diff --git a/cluster/services/monitoring/default.nix b/cluster/services/monitoring/default.nix
index 80f1ebb..20961cc 100644
--- a/cluster/services/monitoring/default.nix
+++ b/cluster/services/monitoring/default.nix
@@ -78,11 +78,21 @@ in
 garage = {
 keys = {
- loki = { };
+ loki-ingest.locksmith = {
+ nodes = config.services.monitoring.nodes.logging;
+ format = "envFile";
+ };
+ loki-query.locksmith = {
+ nodes = config.services.monitoring.nodes.logging;
+ format = "envFile";
+ };
 tempo = { };
 };
 buckets = {
- loki-chunks.allow.loki = [ "read" "write" ];
+ loki-chunks.allow = {
+ loki-ingest = [ "read" "write" ];
+ loki-query = [ "read" ];
+ };
 tempo-chunks.allow.tempo = [ "read" "write" ];
 };
 };
diff --git a/cluster/services/monitoring/logging.nix b/cluster/services/monitoring/logging.nix
index 2f52332..4c134aa 100644
--- a/cluster/services/monitoring/logging.nix
+++ b/cluster/services/monitoring/logging.nix
@@ -8,12 +8,16 @@ let
 cfg = config.services.loki;
 in
 {
- age.secrets.lokiSecrets.file = ./secrets/loki-secrets.age;
 links.loki-grpc.protocol = "grpc";
 systemd.services.loki = {
 after = [ "wireguard-wgmesh.service" ];
- serviceConfig.EnvironmentFile = config.age.secrets.lokiSecrets.path;
+ serviceConfig.EnvironmentFile = "/run/locksmith/garage-loki-ingest";
 };
+
+ services.locksmith.waitForSecrets.loki = [
+ "garage-loki-ingest"
+ ];
+
 services.loki = {
 enable = true;
 dataDir = "/srv/storage/private/loki";
diff --git a/cluster/services/monitoring/secrets/loki-secrets.age b/cluster/services/monitoring/secrets/loki-secrets.age
deleted file mode 100644
index 970cb4a..0000000
Binary files a/cluster/services/monitoring/secrets/loki-secrets.age and /dev/null differ
diff --git a/secrets.nix b/secrets.nix
index 8dc3e9f..3e1c920 100644
--- a/secrets.nix
+++ b/secrets.nix
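Review bot: In cluster/services/monitoring/default.nix, `loki-query` is issued to the same node set as `loki-ingest` (`config.services.monitoring.nodes.logging`), so every host that receives the read-only key also holds the read/write one, and the split in `loki-chunks.allow` does not yet reduce what a compromised logging node can do to the bucket. A comment above the two keys naming the component meant to use each would make the intent reviewable, e.g. `# loki-query: read-only, for components that never write chunks`. Removing `loki = { };` drops the declaration only; whether the old key is revoked in Garage is not visible in this hunk and is worth confirming, since it granted read and write on `loki-chunks`.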
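Review bot: In cluster/services/monitoring/logging.nix the secret name `garage-loki-ingest` is written out twice, in `serviceConfig.EnvironmentFile` and in `services.locksmith.waitForSecrets.loki`, and it also has to agree with the `loki-ingest` key declared in default.nix; a mismatch would presumably surface only when the unit starts. Binding the name once in the existing `let`, `lokiSecret = "garage-loki-ingest";`, and using `"/run/locksmith/${lokiSecret}"` and `[ lokiSecret ]` keeps them in step. Only the ingest key is wired into the unit here, so Loki's read path runs with write access to `loki-chunks` as well; if that is intended for now, a one-line comment saying so would help. The `services.loki` block continues past the end of the hunk.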
@@ -9,7 +9,6 @@ in with hosts;
 "cluster/services/dns/acme-dns-db-credentials.age".publicKeys = max ++ map systemKeys [ checkmate VEGAS prophet ];
 "cluster/services/monitoring/secrets/grafana-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/monitoring/secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
- "cluster/services/monitoring/secrets/loki-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/monitoring/secrets/secret-monitoring/blackbox.age".publicKeys = max ++ map systemKeys [ checkmate grail prophet ];
 "cluster/services/monitoring/secrets/tempo-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/storage/secrets/heresy-encryption-key.age".publicKeys = max ++ map systemKeys [ VEGAS ];