diff --git a/cluster/services/monitoring/logging.nix b/cluster/services/monitoring/logging.nix
index feb7122..915d866 100644
--- a/cluster/services/monitoring/logging.nix
+++ b/cluster/services/monitoring/logging.nix
@@ -8,8 +8,12 @@ let
 cfg = config.services.loki;
 in
 {
+ age.secrets.lokiSecrets.file = ./secrets/loki-secrets.age;
 links.loki-grpc.protocol = "grpc";
- systemd.services.loki.after = [ "wireguard-wgmesh.service" ];
+ systemd.services.loki = {
+ after = [ "wireguard-wgmesh.service" ];
+ serviceConfig.EnvironmentFile = config.age.secrets.lokiSecrets.path;
+ };
 services.loki = {
 enable = true;
 dataDir = "/srv/storage/private/loki";
@@ -46,10 +50,37 @@ in
 period = "168h";
 };
 }
+ {
+ from = "2023-11-08";
+ store = "boltdb-shipper";
+ object_store = "s3";
+ schema = "v11";
+ index = {
+ prefix = "index_";
+ period = "24h";
+ };
+ }
 ];
 storage_config = {
 boltdb.directory = "${cfg.dataDir}/boltdb-index";
 filesystem.directory = "${cfg.dataDir}/storage-chunks";
+ boltdb_shipper = {
+ shared_store = "s3";
+ active_index_directory = "${cfg.dataDir}/boltdb-shipper-index";
+ cache_location = "${cfg.dataDir}/boltdb-shipper-cache";
+ };
+ aws = {
+ endpoint = cluster.config.links.garageS3.url;
+ s3forcepathstyle = true;
+ bucketnames = "loki-chunks";
+ region = "us-east-1";
+ access_key_id = "\${AWS_ACCESS_KEY_ID}";
+ secret_access_key = "\${AWS_SECRET_ACCESS_KEY}";
+ };
+ };
+ compactor = {
+ shared_store = "s3";
+ working_directory = "${cfg.dataDir}/compactor-work";
 };
 limits_config = {
 enforce_metric_name = false;
diff --git a/cluster/services/monitoring/secrets/loki-secrets.age b/cluster/services/monitoring/secrets/loki-secrets.age
new file mode 100644
index 0000000..970cb4a
Binary files /dev/null and b/cluster/services/monitoring/secrets/loki-secrets.age differ
diff --git a/secrets.nix b/secrets.nix
index 50627f3..9f0c183 100644
--- a/secrets.nix
+++ b/secrets.nix
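Review bot: The `EnvironmentFile` added to `systemd.services.loki` only delivers the S3 keys if Loki expands environment variables in its configuration, and nothing visible in this diff turns that on. The `\${AWS_ACCESS_KEY_ID}` and `\${AWS_SECRET_ACCESS_KEY}` placeholders in the second hunk are passed through as literal strings unless Loki starts with `-config.expand-env=true`. Unless that flag is already set outside these hunks, add `extraFlags = [ "-config.expand-env=true" ];` to `services.loki`, whose body continues past the hunk. Keeping placeholders rather than inlining the keys is the right approach, since the rendered configuration is presumably written to the world-readable Nix store while the age-decrypted file is not.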
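Review bot: The new period entry in the second hunk uses `from = "2023-11-08"`, and Loki only switches schema periods cleanly when that date is still in the future (UTC) at rollout. If this is deployed on or after that date, chunks already written that day under the previous entry would be looked up through the new boltdb-shipper/S3 index and stop being queryable, leaving a gap in the log record. Confirm the deploy date or move `from` forward. Keeping `boltdb.directory` and `filesystem.directory` is correct for the earlier periods; a comment such as `# still required to read periods before 2023-11-08` would stop a later cleanup from removing them. The enclosing list and `storage_config` start outside the hunk.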
@@ -41,6 +41,7 @@ in with hosts;
 "cluster/services/irc/irc-peer-key.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/monitoring/secrets/grafana-db-credentials.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
 "cluster/services/monitoring/secrets/grafana-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS prophet ];
+ "cluster/services/monitoring/secrets/loki-secrets.age".publicKeys = max ++ map systemKeys [ VEGAS ];
 "cluster/services/monitoring/secrets/secret-monitoring/blackbox.age".publicKeys = max ++ map systemKeys [ checkmate grail prophet ];
 "cluster/services/patroni/passwords/metrics.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
 "cluster/services/patroni/passwords/replication.age".publicKeys = max ++ map systemKeys [ thunderskin VEGAS prophet ];
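Review bot: `loki-secrets.age` is encrypted to `max` and `VEGAS` only, while `age.secrets.lokiSecrets` in `logging.nix` is declared unconditionally in the visible hunk. If that module is evaluated on any other host (the Grafana secrets beside it also list `prophet`), decryption of this secret would presumably fail there. If Loki runs on VEGAS alone, the narrow recipient list is the right least-privilege choice and needs no change. Confirm which hosts import `logging.nix` before merging.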