diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix
index ae47c39..ed74c59 100644
--- a/configuration/services/metrics/victorialogs.nix
+++ b/configuration/services/metrics/victorialogs.nix
@@ -1,26 +1,37 @@
 {
 config,
+ pkgs,
 lib,
 ...
 }:
 let
 cfg = config.services.victorialogs;
+ pkg = pkgs.victoriametrics;
+ dirname = "victorialogs";
 in
 {
- options.services.victorialogs.bindAddress = lib.mkOption {
- readOnly = true;
- type = lib.types.str;
- description = ''
- Final address on which victorialogs listens.
- '';
- };
+ options.services.victorialogs =
+ let
+ inherit (lib.types) str;
+ in
+ {
+ listenAddress = lib.mkOption {
+ default = ":9428";
+ type = str;
+ };
+
+ bindAddress = lib.mkOption {
+ readOnly = true;
+ type = str;
+ description = ''
+ Final address on which victorialogs listens.
+ '';
+ };
+ };
 
 config = {
- services.victorialogs = {
- enable = true;
- bindAddress =
- (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
- };
+ services.victorialogs.bindAddress =
+ (lib.optionalString (lib.hasPrefix ":" cfg.listenAddress) "127.0.0.1") + cfg.listenAddress;
 
 services.journald.upload = {
 enable = true;
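Review bot: The new `listenAddress` option carries no description, and its default `":9428"` is a wildcard bind: the `127.0.0.1` prefix added when computing `bindAddress` only changes the address this module dials, while the bare `:9428` is what the next hunk passes to `-httpListenAddr`, so the daemon presumably listens on every interface even though `bindAddress` is described as the "Final address on which victorialogs listens". If only local clients such as the journald uploader are intended, `default = "127.0.0.1:9428";` makes the process itself bind loopback; otherwise the exposure should be stated, e.g. `description = "Address passed to -httpListenAddr; a bare \":port\" listens on all interfaces.";`. Either way `listenAddress` deserves a description like the one `bindAddress` has.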
@@ -29,6 +40,71 @@ in
 NetworkTimeoutSec = "20s";
 };
 };
 
+ systemd.services."systemd-journal-upload".after = [ "victorialogs.service" ];
+
+ systemd.services.victorialogs = {
+ description = "VictoriaLogs log database";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ startLimitBurst = 5;
+
+ serviceConfig = {
+ ExecStart = lib.escapeShellArgs [
+ "${pkg}/bin/victoria-logs"
+ "-storageDataPath=/var/lib/${dirname}"
+ "-httpListenAddr=${cfg.listenAddress}"
+ ];
+
+ DynamicUser = true;
+ RestartSec = 1;
+ Restart = "on-failure";
+ RuntimeDirectory = dirname;
+ RuntimeDirectoryMode = "0700";
+ StateDirectory = dirname;
+ StateDirectoryMode = "0700";
+
+ LimitNOFILE = 1048576;
+
+ # Hardening
+ DeviceAllow = [ "/dev/null rw" ];
+ DevicePolicy = "strict";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ };
+
+ postStart = lib.mkBefore ''
+ until ${lib.getBin pkgs.curl}/bin/curl -s -o /dev/null http://${cfg.bindAddress}/ping; do
+ sleep 1;
+ done
+ '';
+ };
 };
 }
diff --git a/flake.lock b/flake.lock
index 83911d7..3f3fc39 100644
--- a/flake.lock
+++ b/flake.lock
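Review bot: `ProtectSystem = "full"` in the hardening block is weaker than what `DynamicUser = true` already implies (`ProtectSystem=strict`, if I read systemd.exec correctly), and because the unit declares its only writable locations through `StateDirectory` and `RuntimeDirectory`, `ProtectSystem = "strict";` should work unchanged; confirm victoria-logs writes nowhere else before switching. The `postStart` poll has no iteration bound, so a daemon that never answers `/ping` keeps the unit in activating until systemd's default `TimeoutStartSec` fails it; an explicit `TimeoutStartSec` in `serviceConfig` would make that limit visible next to the loop. A short comment above `postStart` saying why the readiness wait exists, e.g. `# Block until the HTTP API answers so systemd-journal-upload (ordered after us) does not retry against a closed port.`, would also help the next reader.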
@@ -216,11 +216,11 @@
 "rocksdb": "rocksdb"
 },
 "locked": {
- "lastModified": 1743735594,
- "narHash": "sha256-aaP8OjY4fkpxk2JdSggx9S3Rk+P+VhuivT6aRpLxoj0=",
+ "lastModified": 1743473828,
+ "narHash": "sha256-x/sfh6LCHGAz8rL23GHhH7dac1LtHBbRRJi1p8gOdtI=",
 "owner": "girlbossceo",
 "repo": "conduwuit",
- "rev": "00f7745ec4ebcea5f892376c5de5db1299f71696",
+ "rev": "0f81c1e1ccdcb0c5c6d5a27e82f16eb37b1e61c8",
 "type": "github"
 },
 "original": {
@@ -499,11 +499,11 @@
 ]
 },
 "locked": {
- "lastModified": 1743598667,
- "narHash": "sha256-ViE7NoFWytYO2uJONTAX35eGsvTYXNHjWALeHAg8OQY=",
+ "lastModified": 1739841949,
+ "narHash": "sha256-lSOXdgW/1zi/SSu7xp71v+55D5Egz8ACv0STkj7fhbs=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "329d3d7e8bc63dd30c39e14e6076db590a6eabe6",
+ "rev": "15dbf8cebd8e2655a883b74547108e089f051bf0",
 "type": "github"
 },
 "original": {
@@ -1278,11 +1278,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1743732435,
- "narHash": "sha256-RrWgOj3F1N6kDG0xatvZzP0p1Zq00yhcTMlaj4bWi5E=",
+ "lastModified": 1740215764,
+ "narHash": "sha256-wzBbGGZ6i1VVBA/cDJaLfuuGYCUriD7fwsLgJJHRVRk=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a462b946265ed006720d02153882780b12a8376d",
+ "rev": "8465e233b0668cf162c608a92e62e8d78c1ba7e4",
 "type": "github"
 },
 "original": {
@@ -1400,11 +1400,11 @@
 },
 "nixpkgs_6": {
 "locked": {
- "lastModified": 1743703532,
- "narHash": "sha256-s1KLDALEeqy+ttrvqV3jx9mBZEvmthQErTVOAzbjHZs=",
+ "lastModified": 1740162160,
+ "narHash": "sha256-SSYxFhqCOb3aiPb6MmN68yEzBIltfom8IgRz7phHscM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "bdb91860de2f719b57eef819b5617762f7120c70",
+ "rev": "11415c7ae8539d6292f2928317ee7a8410b28bb9",
 "type": "github"
 },
 "original": {
@@ -1727,11 +1727,11 @@
 ]
 },
 "locked": {
- "lastModified": 1743756170,
- "narHash": "sha256-2b11EYa08oqDmF3zEBLkG1AoNn9rB1k39ew/T/mSvbU=",
+ "lastModified": 1739262228,
+ "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "cff8437c5fe8c68fc3a840a21bf1f4dc801da40d",
+ "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
 "type": "github"
 },
 "original": {
diff --git a/pkgs/crowdsec/_sources/generated.json b/pkgs/crowdsec/_sources/generated.json
index 97c4e87..ac251aa 100644
--- a/pkgs/crowdsec/_sources/generated.json
+++ b/pkgs/crowdsec/_sources/generated.json
@@ -21,7 +21,7 @@
 },
 "crowdsec-hub": {
 "cargoLocks": null,
- "date": "2025-04-04",
+ "date": "2025-02-22",
 "extract": null,
 "name": "crowdsec-hub",
 "passthru": null,
@@ -33,10 +33,10 @@
 "name": null,
 "owner": "crowdsecurity",
 "repo": "hub",
- "rev": "eebc5f71379ea8f4de4a26f6695e0340444c719c",
- "sha256": "sha256-/jhsqumekdOHDbHjBP8KvAICsSNhCg5ejMT3jSRiROo=",
+ "rev": "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df",
+ "sha256": "sha256-45pUln7Qj5luY9I9BE2qhzjH7kv4IbYvNoEX3/4AVVg=",
 "type": "github"
 },
- "version": "eebc5f71379ea8f4de4a26f6695e0340444c719c"
+ "version": "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df"
 }
 }
\ No newline at end of file
diff --git a/pkgs/crowdsec/_sources/generated.nix b/pkgs/crowdsec/_sources/generated.nix
index aca88b2..9c63cc5 100644
--- a/pkgs/crowdsec/_sources/generated.nix
+++ b/pkgs/crowdsec/_sources/generated.nix
@@ -14,14 +14,14 @@
 };
 crowdsec-hub = {
 pname = "crowdsec-hub";
- version = "eebc5f71379ea8f4de4a26f6695e0340444c719c";
+ version = "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df";
 src = fetchFromGitHub {
 owner = "crowdsecurity";
 repo = "hub";
- rev = "eebc5f71379ea8f4de4a26f6695e0340444c719c";
+ rev = "f9883cd6c7d1913c13e4a3a69d9a0b887a7d57df";
 fetchSubmodules = false;
- sha256 = "sha256-/jhsqumekdOHDbHjBP8KvAICsSNhCg5ejMT3jSRiROo=";
+ sha256 = "sha256-45pUln7Qj5luY9I9BE2qhzjH7kv4IbYvNoEX3/4AVVg=";
 };
- date = "2025-04-04";
+ date = "2025-02-22";
 };
 }