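# NixOS module: run promtail on this host and ship the nginx access logs to a
# remote Loki instance.
{ pkgs, config, lib, ... }:
{
  # Open promtail's HTTP listener in the host firewall. The port number is
  # read back from the promtail configuration below so the two cannot drift.
  # The listener speaks HTTP, which is TCP only, so no UDP port is opened.
  # NOTE(review): this endpoint is unauthenticated. If only one monitoring
  # host needs it, consider limiting the rule to that interface or source
  # address instead of opening the port on every interface.
  networking.firewall = {
    allowedTCPPorts = [ config.services.promtail.configuration.server.http_listen_port ];
  };

  # Makeshift permissions, applied by hand, because the promtail user cannot
  # read /var by default:
  #   (in /var) $ sudo setfacl -R -m u:promtail:rX log
  #             $ sudo chown promtail:promtail /tmp/positions.yaml
  #             $ sudo usermod -a -G systemd-journal promtail
  # NOTE(review): the recursive ACL gives promtail read access to everything
  # under /var/log, while the only scrape job below reads
  # /var/log/nginx/*-access.log. Scoping the ACL to /var/log/nginx would be
  # enough for this configuration. These steps are not declarative and are
  # lost on a fresh install.
  services.promtail = {
    enable = true;

    configuration = {
      server = {
        http_listen_port = 6177;
        # 0 lets promtail pick a random gRPC port; it is not opened in the
        # firewall above.
        grpc_listen_port = 0;
        # NOTE(review): debug logging is verbose; presumably left over from
        # setup - confirm it is still wanted.
        log_level = "debug";
      };

      # File where promtail records how far it has read in each log file.
      # NOTE(review): /tmp is a shared, world-writable directory and is often
      # cleared on reboot, after which the read offsets are lost. A directory
      # owned by the promtail service is the safer location.
      positions = {
        filename = "/tmp/positions.yaml";
      };

      # Loki push endpoint.
      # NOTE(review): the URL is plain HTTP to a remote address, so log lines
      # cross the network unencrypted and the server is not authenticated.
      # Prefer https (with tls_config / basic_auth on the client) if the Loki
      # side supports it.
      clients = [
        {
          url = "http://32.54.31.99:3100/loki/api/v1/push";
          tenant_id = 1;
        }
      ];

      # One job: tail every nginx access log matched by the glob in __path__
      # and attach the static labels below to each stream.
      scrape_configs = [
        {
          job_name = "nginx";
          static_configs = [
            {
              targets = [ "localhost" ];
              labels = {
                job = "nginx";
                host = "carbon";
                agent = "promtail";
                __path__ = ''/var/log/nginx/*-access.log'';
              };
            }
          ];
        }
      ];
    };
  };
}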