diff --git a/applications/loki.yaml b/applications/loki.yaml
new file mode 100644
index 00000000..4c3e4c3d
--- /dev/null
+++ b/applications/loki.yaml
@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: loki
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: loki
+ server: 'https://kubernetes.default.svc'
+ sources:
+ - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+ path: network-policies/netpol-loki
+ targetRevision: HEAD
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: HEAD
+ ref: values
+ - repoURL: 'https://grafana.github.io/helm-charts'
+ targetRevision: 3.3.4
+ chart: loki
+ helm:
+ valueFiles:
+ - $values/kustomizations/loki/values.yaml
+ project: aux
+ ignoreDifferences:
+ - group: apps
+ kind: StatefulSet
+ jsonPointers:
+ - /spec/persistentVolumeClaimRetentionPolicy
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ automated:
+ prune: true
+ selfHeal: true
diff --git a/kustomizations/loki/values.yaml b/kustomizations/loki/values.yaml
new file mode 100644
index 00000000..e93b1fb1
--- /dev/null
+++ b/kustomizations/loki/values.yaml
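Review bot: In applications/loki.yaml both Git entries under `spec.sources` use `targetRevision: HEAD` while `syncPolicy.automated` sets `prune: true` and `selfHeal: true`, so any commit that lands on the default branch of either repository is applied to the cluster without a review step in this repo. The first source pulls the NetworkPolicies for the `loki` namespace from a repository in a different GitLab group (`serit/k8s/serit-platform-manifests`), so a change or compromise there would alter the namespace's network isolation automatically. Pin that source to a reviewed tag or commit, e.g. `targetRevision: <tag-or-commit-sha>`, and bump it deliberately, the way the Helm chart source is already pinned to `3.3.4`.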
@@ -0,0 +1,111 @@
+loki:
+ auth_enabled: false
+ storage:
+ bucketNames:
+ chunks: loki-chunks
+ ruler: loki-chunks
+ admin: loki-chunks
+ s3:
+ endpoint: http://10.255.241.30:30080
+ region: tos
+ secretAccessKey: ${S3SECRET}
+ accessKeyId: ${S3KEY}
+ s3ForcePathStyle: true
+ http_config:
+ insecure_skip_verify: true
+write:
+ extraArgs:
+ - -config.expand-env=true
+ extraEnv:
+ - name: S3KEY
+ valueFrom:
+ secretKeyRef:
+ name: loki-s3
+ key: AWS_ACCESS_KEY_ID
+ - name: S3SECRET
+ valueFrom:
+ secretKeyRef:
+ name: loki-s3
+ key: AWS_ACCESS_KEY_SECRET
+ tolerations:
+ - effect: "NoSchedule"
+ operator: "Equal"
+ key: "unschedulable"
+ value: "true"
+read:
+ extraArgs:
+ - -config.expand-env=true
+ extraEnv:
+ - name: S3KEY
+ valueFrom:
+ secretKeyRef:
+ name: loki-s3
+ key: AWS_ACCESS_KEY_ID
+ - name: S3SECRET
+ valueFrom:
+ secretKeyRef:
+ name: loki-s3
+ key: AWS_ACCESS_KEY_SECRET
+ tolerations:
+ - effect: "NoSchedule"
+ operator: "Equal"
+ key: "unschedulable"
+ value: "true"
+ingress:
+ enabled: true
+ ingressClassName: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-staging
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ atlantis.oceanbox.io/expose: internal
+ paths:
+ # -- Paths that are exposed by Loki Distributor.
+ # If deployment mode is Distributed, the requests are forwarded to the service: `{{"loki.distributorFullname"}}`.
+ # If deployment mode is SimpleScalable, the requests are forwarded to write k8s service: `{{"loki.writeFullname"}}`.
+ # If deployment mode is SingleBinary, the requests are forwarded to the central/single k8s service: `{{"loki.singleBinaryFullname"}}`
+ distributor:
+ - /api/prom/push
+ - /loki/api/v1/push
+ - /otlp/v1/logs
+ # -- Paths that are exposed by Loki Query Frontend.
+ # If deployment mode is Distributed, the requests are forwarded to the service: `{{"loki.queryFrontendFullname"}}`.
+ # If deployment mode is SimpleScalable, the requests are forwarded to write k8s service: `{{"loki.readFullname"}}`.
+ # If deployment mode is SingleBinary, the requests are forwarded to the central/single k8s service: `{{"loki.singleBinaryFullname"}}`
+ queryFrontend:
+ - /api/prom/query
+ # this path covers labels and labelValues endpoints
+ - /api/prom/label
+ - /api/prom/series
+ - /api/prom/tail
+ - /loki/api/v1/query
+ - /loki/api/v1/query_range
+ - /loki/api/v1/tail
+ # this path covers labels and labelValues endpoints
+ - /loki/api/v1/label
+ - /loki/api/v1/labels
+ - /loki/api/v1/series
+ - /loki/api/v1/index/stats
+ - /loki/api/v1/index/volume
+ - /loki/api/v1/index/volume_range
+ - /loki/api/v1/format_query
+ - /loki/api/v1/detected_fields
+ - /loki/api/v1/detected_labels
+ - /loki/api/v1/patterns
+ # -- Paths that are exposed by Loki Ruler.
+ # If deployment mode is Distributed, the requests are forwarded to the service: `{{"loki.rulerFullname"}}`.
+ # If deployment mode is SimpleScalable, the requests are forwarded to k8s service: `{{"loki.backendFullname"}}`.
+ # If deployment mode is SimpleScalable but `read.legacyReadTarget` is `true`, the requests are forwarded to k8s service: `{{"loki.readFullname"}}`.
+ # If deployment mode is SingleBinary, the requests are forwarded to the central/single k8s service: `{{"loki.singleBinaryFullname"}}`
+ ruler:
+ - /api/prom/rules
+ - /api/prom/api/v1/rules
+ - /api/prom/api/v1/alerts
+ - /loki/api/v1/rules
+ - /prometheus/api/v1/rules
+ - /prometheus/api/v1/alerts
+ hosts:
+ - loki.adm.oceanbox.io
+ tls:
+ - hosts:
+ - loki.adm.oceanbox.io
+ secretName: loki-distributed-tls
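Review bot: In kustomizations/loki/values.yaml, `loki.auth_enabled: false` together with the `ingress` block publishes the push, query and ruler paths on `loki.adm.oceanbox.io` with no authentication visible in this file, so any client that can reach the ingress can write logs, read every stream and manage ruler rules. Whether `atlantis.oceanbox.io/expose: internal` limits reachability cannot be told from this diff; unless it does, put an auth layer on the ingress, e.g. `nginx.ingress.kubernetes.io/auth-type: basic` with `nginx.ingress.kubernetes.io/auth-secret: <secret-name>`, or restrict clients with `nginx.ingress.kubernetes.io/whitelist-source-range`. The S3 `endpoint` is plain `http://`, so log chunks cross the network unencrypted, and `insecure_skip_verify: true` would silently disable certificate validation once the endpoint moves to HTTPS; prefer an `https://` endpoint with a trusted CA and drop that flag. `cert-manager.io/cluster-issuer: letsencrypt-staging` yields certificates that clients do not trust, which pushes log shippers toward turning verification off, so switch to the production issuer before agents are pointed at this host.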