_age = "12h";
+ labels = {
+ job = "systemd-journal";
+ };
+ };
+ relabel_configs = [{
+ source_labels = [ "__journal__systemd_unit" ];
+ target_label = "unit";
+ }];
+ }
+ ];
+ };
+ };
 }
diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age
index 9a940bb..c1fc9f7 100644
--- a/newinfra/nix/secrets/caddy_s3_key_secret.age
+++ b/newinfra/nix/secrets/caddy_s3_key_secret.age
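Review bot: The new `server` block sets only `http_listen_port = 3100`, and with `auth_enabled = false` that leaves Loki's push and query API open to anything that can reach the port. Loki listens on all interfaces unless an address is given, and the Grafana datasource added in the same hunk reaches it at `http://vps3.local:3100`, so it is not meant to be loopback-only. If vps3's firewall does not already limit 3100 to the private network (not visible in this diff), bind it explicitly with `http_listen_address = "<vps3 private address>";` in `server`, or open the port only on the private interface via `networking.firewall`. The gRPC listener is left at its default and deserves the same treatment. Promtail on this host pushes to `http://localhost:3100`, so whichever address is chosen has to keep that path working, or the client `url` should be changed to match.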
@@ -1,13 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg suW24NAhcPEuIWyA1lFQSrtkVIoVUQV4qRppIwoH7n4 -XzB5wU21Od/y+nFQAFVesSSPhTPlRHJNTStOJVCVKNI --> ssh-ed25519 XzACZQ v7FU9k53H5FZQZ2fiYElpDBcXT6+b9KNVTZ4g+2VjgI -UUulUURY2fEui2ycv6r9PsVd5sZ662Kin2ZFfdJY9AY --> ssh-ed25519 51bcvA 3CnO+G1LnAwYshp5DcnwfKmuFezJy0qADOzhcH6huWg -B9CG7W4V9Z/oRvd54vOXsTopWiA+s3aXqypVREt+Njc --> ssh-ed25519 vT7ExA nmuJNZLqv2n7pTQ2f2VgmonBh63O6RSm41vqxSrCTTQ -lJXeHl4mKwYoaU2lI8lgGGNkBkU9ZRpqRzxm6UrPZ0U ---- lsYfgJSFOhYj0aR8B8t83su6POtmOdkPQJw39ku/bn0 -I6qSTbc7'QT͓ 4ÒTtgxqbcp?loC8eo]J*Dx.OVwvO -3_bm9ML}׃"ovu"B[#w{I%]\9: -mKn :/PZI \ No newline at end of file +-> ssh-ed25519 qM6TYg CLDRFpO2DZRai0abyFUHTP0WWOBtLFS7rLOq5h5QtUs +5gFHSYcctBGWkbe8LikjpTam/BHbilhbtMcWDBi9Oik +-> ssh-ed25519 XzACZQ kx9bB9qiKbd/SLSaDjI1qODeLyBYfUrb12qC8adCvWs +UpjT6xLfv7L1DnZnVcj72KIeClbryQ1efxgHeXTjngM +-> ssh-ed25519 51bcvA 8nm/Z6VJacqmezgeYa1CsShZnclZgK0dfMBCgdD/unc +6H2w2snEEhMvn4a4uXJdC4SfnvgQ/4B3qL7kpZ93Veg +-> ssh-ed25519 vT7ExA Du6mW/IczVv0+SNLDT+6ghumvoNIL7wW+lKFuZ8SLTQ +aqah8fBN8JgOoi6WsrspCqqKjk4Znnl4WZQhlt/AUQ4 +--- ljnxwBBY5gkLMQCwJvVfS8UJJ3VH4GVxh5G6CYcJvtA +lm) t3GߎNс=[?խj(,{0RS!4#ek&U6E€$w vУtJ6I,s6en,aisÔmJ9v~0ĬOl4KԃdS]p(d|r \ No newline at end of file diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age index 110e8d2..26aee99 100644 --- a/newinfra/nix/secrets/docker_registry_password.age +++ b/newinfra/nix/secrets/docker_registry_password.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg p6LIIYNxXoumgg777+rrmMoUBuudQrDb5R6p8EW/cC0 -bSwO9YTpnCxexbHiZANFykICHucznaA54C4hSdRnUo8 ---- 3NVOMR4M/OUerHG/m+8srOq3JVt5D+ctjMvvkzQv47E -Ez ssh-ed25519 qM6TYg NvguOs7htIflYp6bh6oiiH7Cp2l/0Mf4mcf/4b8ReQg +BngCQfbilctBfNKjE+TkEhE3Bk2pkIlc1UYdAFISP/g +--- 3hA+KfCqIAvwuL+mr4PFW9hVlpsc+t0uwG8I8Uc8JXY +J@zI95/`VfWߤp#0;D دw'rg+n \ No newline at end of file 
diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age index 1d1e8f8..1c7e29b 100644 Binary files a/newinfra/nix/secrets/garage_secrets.age and b/newinfra/nix/secrets/garage_secrets.age differ diff --git a/newinfra/nix/secrets/grafana_admin_password.age b/newinfra/nix/secrets/grafana_admin_password.age index 2ff5b1e..f43a25d 100644 --- a/newinfra/nix/secrets/grafana_admin_password.age +++ b/newinfra/nix/secrets/grafana_admin_password.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 XzACZQ 3tsILL/SbH8Q9HSLdHXp7bCp6qFpPvM+i9oY1ig7w2s -wXY15JDZ1OJ/EOcRNcptCeJL6hJm3b9Qv979+GNTmmQ ---- Q+TStd6iOYR9XlxmSclv//8J+PZr2M7KwK/+Wrs65zY -*;x6=%[Zg= :Ts-2g#≮ haFIDr.fÇ;ժgط~DȢudMfdz \ No newline at end of file +-> ssh-ed25519 XzACZQ SosFhSCAHF2iDSk+H05bziuG9qOxe+/wTjQxut+KggA +4/f30HxHreEh28+oQwhZCP9zvg/8Wr5IVLciCWJjSmo +--- 7p+ykQtDZWxlMpzcdjG8AMgBeo/zbrWet5A9uV5KuCo +Ҕ$"?0k6'!O4C\ E #R>M++]WZ ntmñʻd +KbU9Ll;}u=?7Ny \ No newline at end of file diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age index cdc3a42..4e1e5c8 100644 Binary files a/newinfra/nix/secrets/hugochat_db_password.age and b/newinfra/nix/secrets/hugochat_db_password.age differ diff --git a/newinfra/nix/secrets/loki_env.age b/newinfra/nix/secrets/loki_env.age new file mode 100644 index 0000000..65ec96e --- /dev/null +++ b/newinfra/nix/secrets/loki_env.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 XzACZQ duC8HdUu3AuNHooD0lOyoQthZ2g7agHxE+o39iHljAk +nOySC3inXaD1MjbosV1NcxJhXYKmU3gJu5M4CtdFwK0 +--- QkN5D8JfVCTCyBlWIou4mmV58gHZ5qgS1CY4APxm2wU +'9NPp@5x@E>X8d}MqGL1~_rxy0)%(DT@[ew2yʈB}<1 +͋Y1Z+Iy$\X1e)e?yKlG\ N[aYqK> \ No newline at end of file diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age index a214dce..9ccf0e2 100644 Binary files a/newinfra/nix/secrets/minio_env_file.age and b/newinfra/nix/secrets/minio_env_file.age differ 
diff --git a/newinfra/nix/secrets/registry_htpasswd.age b/newinfra/nix/secrets/registry_htpasswd.age
index 3491858..2bf8a3f 100644
Binary files a/newinfra/nix/secrets/registry_htpasswd.age and b/newinfra/nix/secrets/registry_htpasswd.age differ
diff --git a/newinfra/nix/secrets/registry_s3_key_secret.age b/newinfra/nix/secrets/registry_s3_key_secret.age
index f3b5145..57df63e 100644
Binary files a/newinfra/nix/secrets/registry_s3_key_secret.age and b/newinfra/nix/secrets/registry_s3_key_secret.age differ
diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix
index 46de4d9..edf17a0 100644
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@@ -17,6 +17,7 @@ in
 "registry_htpasswd.age".publicKeys = [ vps1 ];
 "registry_s3_key_secret.age".publicKeys = [ vps1 ];
 "grafana_admin_password.age".publicKeys = [ vps3 ];
+ "loki_env.age".publicKeys = [ vps3 ];
 "wg_private_dns1.age".publicKeys = [ dns1 ];
 "wg_private_dns2.age".publicKeys = [ dns2 ];
 "wg_private_vps1.age".publicKeys = [ vps1 ];
diff --git a/newinfra/nix/secrets/wg_private_dns1.age b/newinfra/nix/secrets/wg_private_dns1.age
index 2e5b93b..44c6e6e 100644
Binary files a/newinfra/nix/secrets/wg_private_dns1.age and b/newinfra/nix/secrets/wg_private_dns1.age differ
diff --git a/newinfra/nix/secrets/wg_private_dns2.age b/newinfra/nix/secrets/wg_private_dns2.age
index 8e6bee9..86fce00 100644
Binary files a/newinfra/nix/secrets/wg_private_dns2.age and b/newinfra/nix/secrets/wg_private_dns2.age differ
diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age
index 503abb0..368b053 100644
Binary files a/newinfra/nix/secrets/wg_private_vps1.age and b/newinfra/nix/secrets/wg_private_vps1.age differ
diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age
index 1ca6758..ab1a7d7 100644
Binary files a/newinfra/nix/secrets/wg_private_vps3.age and b/newinfra/nix/secrets/wg_private_vps3.age differ
diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age index 16471ae..b8f355f 100644 --- a/newinfra/nix/secrets/wg_private_vps4.age +++ b/newinfra/nix/secrets/wg_private_vps4.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 51bcvA ji2zWkOp9u2bor9xScXWckGZN3733piHLN/gd+quiW0 -uzciBDLzZiizL3fFbn3vjiIoHGJWdFlHff3vjSWHs7g ---- fE0bz9m5izwJX90w3RjhmzNaCPuKjhpM5M0qngI9c/A -/3^'%(֡!keG`bڍ깯J0L.дʝpes,1ȷ \ No newline at end of file +-> ssh-ed25519 51bcvA rPz/FYX2fQZl6qKVGi4lysbaEfcUlZLqgz5dTkiGEmc +XFG3Mio/jSyD11sWTASw820p78mohiZ8e5vrP6ZQJO4 +--- 97H29fZ0yb9XByMaOEM7RcRfsEOYwjC5C7kZERehCEU +Vٔ^G~,s-\u҃U(2pٮr,1*dp)?g/byynMc}dĤ3v*WS` e \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age index 5a1296f..6a84e45 100644 Binary files a/newinfra/nix/secrets/wg_private_vps5.age and b/newinfra/nix/secrets/wg_private_vps5.age differ diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 8fedc8f..0638e3b 100644 Binary files a/newinfra/nix/secrets/widetom_bot_token.age and b/newinfra/nix/secrets/widetom_bot_token.age differ diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age index 7ae49df..dc3698c 100644 Binary files a/newinfra/nix/secrets/widetom_config_toml.age and b/newinfra/nix/secrets/widetom_config_toml.age differ diff --git a/newinfra/secrets-git-crypt/loki_env b/newinfra/secrets-git-crypt/loki_env new file mode 100644 index 0000000..599b568 Binary files /dev/null and b/newinfra/secrets-git-crypt/loki_env differ