diff --git a/ansible/files/alloy.river b/ansible/files/alloy.river
new file mode 100644
index 0000000..010a8ea
--- /dev/null
+++ b/ansible/files/alloy.river
@@ -0,0 +1,61 @@
+logging {
+  level = "info"
+}
+
+loki.write "default" {
+  endpoint {
+    url = "https://loki.put.gay/loki/api/v1/push"
+    basic_auth {
+      username = "loki"
+      password = "{{hostvars[inventory_hostname].metrics_password}}"
+    }
+  }
+}
+
+local.file_match "system_logs" {
+  path_targets = [
+    {__path__ = "/var/log/syslog"},
+    {__path__ = "/var/log/messages"},
+    {__path__ = "/var/log/*.log"},
+  ]
+}
+
+loki.source.file "system_logs" {
+  targets    = local.file_match.system_logs.targets
+  forward_to = [loki.write.default.receiver]
+
+  tail_from_end = true
+}
+
+local.file_match "journal_logs" {
+  path_targets = [
+    {__path__ = "/var/log/journal/*/*"},
+  ]
+}
+
+loki.source.journal "journal" {
+  forward_to = [loki.write.default.receiver]
+  relabel_rules = loki.relabel.journal.rules
+  labels = {
+    job = "systemd-journal",
+  }
+}
+
+loki.relabel "journal" {
+  forward_to = [loki.write.default.receiver]
+
+  rule {
+    source_labels = ["__journal__systemd_unit"]
+    target_label  = "unit"
+  }
+
+  rule {
+    source_labels = ["__journal__hostname"]
+    target_label  = "hostname"
+  }
+
+  rule {
+    source_labels = ["__journal_priority_keyword"]
+    target_label  = "level"
+  }
+}
diff --git a/ansible/files/alloy.service b/ansible/files/alloy.service
new file mode 100644
index 0000000..b2c02ac
--- /dev/null
+++ b/ansible/files/alloy.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Grafana Alloy
+Documentation=https://grafana.com/docs/alloy/latest/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+User=alloy
+Environment=HOSTNAME=%H
+Environment="ALLOY_DEPLOY_MODE=default"
+Environment="ALLOY_ENABLE_FEATURES="
+Environment="ALLOY_DISABLE_FEATURES="
+Environment="ALLOY_CLUSTER_ENABLED=false"
+Environment="ALLOY_DISABLE_REPORTING=false"
+ExecStart=/usr/bin/alloy run --storage.path=/var/lib/alloy/data /etc/alloy/config.river
+ExecReload=/usr/bin/env kill -SIGHUP $MAINPID
+Restart=always
+RestartSec=10
+TimeoutStopSec=10s
+SendSIGKILL=yes
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/ansible/handlers/global.yml b/ansible/handlers/global.yml
index 841ca03..f1e861d 100644
--- a/ansible/handlers/global.yml
+++ b/ansible/handlers/global.yml
@@ -19,3 +19,10 @@
 - name: restart blocky
   service: name=blocky state=restarted enabled=yes daemon-reload=true
   listen: "restart blocky"
+- name: restart alloy
+  service: name=alloy state=restarted enabled=yes
+  listen: "restart alloy"
+- name: reload systemd
+  systemd:
+    daemon_reload: yes
+  listen: "reload systemd"
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 545ca05..fa5f022 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -7,6 +7,7 @@
   - import_tasks: ./tasks/debian.yml
   - import_tasks: ./tasks/dns.yml
   - import_tasks: ./tasks/prometheus.yml
+  - import_tasks: ./tasks/alloy.yml
   handlers:
     - import_tasks: ./handlers/global.yml
 - hosts: lb_ord
@@ -17,6 +18,7 @@
   - import_tasks: ./tasks/blocky.yml
   - import_tasks: ./tasks/dnsdist.yml
   - import_tasks: ./tasks/caddy.yml
+  - import_tasks: ./tasks/alloy.yml
   - name: copy dnsdist service override
     template:
       src: "{{ playbook_dir }}/files/dnsdist.service"
diff --git a/ansible/tasks/alloy.yml b/ansible/tasks/alloy.yml
new file mode 100644
index 0000000..5a50c8f
--- /dev/null
+++ b/ansible/tasks/alloy.yml
@@ -0,0 +1,55 @@
+---
+- name: Install Grafana Alloy
+  block:
+    - name: Add Grafana GPG apt key
+      ansible.builtin.apt_key:
+        url: https://apt.grafana.com/gpg.key
+        state: present
+
+    - name: Add Grafana repository
+      ansible.builtin.apt_repository:
+        repo: "deb https://apt.grafana.com stable main"
+        state: present
+        update_cache: yes
+
+    - name: Install Alloy
+      ansible.builtin.apt:
+        name: alloy
+        state: present
+        update_cache: yes
+
+    - name: Create Alloy configuration directory
+      ansible.builtin.file:
+        path: /etc/alloy
+        state: directory
+        mode: '0755'
+
+    - name: Copy Alloy configuration
+      template:
+        src: "{{ playbook_dir }}/files/alloy.river"
+        dest: /etc/alloy/config.river
+        mode: '0644'
+      notify: restart alloy
+
+    - name: Add alloy user to systemd-journal and adm groups
+      ansible.builtin.user:
+        name: alloy
+        groups: systemd-journal,adm
+        append: yes
+      notify: restart alloy
+
+    - name: Copy Alloy systemd service file
+      ansible.builtin.copy:
+        src: "{{ playbook_dir }}/files/alloy.service"
+        dest: /etc/systemd/system/alloy.service
+        mode: '0644'
+      notify:
+        - reload systemd
+        - restart alloy
+
+    - name: Enable and start Alloy service
+      ansible.builtin.systemd:
+        name: alloy
+        enabled: yes
+        state: started
+        daemon_reload: yes
diff --git a/ansible/tasks/dnsdist.yml b/ansible/tasks/dnsdist.yml
index ba3f607..a5462b8 100644
--- a/ansible/tasks/dnsdist.yml
+++ b/ansible/tasks/dnsdist.yml
@@ -1,6 +1,6 @@
 # vi: ft=yaml.ansible
 - name: install dnsdist
   apt:
-    deb: https://repo.powerdns.com/debian/pool/main/d/dnsdist/dnsdist_1.9.6-1pdns.bookworm_amd64.deb
+    deb: https://repo.powerdns.com/debian/pool/main/d/dnsdist/dnsdist_1.9.10-1pdns.bookworm_amd64.deb
 - name: ensure dnsdist default svc is not running
   service: name=dnsdist state=stopped enabled=no