diff --git a/roles/alloy/defaults/main.yml b/roles/alloy/defaults/main.yml
index 7ab8d525..5708549a 100644
--- a/roles/alloy/defaults/main.yml
+++ b/roles/alloy/defaults/main.yml
@@ -43,3 +43,8 @@ grafana_alloy_config: |
         url = "http://mimir:9009/api/v1/push"
     }
   }
+
+# Stolen from promtail to allow Alloy to read /var/log/messages
+grafana_alloy_runtime_mode: "acl"  # Supported "root" or "acl"
+grafana_alloy_user_append_groups:
+  - "systemd-journal"
diff --git a/roles/alloy/tasks/install.yml b/roles/alloy/tasks/install.yml
index 0f291209..110a0448 100644
--- a/roles/alloy/tasks/install.yml
+++ b/roles/alloy/tasks/install.yml
@@ -18,6 +18,20 @@
     create_home: false  # Appropriate for a system user, usually doesn't need a home directory
   become: true
 
+# Mercilessly stealing from promtail to allow Alloy to read /var/log/messages etc.
+- name: Add the Alloy system user to additional group
+  ansible.builtin.user:
+    name: "{{ grafana_alloy_service_user }}"
+    groups: "{{ item }}"
+    system: true
+    append: true
+    create_home: false
+    state: present
+  loop: "{{ grafana_alloy_user_append_groups }}"
+  when:
+    - grafana_alloy_user_append_groups | length > 0
+    - grafana_alloy_runtime_mode == "acl"
+
 - name: Download alloy binary
   ansible.builtin.get_url:
     url: "{{ grafana_alloy_binary_url }}"