diff --git a/.github/workflows/flake.yaml b/.github/workflows/flake.yaml
index 9912afd..7c47e61 100644
--- a/.github/workflows/flake.yaml
+++ b/.github/workflows/flake.yaml
@@ -10,22 +10,22 @@ env:
   CACHIX_BINARY_CACHE: altf4llc-os
 
 jobs:
-  check:
+  test:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        profile:
+          - alloy
     steps:
       - uses: cachix/install-nix-action@v27
-        with:
-          enable_kvm: true
       - uses: cachix/cachix-action@v15
         with:
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
           name: ${{ env.CACHIX_BINARY_CACHE }}
       - uses: actions/checkout@v4
-      - run: nix develop -c just check
+      - run: nix develop -c just test "${{ matrix.profile }}"
 
   build:
-    needs:
-      - check
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -38,9 +38,6 @@ jobs:
           - actions-runner
     steps:
       - uses: cachix/install-nix-action@v27
-        with:
-          enable_kvm: true
-
       - uses: cachix/cachix-action@v15
         with:
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
diff --git a/flake.nix b/flake.nix
index ab3fab7..d2bfd86 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,6 +24,8 @@
           buildInputs = [awscli2 just];
         };
 
+        checks = import ./modules/tests { inherit pkgs; };
+
         formatter = pkgs.alejandra;
 
         packages = import ./nix/images.nix { inherit system inputs; };
diff --git a/justfile b/justfile
index a6bf87e..4d07041 100644
--- a/justfile
+++ b/justfile
@@ -8,3 +8,6 @@ build profile:
 
 publish-ami profile:
   bash ./ci-build-publish.sh "{{ami_bucket}}" "{{profile}}"
+
+test profile arch='x86_64-linux':
+  just build 'checks.{{arch}}.{{profile}}'
diff --git a/modules/mixins/alloy-forwarder/config.alloy b/modules/mixins/alloy-forwarder/config.alloy
index 74c3f85..1101c20 100644
--- a/modules/mixins/alloy-forwarder/config.alloy
+++ b/modules/mixins/alloy-forwarder/config.alloy
@@ -50,19 +50,12 @@ loki.source.api "receive" {
         listen_address = "0.0.0.0"
         listen_port = 3100
     }
-    forward_to = [
-      grafana_cloud.stack.receivers.logs,
-    ]
+    forward_to = [grafana_cloud.stack.receivers.logs]
 }
 
 loki.source.journal "read" {
-  forward_to = [
-    grafana_cloud.stack.receivers.logs,
-  ]
-  relabel_rules = concat(
-    loki.relabel.journal.rules,
-    loki.relabel.instance.rules,
-  )
+  forward_to = [grafana_cloud.stack.receivers.logs]
+  relabel_rules = loki.relabel.omnibus.rules
   labels = {
     "job" = "integrations/node_exporter",
   }
diff --git a/modules/mixins/alloy/base.alloy b/modules/mixins/alloy/base.alloy
index 6310d60..f4db4fd 100644
--- a/modules/mixins/alloy/base.alloy
+++ b/modules/mixins/alloy/base.alloy
@@ -3,19 +3,14 @@ local.file "hostname" {
   filename = "/etc/hostname"
 }
 
-// Set hostname from /etc
-loki.relabel "instance" {
+// Loki journal relabeller
+loki.relabel "omnibus" {
   forward_to = []
 
   rule {
     target_label = "instance"
     replacement  = local.file.hostname.content
   }
-}
-
-// Loki journal relabeller
-loki.relabel "journal" {
-  forward_to = []
 
   rule {
     source_labels = ["__journal__systemd_unit"]
diff --git a/modules/mixins/alloy/config.alloy b/modules/mixins/alloy/config.alloy
index 554b4a6..3f341ff 100644
--- a/modules/mixins/alloy/config.alloy
+++ b/modules/mixins/alloy/config.alloy
@@ -32,30 +32,30 @@ loki.relabel "journal" {
   forward_to = []
 
   rule {
-    source_labels = ["__journal__systemd_unit"]
-    target_label  = "unit"
+    target_label = "instance"
+    replacement  = local.file.hostname.content
   }
 
   rule {
-    source_labels = ["__journal_container_name"]
-    target_label  = "container_name"
+    source_labels = ["__journal__systemd_unit"]
+    target_label  = "unit"
   }
 
   rule {
-    source_labels = ["__journal_image_name"]
-    target_label  = "container_image"
+    source_labels = ["__journal__boot_id"]
+    target_label  = "boot_id"
   }
 
   rule {
-    source_labels = ["__journal_container_id"]
-    target_label  = "container_id"
+    source_labels = ["__journal__transport"]
+    target_label  = "transport"
   }
 }
 
 // Fetch journal entries
 loki.source.journal "journal" {
   forward_to    = [otelcol.receiver.loki.default.receiver]
-  relabel_rules = loki.relabel.journal.rules
+  relabel_rules = loki.relabel.omnibus.rules
   labels        = {component = "loki.source.journal"}
 }
 
diff --git a/modules/mixins/alloy/default.nix b/modules/mixins/alloy/default.nix
index 3606c86..2ac2c4e 100644
--- a/modules/mixins/alloy/default.nix
+++ b/modules/mixins/alloy/default.nix
@@ -1,15 +1,5 @@
 { ... }: {
-  environment.etc."alloy/config.alloy" = {
-    source = ./config.alloy;
-    mode = "0440";
-    user = "root";
-  };
-
-  environment.etc."alloy/base.alloy" = {
-    source = ./base.alloy;
-    mode = "0440";
-    user = "root";
-  };
-
+  environment.etc."alloy/config.alloy".source = ./config.alloy;
+  environment.etc."alloy/base.alloy".source = ./base.alloy;
   services.alloy.enable = true;
 }
diff --git a/modules/mixins/docker/default.nix b/modules/mixins/docker/default.nix
index 481b969..05695e7 100644
--- a/modules/mixins/docker/default.nix
+++ b/modules/mixins/docker/default.nix
@@ -3,9 +3,5 @@
   virtualisation.oci-containers.backend = "docker";
 
   # Monitoring
-  environment.etc."alloy/docker.alloy" = {
-    source = ./config.alloy;
-    mode = "0440";
-    user = "root";
-  };
+  environment.etc."alloy/docker.alloy".source = ./config.alloy;
 }
diff --git a/modules/mixins/ecs-agent/config.alloy b/modules/mixins/ecs-agent/config.alloy
index ede3c60..70bc7f1 100644
--- a/modules/mixins/ecs-agent/config.alloy
+++ b/modules/mixins/ecs-agent/config.alloy
@@ -1,8 +1,5 @@
 prometheus.scrape "ecs_agent" {
-  targets = [
-    {"__address__" = "127.0.0.1:51680", instance = env("HOSTNAME")},
-  ]
-
+  targets         = [{"__address__" = "127.0.0.1:51680"}]
   forward_to      = [prometheus.relabel.instance.receiver]
   scrape_interval = "30s"
 }
diff --git a/modules/mixins/ecs-agent/default.nix b/modules/mixins/ecs-agent/default.nix
index 0f12c9f..e198427 100644
--- a/modules/mixins/ecs-agent/default.nix
+++ b/modules/mixins/ecs-agent/default.nix
@@ -47,9 +47,5 @@
   };
 
   # Monitoring
-  environment.etc."alloy/ecs-agent.alloy" = {
-    source = ./config.alloy;
-    mode = "0440";
-    user = "root";
-  };
+  environment.etc."alloy/ecs-agent.alloy".source = ./config.alloy;
 }
diff --git a/modules/tests/alloy/default.nix b/modules/tests/alloy/default.nix
new file mode 100644
index 0000000..1caaf3f
--- /dev/null
+++ b/modules/tests/alloy/default.nix
@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+pkgs.testers.runNixOSTest {
+  name = "alloy-test";
+
+  nodes.machine = { ... }: {
+    networking.firewall.allowedTCPPorts = [ 12345 ];
+    imports = [ ../../mixins/alloy ];
+  };
+
+  testScript = ''
+    machine.wait_for_unit("alloy.service", timeout=10)
+    machine.wait_for_open_port(12345, timeout=10)
+    machine.succeed("curl http://localhost:12345 | grep -o \"Grafana Alloy\"")
+  '';
+}
diff --git a/modules/tests/default.nix b/modules/tests/default.nix
new file mode 100644
index 0000000..14b5306
--- /dev/null
+++ b/modules/tests/default.nix
@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  alloy = pkgs.callPackage ./alloy/default.nix { };
+}