diff --git a/flake.lock b/flake.lock
index da46c85..826b8b1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -108,11 +108,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725126502,
- "narHash": "sha256-Xyxyvb+Hr/Gn8MPb1b9QXJRTNOS2M52zz6rEjfcLsyU=",
+ "lastModified": 1725126704,
+ "narHash": "sha256-evjwB70VXzEmEs+07pf4MfAmM+Gtl2JYRfsW+9Jbhaw=",
 "ref": "refs/heads/main",
- "rev": "3934bcbb39994cd99b2dbf919d2ec1d1f5ccd2cc",
- "revCount": 259,
+ "rev": "6c79be63e7f08ccded0f792dfc15de987299c92b",
+ "revCount": 260,
 "type": "git",
 "url": "https://git.lix.systems/the-distro/channel-scripts.git"
 },
diff --git a/services/channel-scripts/default.nix b/services/channel-scripts/default.nix
index 082301f..15550ab 100644
--- a/services/channel-scripts/default.nix
+++ b/services/channel-scripts/default.nix
@@ -21,6 +21,8 @@ let
 cfg.releaseBucketCredentialsFile
 ];
 Environment = cfg.extraEnvironment;
+ # TODO: we should have our own secret for this.
+ LoadCredential = [ "password:${config.age.secrets.alloy-push-password.path}" ];
 };
 unitConfig.After = [ "networking.target" ];
 script =
@@ -32,6 +34,8 @@ let
 fi
 GIT_DIR=$dir git config remote.origin.fetch '+refs/heads/*:refs/remotes/origin/*'
+ CREDENTIAL=$(echo -en "promtail:$(cat $CREDENTIALS_DIRECTORY/password)" | base64)
+ export OTEL_EXPORTER_OTLP_HEADERS="Authorization=Basic $CREDENTIAL"
 # TODO: use escapeShellArgs
 exec ${cfg.package}/bin/mirror-forkos -c ${configFile} ${concatStringsSep " " cfg.extraArgs} apply ${channelName} ${mainJob}
 '';
@@ -138,6 +142,9 @@ in
 };
 config = mkIf cfg.enable {
+ bagel.nixpkgs.channel-scripts.extraEnvironment = mkIf cfg.otlp.enable [
+ ''OTEL_EXPORTER_OTLP_TRACES_ENDPOINT="https://tempo.forkos.org/v1/traces"''
+ ];
 bagel.nixpkgs.channel-scripts.settings = {
 hydra_uri = cfg.hydraUrl;
 binary_cache_uri = cfg.binaryCacheUrl;
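Review bot: The `LoadCredential` entry added in the `@@ -21,6 +21,8 @@` hunk of services/channel-scripts/default.nix is unconditional, while the trace endpoint is only set under `cfg.otlp.enable`, so the unit is handed the push password (and the script in the following hunk exports it) even when tracing is off. Gating it, e.g. `LoadCredential = mkIf cfg.otlp.enable [ "password:${config.age.secrets.alloy-push-password.path}" ];`, keeps the secret away from a unit that does not need it; whether `mkIf` resolves at this point should be checked, since the enclosing attribute set starts outside the hunk. Until the TODO is resolved this service shares the secret named `alloy-push-password`, so a leak from channel-scripts forces rotation for every consumer of that secret.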
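Review bot: The `CREDENTIAL=` line in the `@@ -32,6 +34,8 @@` hunk can corrupt the Basic auth value: `echo -en` expands backslash sequences found in the password, GNU `base64` wraps its output at 76 columns so a long password puts a newline into the header, and `$CREDENTIALS_DIRECTORY` is unquoted. `CREDENTIAL=$(printf 'promtail:%s' "$(cat "$CREDENTIALS_DIRECTORY/password")" | base64 -w0)` avoids all three. The exported `OTEL_EXPORTER_OTLP_HEADERS` is inherited by `mirror-forkos` and anything it spawns, so it is worth confirming that nothing downstream logs or dumps its environment. Some OTLP exporters expect header values to be percent-encoded (`Basic%20…`); whether that applies depends on the exporter inside `mirror-forkos`, which is not visible here. The script body starts and ends outside the hunk.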
@@ -147,53 +154,6 @@ in
 s3_channel_bucket_name = cfg.s3.channel;
 };
-# services.alloy = {
-# enable = cfg.otlp.enable;
-# };
-#
-# bagel.services.channel-scripts.extraEnvironment = mkIf cfg.otlp.enable {
-# OTLP_EXPORTER_OTLP_ENDPOINT = "127.0.0.1:9000";
-# OTEL_EXPORTER_OTLP_PROTOCOL = "grpc";
-# };
-#
-# environment.etc."alloy/config.alloy".text = ''
-# otelcol.auth.basic "forkos" {
-# username = "promtail"
-# password = env("/run/credentials/alloy.service/password")
-# }
-# otelcol.receiver.otlp "default" {
-# grpc {
-# endpoint = "127.0.0.1:9000"
-# }
-#
-# output {
-# metrics = [otelcol.processor.batch.default.input]
-# logs = [otelcol.processor.batch.default.input]
-# traces = [otelcol.processor.batch.default.input]
-# }
-# }
-#
-# otelcol.processor.batch "default" {
-# output {
-# metrics = [otelcol.exporter.otlp.default.input]
-# logs = [otelcol.exporter.otlp.default.input]
-# traces = [otelcol.exporter.otlp.default.input]
-# }
-# }
-#
-# otelcol.exporter.otlp "default" {
-# client {
-# endpoint {
-# url = "https://tempo.forkos.org"
-# basic_auth {
-# username = "promtail"
-# password_file = "/run/credentials/alloy.service/password"
-# }
-# }
-# }
-# }
-# '';
-#
 users.users.channel-scripts = {
 description = "Channel scripts user";
 isSystemUser = true;