diff --git a/dnsmasq/files/rre.conf b/dnsmasq/files/rre.conf
index 43eaa94..ecf422e 100644
--- a/dnsmasq/files/rre.conf
+++ b/dnsmasq/files/rre.conf
@@ -6,7 +6,7 @@ domain=rre.nu
 # public cnames
 cname=push.rre.nu,cl2-ingress-public.rre.nu.
 cname=git.rre.nu,cl2-ingress-public.rre.nu
-cname=home.rre.nu,cl2-ingress-public.rre.nu
+cname=home.rre.nu,poblano.rre.nu
 cname=nextcloud.rre.nu,cl2-ingress-public.rre.nu
 cname=nodered.rre.nu,cl2-ingress-public.rre.nu
 cname=rre.nu,cl2-ingress-public.rre.nu
@@ -18,3 +18,4 @@ cname=unifi.rre.nu,cl2-ingress-public.rre.nu
 cname=rancher.rre.nu,cl1.rre.nu
 cname=prometheus.rre.nu,poblano.rre.nu
 cname=unpoller.rre.nu,poblano.rre.nu
+cname=loki.rre.nu,poblano.rre.nu
diff --git a/fail2ban/files/filter.d/nextcloud.local b/fail2ban/files/filter.d/nextcloud.local
new file mode 100644
index 0000000..f1ac53c
--- /dev/null
+++ b/fail2ban/files/filter.d/nextcloud.local
@@ -0,0 +1,6 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
+
diff --git a/fail2ban/files/jail.d/nextcloud.local b/fail2ban/files/jail.d/nextcloud.local
new file mode 100644
index 0000000..d75d693
--- /dev/null
+++ b/fail2ban/files/jail.d/nextcloud.local
@@ -0,0 +1,10 @@
+[nextcloud]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 1w
+findtime = 1d
+logpath = /srv/podman/containers/storage/volumes/nextcloud-data/_data/data/nextcloud.log
diff --git a/fail2ban/files/jail.local b/fail2ban/files/jail.local
index 6bbdc66..b361868 100644
--- a/fail2ban/files/jail.local
+++ b/fail2ban/files/jail.local
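Review bot: Both failregex lines in filter.d/nextcloud.local match `"remoteAddr":""` with no host capture, and fail2ban refuses to load a filter whose failregex has no `<HOST>` (or named `host`) group. The angle-bracket token was most likely lost in rendering, since `<ip>` is also missing from the jail.local comment further down, but if the committed file really reads `""` the line must be `"remoteAddr":"<HOST>"`. Before enabling the jail it is worth running `fail2ban-regex <logpath> /etc/fail2ban/filter.d/nextcloud.local` against a real nextcloud.log to confirm both patterns and the datepattern match.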
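Review bot: The new jail bans whatever address Nextcloud writes to `remoteAddr`, but the dnsmasq hunk above shows nextcloud.rre.nu as a CNAME for cl2-ingress-public.rre.nu, so unless Nextcloud's `trusted_proxies` is configured that field presumably holds the ingress address and a `bantime = 1w` on ports 80,443 would lock every user out instead of the attacker. Confirm which address appears in nextcloud.log before `enabled = true` ships. The jail also sets no `action`, so it inherits whatever jail.local's default is; a comment stating that would help.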
@@ -89,7 +89,7 @@ before = paths-opensuse.conf
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-#ignoreip = 127.0.0.1/8 ::1
+ignoreip = 127.0.0.1/8 ::1 10.2.0.101 10.0.10.156 10.0.10.174
 # External command that will take an tagged arguments to ignore, e.g. ,
 # and return true if the IP is to be ignored. False otherwise.
diff --git a/fail2ban/init.sls b/fail2ban/init.sls
index 1385ded..0c1be13 100644
--- a/fail2ban/init.sls
+++ b/fail2ban/init.sls
@@ -1,3 +1,4 @@
 include:
 - fail2ban.install
 - fail2ban.jails
+ - fail2ban.prometheus
diff --git a/fail2ban/jails.sls b/fail2ban/jails.sls
index be42d07..00841db 100644
--- a/fail2ban/jails.sls
+++ b/fail2ban/jails.sls
@@ -1,3 +1,4 @@
+# SSH
 configure sshd jail:
 file.managed:
 - name: /etc/fail2ban/jail.d/sshd.local
@@ -8,10 +9,30 @@ configure sshd jail:
 - onlyif:
 - pkg.is_installed: openssh
+# Nextcloud
+configure nextcloud jail:
+ file.managed:
+ - name: /etc/fail2ban/jail.d/nextcloud.local
+ - source: salt://fail2ban/files/jail.d/nextcloud.local
+ - user: root
+ - group: root
+ - mode: "0644"
+ - onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists gitea'
+configure nextcloud filter:
+ file.managed:
+ - name: /etc/fail2ban/filter.d/nextcloud.local
+ - source: salt://fail2ban/files/filter.d/nextcloud.local
+ - user: root
+ - group: root
+ - mode: "0644"
+ - onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists gitea'
+######
 realod fail2ban config:
 cmd.run:
 - name: fail2ban-client reload
 - onchanges:
 - file: configure sshd jail
+ - file: configure nextcloud jail
+ - file: configure nextcloud filter
diff --git a/fail2ban/prometheus.sls b/fail2ban/prometheus.sls
new file mode 100644
index 0000000..a7aae9a
--- /dev/null
+++ b/fail2ban/prometheus.sls
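Review bot: The three addresses added to `ignoreip` are undocumented, and because this line sits in the section that also holds `before = paths-opensuse.conf` (presumably `[DEFAULT]`, as in stock jail.conf) they are exempted from every jail, including the new nextcloud jail. A comment above the line naming each host, e.g. `# 10.2.0.101 <role of host>`, would let a later reviewer judge whether the exemption is still wanted.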
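Review bot: Both new `onlyif` guards in jails.sls test `podman container exists gitea`, which reads as a copy-paste from another jail; the nextcloud jail and filter should be conditioned on the nextcloud container, `- onlyif: runuser -l {{ salt['pillar.get']('podman:user', 'root') }} -c 'podman container exists nextcloud'`. As written, a host that runs gitea but not nextcloud gets a jail whose logpath does not exist, which fail2ban reports as an error on the reload triggered by the `onchanges` entries. The added `######` separator would be clearer as `# reload`, matching the `# SSH` and `# Nextcloud` headers, and the pre-existing `realod` state id is a typo for reload.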
@@ -0,0 +1,35 @@
+Define firewalld service for fail2ban exporter:
+ firewalld.service:
+ - name: fail2ban_exporter
+ - ports:
+ - 9191/tcp
+
+Addinge fail2ban exporter fw service:
+ firewalld.present:
+ - name: public
+ - services:
+ - fail2ban_exporter
+
+create fail2ban-exporter container:
+ cmd.run:
+ - name: podman container create --name fail2ban-exporter -v /var/run/fail2ban:/var/run/fail2ban:ro -p 9191:9191 registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest
+ - unless: podman container exists fail2ban-exporter
+
+create fail2ban-exporter container unit file:
+ cmd.run:
+ - name: podman generate systemd --name fail2ban-exporter > /etc/systemd/system/fail2ban-exporter.service
+ - onchanges:
+ - cmd: create fail2ban-exporter container
+
+run daemon reload for fail2ban-exporter container unit file:
+ cmd.run:
+ - name: systemctl daemon-reload
+ - onchanges:
+ - cmd: create fail2ban-exporter container unit file
+
+start fail2ban-exporter container:
+ service.running:
+ - name: fail2ban-exporter
+ - enable: true
+ - watch:
+ - cmd: create fail2ban-exporter container unit file
diff --git a/podman/files/container.sh.jinja b/podman/files/container.sh.jinja
index 090921b..88ae559 100644
--- a/podman/files/container.sh.jinja
+++ b/podman/files/container.sh.jinja
@@ -46,7 +46,9 @@ function create_container() {
 --device {{ key }}:{{ value}} \
 {%- endfor %}
 {%- endif %}
- {{ args['image'] }}:{{ args['tag'] }}
+ {{ args['image'] }}:{{ args['tag'] }}{%- if args['run'] is defined %} \
+ {{ args['run'] }}
+ {%- endif %}
 fi
 }
diff --git a/podman/hass.sls b/podman/hass.sls
new file mode 100644
index 0000000..ca7dbd4
--- /dev/null
+++ b/podman/hass.sls
@@ -0,0 +1,3 @@
+{% from 'lib.sls' import container_deploy with context %}
+
+{{ container_deploy('hass') }}
diff --git a/podman/loki.sls b/podman/loki.sls
new file mode 100644
index 0000000..8f3aa16
--- /dev/null
+++ b/podman/loki.sls
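Review bot: The exporter container is created from the unpinned tag `registry.gitlab.com/hectorjsmith/fail2ban-prometheus-exporter:latest` and is handed `/var/run/fail2ban`, the directory holding fail2ban's control socket; a read-only bind mount does not prevent connecting to a unix socket, so the container can issue any fail2ban-client command rather than only read status. Pinning the image by version or digest limits what a registry-side change can do with that access. Since the `fail2ban_exporter` service is also added to the `public` zone, restricting it to a scraper-only zone or source range would keep the 9191/tcp metrics endpoint, which has no authentication, off the general network. `Addinge` in the second state id looks like a typo.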
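Review bot: The new `{{ args['run'] }}` value is spliced into the generated shell script unquoted, so whatever the pillar holds is word-split and run as the container's command line; that is presumably the intent, but the new pillar key is undocumented. A comment above the `{%- if args['run'] is defined %}` line, `# optional 'run': extra command-line arguments appended verbatim after the image`, would record the contract. `create_container` starts before this hunk.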
@@ -0,0 +1,4 @@
+{% from 'lib.sls' import container_deploy with context %}
+
+{{ container_deploy('loki') }}
+
diff --git a/podman/nginx-exporter.sls b/podman/nginx-exporter.sls
new file mode 100644
index 0000000..7c5fb63
--- /dev/null
+++ b/podman/nginx-exporter.sls
@@ -0,0 +1,4 @@
+{% from 'lib.sls' import container_deploy with context %}
+
+{{ container_deploy('nginx-exporter') }}
+
diff --git a/promtail/files/promtail.conf.jinja b/promtail/files/promtail.conf.jinja
new file mode 100644
index 0000000..4a60ad8
--- /dev/null
+++ b/promtail/files/promtail.conf.jinja
@@ -0,0 +1,20 @@
+server:
+ http_listen_port: {{ http_listen_port }}
+ grpc_listen_port: 0
+
+positions:
+ filename: /tmp/positions.yaml
+
+clients:
+ - url: "{{ client_url }}"
+
+scrape_configs:
+ - job_name: journal
+ journal:
+ max_age: 12h
+ path: /var/log/journal
+ labels:
+ job: systemd-journal
+ relabel_configs:
+ - source_labels: ['__journal__systemd_unit']
+ target_label: 'unit'
diff --git a/promtail/init.sls b/promtail/init.sls
new file mode 100644
index 0000000..8063111
--- /dev/null
+++ b/promtail/init.sls
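Review bot: `positions.filename` points at `/tmp/positions.yaml` inside the container, and the `podman container create` line in promtail/init.sls mounts only /etc/promtail (read-only) and /var/log/journal, so the positions file lives in the container's own filesystem and is lost whenever the container is recreated, after which up to `max_age: 12h` of journal is re-sent to Loki as duplicates. Persisting it on a writable bind mount, e.g. `filename: /var/lib/promtail/positions.yaml` with a matching `-v` on the create command, avoids that.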
@@ -0,0 +1,61 @@
+{%- set client_url = "http://loki.rre.nu:3100/loki/api/v1/push" %}
+{%- set http_listen_port = 9080 %}
+{%- set zone = "public" %}
+
+
+Create promtail configuration folder:
+ file.directory:
+ - name: /etc/promtail
+ - user: root
+ - group: root
+ - mode: "0755"
+
+Create promtail configuration:
+ file.managed:
+ - name: /etc/promtail/promtail.conf
+ - source: salt://promtail/files/promtail.conf.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: "0644"
+ - require:
+ - file: Create promtail configuration folder
+ - context:
+ client_url: {{ client_url }}
+ http_listen_port: {{ http_listen_port }}
+
+Define firewall service for promtail:
+ firewalld.service:
+ - name: promtail
+ - ports:
+ - {{ http_listen_port }}/tcp
+
+adding fw service for promtail in {{ zone }} zone:
+ firewalld.present:
+ - name: {{ zone }}
+ - services:
+ - promtail
+
+Create promtail container:
+ cmd.run:
+ - name: podman container create --name promtail -p {{ http_listen_port }}:{{ http_listen_port}} -v /etc/promtail:/etc/promtail:ro -v /var/log/journal:/var/log/journal:ro docker.io/grafana/promtail:latest -config.file=/etc/promtail/promtail.conf --client.external-labels=hostname={{ grains['fqdn'] }}
+ - unless: podman container exists promtail
+
+Create promail unit file:
+ cmd.run:
+ - name: podman generate systemd --name promtail > /etc/systemd/system/promtail.service
+ - onchanges:
+ - cmd: Create promtail container
+
+Run daeom-reload for promtail:
+ cmd.run:
+ - name: systemctl daemon-reload
+ - onchanges:
+ - cmd: Create promail unit file
+
+start promail service:
+ service.running:
+ - name: promtail
+ - enable: true
+ - watch:
+ - cmd: Create promail unit file
diff --git a/top.sls b/top.sls
index 1ddb57a..af35162 100644
--- a/top.sls
+++ b/top.sls
@@ -10,6 +10,7 @@ base:
 - restic
 - cockpit
 - fail2ban
+ - promtail
 'pepper.rre.nu':
 - dnsmasq
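Review bot: `client_url` sends each minion's full systemd journal to `http://loki.rre.nu:3100/loki/api/v1/push` in cleartext with no credentials, and the `clients` entry in promtail.conf.jinja sets no `tls_config` or `basic_auth`, so log contents can be read or spoofed by anything on the path; terminating TLS at Loki or a fronting proxy with authentication, and switching the URL to https, is the usual fix. The firewalld service also opens promtail's own listener, 9080/tcp, in the `public` zone, although only the Prometheus scraper needs it. The image tag `docker.io/grafana/promtail:latest` is unpinned, and `promail` and `daeom` in the state ids look like typos.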