diff --git a/base/services/fluentbit.nix b/base/services/fluentbit.nix
index 9f8a9b7..fff7cb1 100644
--- a/base/services/fluentbit.nix
+++ b/base/services/fluentbit.nix
@@ -62,8 +62,10 @@ in
 name = "loki";
 match = "*";
- host = "ildkule.pvv.ntnu.no";
- port = 3100;
+ host = "loki.pvv.ntnu.no";
+ port = 443;
+ tls = "on";
+ "tls.verify" = "on";
 uri = "/loki/api/v1/push";
 compress = "gzip";
diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix
index 4eba3e6..e9ea724 100644
--- a/hosts/ildkule/services/monitoring/loki.nix
+++ b/hosts/ildkule/services/monitoring/loki.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, values, ... }:
 let
 cfg = config.services.loki;
@@ -9,8 +9,8 @@ in {
 configuration = {
 auth_enabled = false;
 server = {
- http_listen_port = 3100;
- http_listen_address = "0.0.0.0";
+ http_listen_port = 31832;
+ http_listen_address = "127.0.0.1";
 grpc_listen_port = 9096;
 };
@@ -81,5 +81,25 @@ in {
 };
 };
- networking.firewall.allowedTCPPorts = [ cfg.configuration.server.http_listen_port ];
+ services.nginx.virtualHosts."loki.pvv.ntnu.no" = {
+ forceSSL = true;
+ enableACME = true;
+ kTLS = true;
+
+ locations = {
+ "/".return = "403";
+ "/loki/api/v1/push" = {
+ proxyPass = "http://${cfg.configuration.server.http_listen_address}:${toString cfg.configuration.server.http_listen_port}/loki/api/v1/push";
+ extraConfig = ''
+ allow 127.0.0.1;
+ allow ::1;
+ allow ${values.ipv4-space};
+ allow ${values.ipv6-space};
+ allow ${values.ntnu.ipv4-space};
+ allow ${values.ntnu.ipv6-space};
+ deny all;
+ '';
+ };
+ };
+ };
 }
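Review bot: Verification is switched on with `"tls.verify" = "on"` but no `tls.ca_file` is given, so the fluent-bit unit must locate the system CA bundle on its own; this hunk does not show whether its service environment exposes one, and if it does not the output fails closed (no connection, no log shipping) rather than silently skipping validation, which is the safe failure mode but worth confirming before rollout. If the bundle is not picked up automatically, `"tls.ca_file" = "/etc/ssl/certs/ca-certificates.crt";` beside the verify flag pins it without relaxing validation. A one-line comment above `host`, e.g. `# Push via the loki.pvv.ntnu.no nginx front-end over HTTPS; the Loki listener itself is loopback-only`, would record why host, port and TLS changed together. The enclosing output definition starts before this hunk.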
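Review bot: Only the HTTP listener is moved to loopback; `grpc_listen_port = 9096` on the following context line has no matching `grpc_listen_address`, so the gRPC listener presumably keeps Loki's default of binding every interface. The `networking.firewall.allowedTCPPorts` entry removed later in this commit only ever covered the HTTP port, so gRPC exposure is unchanged here, but it is now inconsistent with the loopback-only intent of the change; adding `grpc_listen_address = "127.0.0.1";` next to the port makes both listeners explicit, even if the host firewall already blocks 9096. The `server` block and the surrounding `configuration` attribute set continue outside the hunk.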
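Review bot: The push location authenticates nothing: Loki keeps `auth_enabled = false` earlier in this file and the location only filters by source address, so every host in `values.ipv4-space`, `values.ipv6-space` and the two NTNU ranges can write arbitrary entries into the log store, which is a log-poisoning and storage-exhaustion exposure even though reads stay blocked by the `"/".return = "403"` rule. Gating the location with a credential, e.g. the NixOS `basicAuthFile` option on `"/loki/api/v1/push"` with matching `http_user`/`http_passwd` in the fluent-bit Loki output, or client certificates, bounds writers to the managed fleet instead of the whole campus range. Two smaller points: `"/loki/api/v1/push"` is an nginx prefix location, so `"= /loki/api/v1/push"` keeps sub-paths out of the proxy, and the `allow` list is only meaningful if nginx sees the real client address, i.e. nothing proxies or load-balances in front of it, which I cannot tell from here. The trailing `}` closes the module, so this hunk is the end of the file.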