{config, ...}: let
  promtail_port = 9080;
in {
  networking.firewall.allowedTCPPorts = [promtail_port];

  systemd.tmpfiles.rules = [
    "d /var/lib/promtail 0755 promtail promtail -"
  ];

  services.promtail = {
    enable = true;
    configuration = {
      server = {
        http_listen_port = promtail_port;
        grpc_listen_port = 0;
      };
      positions = {
        filename = "/var/lib/promtail/positions.yaml";
      };
      clients = [
        {
          url = "http://monitor.lab:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
        {
          job_name = "journal";
          journal = {
            path = "/var/log/journal";
            labels = {
              job = "promtail";
              host = config.networking.hostName;
              env = "proxmox";
              instance = "${config.networking.hostName}.lab";
            };
          };
          relabel_configs = [
            {
              source_labels = ["__journal__systemd_unit"];
              target_label = "unit";
            }
            {
              source_labels = ["__journal__hostname"];
              target_label = "host";
            }
            {
              source_labels = ["__journal__systemd_user_unit"];
              target_label = "user_unit";
            }
            {
              source_labels = ["__journal__transport"];
              target_label = "transport";
            }
            {
              source_labels = ["__journal_priority_keyword"];
              target_label = "severity";
            }
          ];
        }
        # {
        #   job_name = "secure";
        #   static_configs = {
        #     targets = ["localhost"];
        #     labels = {
        #       job = "secure";
        #       host = config.networking.hostName;
        #       env = "proxmox";
        #       instance = "${config.networking.hostName}.lab";
        #       __path__ = "/var/log/secure";
        #     };
        #   };
        # }
      ];
    };
  };
}