diff --git a/system/services/telemetry/alloy.nix b/system/services/telemetry/alloy.nix index f9749ea..7728f47 100644 --- a/system/services/telemetry/alloy.nix +++ b/system/services/telemetry/alloy.nix @@ -8,6 +8,8 @@ let cfg = config.profile.services.telemetry.alloy; webguiListenAddress = "0.0.0.0:5319"; + otelcolHTTPListenAddress = "192.168.100.5:4318"; + otelcolGRPCListenAddress = "192.168.100.5:4317"; domain = "alloy.tigor.web.id"; in { @@ -32,6 +34,26 @@ in reverse_proxy ${webguiListenAddress} ''; + services.caddy.virtualHosts."otelhttp.tigor.web.id".extraConfig = '' + @require_auth not remote_ip private_ranges + + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} + } + + reverse_proxy ${otelcolHTTPListenAddress} + ''; + + services.caddy.virtualHosts."otelgrpc.tigor.web.id".extraConfig = '' + @require_auth not remote_ip private_ranges + + basic_auth @require_auth { + {$AUTH_USERNAME} {$AUTH_PASSWORD} + } + + reverse_proxy ${otelcolGRPCListenAddress} + ''; + systemd.services.alloy.serviceConfig = { User = "root"; }; @@ -39,18 +61,18 @@ in environment.etc."alloy/config.alloy".text = let lokiConfig = config.services.loki.configuration; - tempoServer = config.services.tempo.settings.server; + tempoProtocols = config.services.tempo.settings.distributor.receivers.otlp.protocols; mimirServer = config.services.mimir.configuration.server; in # hcl '' otelcol.receiver.otlp "homeserver" { grpc { - endpoint = "0.0.0.0:5317" + endpoint = "${otelcolGRPCListenAddress}" } http { - endpoint = "0.0.0.0:5318" + endpoint = "${otelcolHTTPListenAddress}" } output { @@ -133,7 +155,11 @@ in otelcol.exporter.otlp "tempo" { client { - endpoint = "${tempoServer.http_listen_address}:${toString tempoServer.http_listen_port}" + endpoint = "${tempoProtocols.grpc.endpoint}" + tls { + insecure = true + insecure_skip_verify = true + } } } diff --git a/system/services/telemetry/tempo.nix b/system/services/telemetry/tempo.nix index c6765c0..d4cae57 100644 
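Review bot: In both new virtual hosts the `@require_auth not remote_ip private_ranges` matcher exempts every RFC 1918 and loopback peer from basic auth, which is far wider than the 192.168.100.x addresses the receivers are bound to. If anything proxies or tunnels traffic to Caddy from a private address, those requests would skip authentication too. Consider narrowing it to the network that is meant to be trusted, e.g. `@require_auth not remote_ip 192.168.100.0/24` (the prefix length is a guess, adjust to the real subnet). Separately, the `otelgrpc` host forwards to a plaintext gRPC listener and Caddy speaks HTTP/1.1 to upstreams by default, so it probably needs `reverse_proxy h2c://${otelcolGRPCListenAddress}`. Caddy's `basic_auth` expects a password hash, so a comment that `AUTH_PASSWORD` must hold the hash and not the clear password would help.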
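Review bot: The `otelcol.receiver.otlp "homeserver"` endpoints now bind to `192.168.100.5`, but no TLS or auth setting is visible for the receiver in this hunk. Any host that can reach that address on 4317/4318 can therefore push telemetry without going through the Caddy basic-auth hosts. If that is intended, say so beside the block, e.g. `// plaintext, unauthenticated OTLP; internal network only, external senders go through Caddy`, and make sure the firewall agrees. The ports also move from 5317/5318 to 4317/4318 and loopback clients no longer reach the listener, so existing senders need updating. The receiver block continues past the end of the hunk.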
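Review bot: In the `tls` block of `otelcol.exporter.otlp "tempo"`, `insecure = true` already turns TLS off for this client, so `insecure_skip_verify = true` has no effect today. It would silently disable certificate verification if TLS were enabled later by dropping `insecure`. I would remove `insecure_skip_verify = true` and leave a comment such as `// plaintext OTLP to Tempo on the internal network; remove once Tempo serves TLS`. Traces leave Alloy unencrypted here, which is only acceptable if the path between the two addresses is trusted.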
--- a/system/services/telemetry/tempo.nix +++ b/system/services/telemetry/tempo.nix @@ -17,11 +17,11 @@ in reverse_proxy ${server.http_listen_address}:3200 ''; - services.tempo = { + services.tempo = rec { enable = true; settings = { server = { - http_listen_address = "0.0.0.0"; + http_listen_address = "192.168.100.3"; http_listen_port = 3200; grpc_listen_port = 9096; }; @@ -29,7 +29,12 @@ in receivers = { otlp = { protocols = { - http = { }; + http = { + endpoint = "${settings.server.http_listen_address}:4318"; + }; + grpc = { + endpoint = "${settings.server.http_listen_address}:4317"; + }; }; }; };
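Review bot: Only `http_listen_address` is narrowed to `192.168.100.3`; `grpc_listen_port = 9096` is left without a matching `grpc_listen_address`, so the server's gRPC port presumably still listens on all interfaces. If the aim of this change is to stop listening on `0.0.0.0`, add `grpc_listen_address = "192.168.100.3";` next to it. The `settings` attribute set continues outside the hunk.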
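Review bot: The new `endpoint` strings read `settings.server.http_listen_address` through the `rec` added to `services.tempo` in the previous hunk. That resolves to this literal attribute set and not to the merged module value, so an override of the listen address from another module would not reach the OTLP receivers. The context line `reverse_proxy ${server.http_listen_address}:3200` suggests a `server` binding is already in scope, though its definition is outside the hunk. If it comes from `config`, `endpoint = "${server.http_listen_address}:4318";` and the `:4317` counterpart would make `rec` unnecessary. These receivers are plaintext and unauthenticated, so a short comment stating that they are meant for the internal network only would help the next reader.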