diff --git a/README.md b/README.md
index ab4a4ec..202b5b7 100644
--- a/README.md
+++ b/README.md
@@ -136,15 +136,15 @@ openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
 ```bash
 # Recover admin account (server must not be running)
-> systemctl stop kanidmd
-> kanidmd recover_account -c server.toml admin
-aM4Fk1dvM8AjyYzuVsFuxGkY4PqcVJaZwaHSfvFQGvFkH2Ez
-> systemctl start kanidmd
+> systemctl stop kanidm
+> kanidmd recover-account -c server.toml admin
+AhNeQgKkwwEHZ85dxj1GPjx58vWsBU8QsvKSyYwUL7bz57bp
+> systemctl start kanidm
 # Login with recovered root account
 > kanidm login --name admin
 # Generate new credentials for idm_admin account
 > kanidm service-account credential generate -D admin idm_admin
-cVXKuT9LGpCN0RTjgjEG52bPFANxbPKbT9LjSb3H4K2NeW2g
+Yk0W24SQGzkLp97DNxxExCcryDLvA7Q2dR0A7ZuaVQevLR6B
 # Generate new oauth2 app for grafana
 > kanidm group create grafana-access
 > kanidm group create grafana-server-admins
diff --git a/flake.lock b/flake.lock
index f8fcf49..449ba50 100644
--- a/flake.lock
+++ b/flake.lock
@@ -31,11 +31,11 @@
 ] }, "locked": { - "lastModified": 1686617801, - "narHash": "sha256-fXNOCYjuFL4427jRW9C5xdc7KSJKhoFxXbBrxE3kibU=", + "lastModified": 1687090623, + "narHash": "sha256-LdlH20WGKY1ebO3YJ85gPgmMPlGJUP4JUdqM+k5MsZw=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "787efa41f1611403320517bbd41cd7cb7ebdf93d", + "rev": "317558abbec903324e6d38393e2e84b42c25f479", "type": "github" }, "original": {
@@ -119,11 +119,11 @@
 ] }, "locked": { - "lastModified": 1686545384, - "narHash": "sha256-XniReOaWLjubBAXk6Wx2Ny6/b9Xdsx3viLhhs7ycuWw=", + "lastModified": 1687028856, + "narHash": "sha256-vKV3I31tmXwaWHiUOgfDVd27cEHqaPBr1lt9+NKdIp8=", "owner": "nix-community", "repo": "disko", - "rev": "55eea2030a42845102334eb29f054f0c6604a32c", + "rev": "64c9c78c15fd4c899d857bf09dba88bda771b43a", "type": "github" }, "original": {
@@ -210,11 +210,11 @@
 ] }, "locked": { - "lastModified": 1686604884, - "narHash": "sha256-AkfxSmGGvNMtyXt1us9Lm8cMeIwqxpkSTeNeBQ00SL8=", + "lastModified": 1687081547, + "narHash": "sha256-/JV70TxhvP2r4xYtTlbQ2rrRDcj7MqHnF13r5ZE0oFc=", "owner": "nix-community", "repo": "home-manager", - "rev": "b01eb1eb3b579c74e6a4189ef33cc3fa24c40613", + "rev": "28c823032cabfaa340a09e1d84cf45d11375c644", "type": "github" }, "original": {
@@ -260,11 +260,11 @@
 ] }, "locked": { - "lastModified": 1686444102, - "narHash": "sha256-6J+pkUauanh6qfvyD80ngYZSyUmdmngMaO4TFY2Z0OA=", + "lastModified": 1686962046, + "narHash": "sha256-QE5I3/ONKubR2lvLwUbsS4OaOPc9gTburw9OBcYfgdw=", "owner": "astro", "repo": "microvm.nix", - "rev": "551239936a1c86479f6026658c4d1f1a3635d286", + "rev": "484e6e2209a0ead8ea43a9a79b193026026becfc", "type": "github" }, "original": {
@@ -296,11 +296,11 @@
 ] }, "locked": { - "lastModified": 1685943944, - "narHash": "sha256-GpaQwOkvwkmSWxvWaZqbMKyyOSaBAwgdEcHCqLW/240=", + "lastModified": 1686924781, + "narHash": "sha256-6r3Hm2Fxf4F7LIWRYKU9bsS/xJwlG6L2+/I/pdffvOs=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "122dcc32cadf14c5015aa021fae8882c5058263a", + "rev": "a54683aa7eff00ee5b33dec225525d0eb6ab02de", "type": "github" }, "original": {
@@ -311,11 +311,11 @@
 }, "nixos-hardware": { "locked": { - "lastModified": 1686452266, - "narHash": "sha256-zLKiX0iu6jZFeZDpR1gE6fNyMr8eiM8GLnj9SoUCjFs=", + "lastModified": 1686838567, + "narHash": "sha256-aqKCUD126dRlVSKV6vWuDCitfjFrZlkwNuvj5LtjRRU=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "2a807ad6e8dc458db08588b78cc3c0f0ec4ff321", + "rev": "429f232fe1dc398c5afea19a51aad6931ee0fb89", "type": "github" }, "original": {
@@ -388,11 +388,11 @@
 "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1686213770, - "narHash": "sha256-Re6xXLEqQ/HRnThryumyGzEf3Uv0Pl4cuG50MrDofP8=", + "lastModified": 1686668298, + "narHash": "sha256-AADh9NqHh6X2LOem4BvI7oCkMm+JPCSCE7iIw5nn0VA=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "182af51202998af5b64ddecaa7ff9be06425399b", + "rev": "5b6b54d3f722aa95cbf4ddbe35390a0af8c0015a", "type": "github" }, "original": {
diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix
index b83185a..028f570 100644
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -13,6 +13,11 @@ in {
 ../../../../modules/proxy-via-sentinel.nix
 ];
 
+ extra.promtail = {
+ enable = true;
+ proxy = "sentinel";
+ };
+
 networking.nftables.firewall.rules = lib.mkForce {
 sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
 };
@@ -81,7 +86,7 @@ in {
 auto_login = true;
 client_id = "grafana";
 #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
- client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
+ client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
 scopes = "openid email profile";
 login_attribute_path = "prefered_username";
 auth_url = "https://${sentinelCfg.proxiedDomains.kanidm}/ui/oauth2";
@@ -110,7 +115,7 @@ in {
 url = "https://${sentinelCfg.proxiedDomains.loki}";
 orgId = 1;
 basicAuth = true;
- basicAuthUser = nodeName;
+ basicAuthUser = "${nodeName}:grafana-loki-basic-auth-password";
 secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
 }
 ];
diff --git a/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..c1c6f93
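Review bot: The `extra.promtail = { enable = true; proxy = "sentinel"; };` block added in the `@@ -13,6 +13,11 @@` hunk is repeated verbatim in the `hosts/ward/microvms/kanidm/default.nix` and `hosts/ward/microvms/loki/default.nix` hunks of this commit, one copy per microVM. All three hosts already import `../../../../modules/proxy-via-sentinel.nix`, so this setting looks like a candidate for that shared module (or a sibling shared module) rather than a per-host repeat; whether that module is the right home depends on its other importers, which are not visible here. Style only, the three copies are identical.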
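Review bot: In the `@@ -81,7 +86,7 @@` hunk `client_secret` remains a plaintext literal in a committed Nix file; the commented-out line directly above it, `#client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";`, already shows the file-backed form, and re-enabling it with the secret stored as an age file like the others in this commit would take the literal out of the config. Replacing the literal in place does not remove the previous value from git history, so if either value was ever configured on the live kanidm OAuth2 client it should be regenerated there regardless of the `TODO temporary test` comment. The same `$__file{...}` pattern is already used for `basicAuthPassword` further down in this file, so the fix is consistent with the file's existing approach.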
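Review bot: The new `basicAuthUser = "${nodeName}:grafana-loki-basic-auth-password";` in the `@@ -110,7 +115,7 @@` hunk puts a colon in the HTTP Basic user-id, which RFC 7617 disallows because the first colon of the decoded `user-id:password` string is the separator. If the sentinel proxy decodes credentials the standard way (Go's `net/http` `Request.BasicAuth`, which Caddy's basic auth uses, splits at the first colon), it will see user `<nodeName>` and password `grafana-loki-basic-auth-password:<actual password>`, no entry in the `host:name`-keyed hash file will match, and the Loki datasource requests will be rejected. The hash file is built with `caddy hash-password` in the `hosts/ward/microvms/loki/default.nix` hunk of this commit, which emits the same `host:name` user-id via `echo -n ...":"...`, so both sides need a separator that is legal in a user-id, for example `basicAuthUser = "${nodeName}-grafana-loki-basic-auth-password";` with the matching `"-"` in the aggregation script.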
--- /dev/null
+++ b/hosts/ward/microvms/grafana/secrets/promtail-loki-basic-auth-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1 +-> X25519 eJWTsTZwak+CdL0UPXcav0OmE2WFV525MS71EUREQRI +4EVofvIdJooLW5GIGUMnKbjdBGvaq5PJc59pTcWfi2I +-> piv-p256 xqSe8Q A54r2NQ4TDs0tzJs3hAOLIfwL/63kxw8UrFSyFUOoOpX +BYs5RA4H1GgIiWp9hI0dsMQh43kOOKQjGvNeJjezbz0 +-> %jrC:-grease ; +kSYxb5Aa4C7zMe+2nsSw+hn+xyU7EmVDznX5k7acTOOlEfUQOlUAiF4DhObUsFgS +Rz045u3t6SK7p0tqkYI/84chCJPfDc0wxVBiE2poYkZrs96a2iJa5LUw8oUiXlo +--- ueHYLEER0SQZdLT9eKJZVPdiFynhP7SgfwvTAbzHRco +L* #ZVbɪF> +xȃYf$ޟ T=n(@y *wXeq^#
\ No newline at end of file
diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix
index 8272ce9..29b262a 100644
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@@ -14,6 +14,11 @@ in {
 ../../../../modules/proxy-via-sentinel.nix
 ];
 
+ extra.promtail = {
+ enable = true;
+ proxy = "sentinel";
+ };
+
 networking.nftables.firewall.rules = lib.mkForce {
 sentinel-to-local.allowedTCPPorts = [kanidmPort];
 };
diff --git a/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..d7fed3a
Binary files /dev/null and b/hosts/ward/microvms/kanidm/secrets/promtail-loki-basic-auth-password.age differ
diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix
index 373a216..b5c5e08 100644
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@@ -12,6 +12,11 @@ in {
 ../../../../modules/proxy-via-sentinel.nix
 ];
 
+ extra.promtail = {
+ enable = true;
+ proxy = "sentinel";
+ };
+
 networking.nftables.firewall.rules = lib.mkForce {
 sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
 };
@@ -36,7 +41,7 @@ in {
 file,
 }: ''
 echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
- echo -n ${lib.escapeShellArg host}" "
+ echo -n ${lib.escapeShellArg host}":"${lib.escapeShellArg name}" "
 ${decrypt} ${lib.escapeShellArg file} \
 | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
 || die "Failure while aggregating caddy basic auth hashes"
diff --git a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
index 24fd848..63dcba5 100644
Binary files a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age and b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age differ
diff --git a/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age
new file mode 100644
index 0000000..99228b2
--- /dev/null
+++ b/hosts/ward/microvms/loki/secrets/promtail-loki-basic-auth-password.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1 +-> X25519 3x+QeciEIcDcJO3U+0386XIoJtOVn3b4myIxWOgDxjs +oFCwl+TjzC6kjDcEm2CNgHuWIta/j9Zq9c9ZvoDAKBc +-> piv-p256 xqSe8Q Ax9ZRwkb1UMUmpqg8U1vPU3+8wnWxOA3AkvPEjMDvduj +e/iORb0ckijeWEg9N4IpBP+YxCB2eZnEt1FgcwrAL8c +-> mcyx X25519 3mvQNS9Df1Kw6g4DK2OezJLlhRjeJuzoqu2LcQXobV8 +zsBLhAEhcUcun3GsDMP69zDqlhaYXIw3bNUGP7w0fWQ +-> piv-p256 xqSe8Q AwmwPRJqCuGx5lVPro9yRP0vRvpkgufB/MwRRgYi3VZl +3TvviCPeB4uSQc1raS5F4ky6IClqo+duR7jDPBrlE4M +-> o-grease i0o: +r` +LIUlecnKyS32IU1xbPVKqNN86PaiJP6ujjX7NCwUZD+PgvWWTxiiEdJMJbGO1fZ+ +9En9Ekiq7mGnLsRIMiWFAaoT8ZYe8ymuK4AOTG2Lb6s +--- Hc8thFUczd8KIKMgQruJC8/9k1O22DPzEizmk7rlJt0 +mu©:MQQfx˂?7
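Review bot: The generated script line `echo -n ${lib.escapeShellArg host}":"${lib.escapeShellArg name}" "` relies on `echo -n`, whose handling POSIX leaves implementation-defined, to emit the user-id without a trailing newline before the hash from `caddy hash-password` is appended on the same line; `printf '%s ' ${lib.escapeShellArg host}":"${lib.escapeShellArg name}` produces the same bytes on every shell. The enclosing Nix function and its `''` shell string begin before this hunk, so the interpreter that runs the script is not visible here; if it is always bash the current form works, but the printf form costs nothing and removes the dependency.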