diff --git a/nixos/modules/monitoring/exporters/promtail.nix b/nixos/modules/monitoring/exporters/promtail.nix
index 83de3250af5f02635ec5c790eedf445b1e38a92e..d0a49971dda80c64e0c9f190f671c0a756c21b73 100644
--- a/nixos/modules/monitoring/exporters/promtail.nix
+++ b/nixos/modules/monitoring/exporters/promtail.nix
@@ -32,6 +32,29 @@ in {
   config = lib.mkIf cfg.enable {
     services.promtail.enable = true;
     networking.firewall.interfaces.monitoringvpn.allowedTCPPorts = [ 9080 ];
+
+    # Since we'll send our journald logs elsewhere, we don't need to keep them
+    # here for very long.  Keep them for a *little* while just to provide some
+    # context in case someone ends up looking at the logs on the system itself
+    # but generally suppose that people will look at Loki instead.
+    services.journald.extraConfig = ''
+      # This tells journald it can discard log files that contain only log
+      # entries that are older than 29 days.
+      MaxRetentionSec=29day
+
+      # This tells journald to start a new log file once a day.  Together with
+      # the MaxRetentionSec setting, this means that entries are kept for
+      # between 29 and 30 days (plus whatever scheduling slop journald has in
+      # enforcing these limits).
+      #
+      # https://www.freedesktop.org/software/systemd/man/journald.conf.html
+      # for further details about these options.
+      #
+      # A maximum retention of 30 days conforms to the published log retention
+      # policy.
+      MaxFileSec=1day
+    '';
+
     services.promtail.configuration = {
       server = {
         http_listen_port = 9080; # Using /metrics for health check