diff --git a/nixos/modules/services/logging/promtail.nix b/nixos/modules/services/logging/promtail.nix
index 834bb99bb1d6..19b12daa4152 100644
--- a/nixos/modules/services/logging/promtail.nix
+++ b/nixos/modules/services/logging/promtail.nix
@@ -6,25 +6,14 @@ let
       echo '${builtins.toJSON conf}' | ${pkgs.buildPackages.jq}/bin/jq 'del(._module)' > $out
     '';
+  allowSystemdJournal = cfg.configuration ? scrape_configs && lib.any (v: v ? journal) cfg.configuration.scrape_configs;
 in {
   options.services.promtail = with types; {
     enable = mkEnableOption "the Promtail ingresser";
+
     configuration = mkOption {
-      type = with lib.types; let
-        valueType = nullOr (oneOf [
-          bool
-          int
-          float
-          str
-          (lazyAttrsOf valueType)
-          (listOf valueType)
-        ]) // {
-          description = "JSON value";
-          emptyValue.value = {};
-          deprecationMessage = null;
-        };
-      in valueType;
+      type = (pkgs.formats.json {}).type;
       description = ''
         Specify the configuration for Promtail in Nix.
       '';
@@ -80,6 +69,8 @@ in {
         RestrictRealtime = true;
         MemoryDenyWriteExecute = true;
         PrivateUsers = true;
+
+        SupplementaryGroups = lib.optional (allowSystemdJournal) "systemd-journal";
       } // (optionalAttrs (!pkgs.stdenv.isAarch64) {
         # FIXME: figure out why this breaks on aarch64
         SystemCallFilter = "@system-service";
       });
diff --git a/nixos/modules/services/monitoring/loki.nix b/nixos/modules/services/monitoring/loki.nix
index f4eec7e0d284..51cabaa274a3 100644
--- a/nixos/modules/services/monitoring/loki.nix
+++ b/nixos/modules/services/monitoring/loki.nix
@@ -39,7 +39,7 @@ in {
     };
     configuration = mkOption {
-      type = types.attrs;
+      type = (pkgs.formats.json {}).type;
       default = {};
       description = ''
         Specify the configuration for Loki in Nix.
@@ -78,6 +78,8 @@ in {
     '';
     }];
+    environment.systemPackages = [ pkgs.grafana-loki ]; # logcli
+
     users.groups.${cfg.group} = { };
     users.users.${cfg.user} = {
       description = "Loki Service User";
diff --git a/nixos/tests/loki.nix b/nixos/tests/loki.nix
index eaee717cf87d..bede775b7d3c 100644
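Review bot: `allowSystemdJournal` tests only for the presence of a `journal` attribute (`v ? journal`), so a scrape config carrying `journal = null` or `journal = {}` would still add promtail to systemd-journal; if presence is the intended trigger, a comment should say so, e.g. `# Promtail can only read /var/log/journal as a member of systemd-journal; grant that group solely when a journal scrape_config is declared`. As far as I recall the JSON format type admits `null` for any value, so `scrape_configs = null` would now pass the option type and make `lib.any` fail with a raw builtins type error instead of a module message; guarding with `builtins.isList cfg.configuration.scrape_configs` would keep that failure readable. The `let` block this binding belongs to starts before the hunk.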
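Review bot: `lib.optional (allowSystemdJournal) "systemd-journal"` carries redundant parentheses around the condition; `SupplementaryGroups = lib.optional allowSystemdJournal "systemd-journal";` is the conventional form. Because membership in systemd-journal exposes the entire host journal to the unit rather than just the streams promtail is configured to scrape, a one-line comment above the setting stating why the group is granted conditionally would help the next maintainer judge the privilege. The enclosing `serviceConfig` attrset begins before this hunk.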
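Review bot: `environment.systemPackages = [ pkgs.grafana-loki ]; # logcli` puts the whole package on every user's PATH whenever the module is active, with no option to opt out, and the one-word comment does not explain that choice; the package presumably also ships the loki and promtail binaries, not only logcli. Suggest widening the comment to `# exposes logcli for querying the local instance (loki/promtail binaries come along)` or, if only logcli is wanted, making the installation an option. Whether this line sits under `mkIf cfg.enable` is not visible from the hunk.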
--- a/nixos/tests/loki.nix
+++ b/nixos/tests/loki.nix
@@ -45,6 +45,8 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
     machine.wait_for_open_port(3100)
     machine.wait_for_open_port(9080)
     machine.succeed("echo 'Loki Ingestion Test' > /var/log/testlog")
+    # should not have access to journal unless specified
+    machine.fail("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")
     machine.wait_until_succeeds(
         "${pkgs.grafana-loki}/bin/logcli --addr='http://localhost:3100' query --no-labels '{job=\"varlogs\",filename=\"/var/log/testlog\"}' | grep -q 'Loki Ingestion Test'"
     )
diff --git a/pkgs/servers/monitoring/loki/default.nix b/pkgs/servers/monitoring/loki/default.nix
index c4bfeed8c88d..f1cefdc0b1d9 100644
--- a/pkgs/servers/monitoring/loki/default.nix
+++ b/pkgs/servers/monitoring/loki/default.nix
@@ -1,4 +1,12 @@
-{ stdenv, lib, buildGoModule, fetchFromGitHub, makeWrapper, systemd, fetchpatch }:
+{ stdenv
+, lib
+, buildGoModule
+, fetchFromGitHub
+, makeWrapper
+, nixosTests
+, systemd
+, fetchpatch
+}:
 buildGoModule rec {
   version = "2.0.0";
@@ -32,6 +40,8 @@ buildGoModule rec {
     --prefix LD_LIBRARY_PATH : "${lib.getLib systemd}/lib"
   '';
+  passthru.tests = { inherit (nixosTests) loki; };
+
   doCheck = true;
   meta = with stdenv.lib; {
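Review bot: The new `machine.fail(...)` line only pins the negative case — promtail stays out of systemd-journal when no journal scrape is configured — while the positive path the commit introduces (a `journal` scrape_config actually granting the group and yielding readable entries) is not exercised, so a regression there would still pass. A second scrape_config with a `journal` block on a separate machine, checked with `machine.succeed("systemctl show --property=SupplementaryGroups promtail | grep -q systemd-journal")` and a logcli query against the journal job, would close that gap. The negative check itself is sound here because `wait_for_open_port(9080)` just above ensures the promtail unit exists before `systemctl show` is consulted.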