diff --git a/docker/alloy/.env.example b/docker/alloy/.env.example
new file mode 100644
index 0000000..9074609
--- /dev/null
+++ b/docker/alloy/.env.example
@@ -0,0 +1,33 @@
+# =============================================================================
+# Grafana Alloy — Centralized OpenTelemetry Pipeline
+# =============================================================================
+# Domain target: https://alloy.ld50.xyz
+# Docs: https://grafana.com/docs/alloy/latest/
+# Image: grafana/alloy
+# =============================================================================
+
+# -- Image Tag -----------------------------------------------------------------
+# Use a stable version tag from https://github.com/grafana/alloy/releases
+ALLOY_VERSION=v1.17.0
+
+# -- Exposed Ports -------------------------------------------------------------
+# Alloy UI / debug / health endpoint
+EXPOSE_ALLOY_UI_PORT=12345
+# OTLP gRPC receiver (used by instrumented apps/services writing OTLP gRPC)
+EXPOSE_OTLP_GRPC_PORT=4317
+# OTLP HTTP receiver (used by instrumented apps/services writing OTLP HTTP)
+EXPOSE_OTLP_HTTP_PORT=4318
+
+# -- Forwarding Target ---------------------------------------------------------
+# Where Alloy forwards all received telemetry.
+# Defaults to LGTM's OTLP HTTP endpoint on the shared pipeline network.
+ALLOY_OTLP_FORWARD_ENDPOINT=http://lgtm:4318
+
+# -- Log Level -----------------------------------------------------------------
+# Alloy log level: debug, info, warn, error
+ALLOY_LOG_LEVEL=info
+
+# -- UI Basic Auth (optional) --------------------------------------------------
+# Leave ALLOY_UI_PASSWORD empty to disable authentication.
+ALLOY_UI_USERNAME=admin
+ALLOY_UI_PASSWORD=
diff --git a/docker/alloy/compose.yaml b/docker/alloy/compose.yaml
new file mode 100644
index 0000000..f15debc
--- /dev/null
+++ b/docker/alloy/compose.yaml
@@ -0,0 +1,70 @@
+name: alloy
+
+services:
+    alloy:
+        image: grafana/alloy:${ALLOY_VERSION:-v1.17.0}
+        restart: unless-stopped
+        command:
+            - run
+            - --server.http.listen-addr=0.0.0.0:12345
+            - --storage.path=/var/lib/alloy/data
+            - /etc/alloy/config.alloy
+        environment:
+            OTEL_EXPORTER_OTLP_ENDPOINT: ${ALLOY_OTLP_FORWARD_ENDPOINT:-http://lgtm:4318}
+
+            # Log level: debug, info, warn, error
+            ALLOY_LOG_LEVEL: ${ALLOY_LOG_LEVEL:-info}
+
+            # UI basic auth (optional)
+            ALLOY_UI_USERNAME: ${ALLOY_UI_USERNAME:-admin}
+            ALLOY_UI_PASSWORD: ${ALLOY_UI_PASSWORD:-}
+
+        ports:
+            # Alloy UI / debug endpoint
+            - ${EXPOSE_ALLOY_UI_PORT:-12345}:12345
+            # OTLP gRPC receiver
+            - ${EXPOSE_OTLP_GRPC_PORT:-4317}:4317
+            # OTLP HTTP receiver
+            - ${EXPOSE_OTLP_HTTP_PORT:-4318}:4318
+
+        volumes:
+            # Pipeline configuration
+            - ./config.alloy:/etc/alloy/config.alloy:ro
+            # Persistent storage for component state
+            - ./alloy-data:/var/lib/alloy/data
+
+        healthcheck:
+            test:
+                - CMD
+                - wget
+                - --no-verbose
+                - --tries=1
+                - --spider
+                - http://localhost:12345/-/healthy
+            interval: 15s
+            timeout: 5s
+            retries: 10
+            start_period: 10s
+
+        networks:
+            alloy:
+            pipeline:
+                aliases:
+                    - alloy
+                    - otel
+            # swag:
+            #     aliases:
+            #         - alloy
+
+networks:
+    alloy:
+        name: alloy
+        driver: bridge
+    pipeline:
+        name: pipeline
+        external: true
+    # swag:
+    #     name: swag
+    #     external: true
+
+volumes: {}
diff --git a/docker/alloy/config.alloy b/docker/alloy/config.alloy
new file mode 100644
index 0000000..3f545e3
--- /dev/null
+++ b/docker/alloy/config.alloy
@@ -0,0 +1,45 @@
+// =============================================================================
+// Grafana Alloy Pipeline Configuration
+// Centralized OpenTelemetry collector for the curated compose stacks.
+// Receives OTLP traces/metrics/logs and forwards to the LGTM backend.
+// =============================================================================
+
+// ---------------------------------------------------------------------------
+// OTLP Receiver — gRPC + HTTP
+// All stacks push telemetry here via OTLP gRPC (port 4317) or OTLP HTTP (port
+// 4318). Other stacks reference this service on the `pipeline` network as `otel`
+// or `alloy`.
+// ---------------------------------------------------------------------------
+otelcol.receiver.otlp "default" {
+    grpc {
+        endpoint = "0.0.0.0:4317"
+    }
+    http {
+        endpoint = "0.0.0.0:4318"
+    }
+}
+
+// ---------------------------------------------------------------------------
+// OTLP Exporter — Forward to LGTM
+// Sends all received telemetry to the LGTM backend (grafana/otel-lgtm).
+// The target endpoint is configurable via the ALLOY_OTLP_FORWARD_ENDPOINT env
+// var, defaulting to http://lgtm:4318 (LGTM's OTLP HTTP endpoint on pipeline).
+// ---------------------------------------------------------------------------
+otelcol.exporter.otlp "lgtm" {
+    client {
+        endpoint = env("OTEL_EXPORTER_OTLP_ENDPOINT", "http://lgtm:4318")
+        tls {
+            insecure             = true
+            insecure_skip_verify = true
+        }
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Pipeline — Connect receiver to exporter(s)
+// Routes telemetry from the OTLP receiver to the LGTM exporter.
+// ---------------------------------------------------------------------------
+otelcol.pipeline "default" {
+    receiver = otelcol.receiver.otlp.default
+    exporter = otelcol.exporter.otlp.lgtm
+}
diff --git a/docker/alloy/swag/alloy.subdomain.conf b/docker/alloy/swag/alloy.subdomain.conf
new file mode 100644
index 0000000..24f410a
--- /dev/null
+++ b/docker/alloy/swag/alloy.subdomain.conf
@@ -0,0 +1,37 @@
+## -----------------------------------------------------------------------------
+## SWAG proxy config for Grafana Alloy
+## Domain: alloy.ld50.xyz
+## Upstream: alloy:12345 (shared Docker network: ${NETWORKS_EXTERNAL_NAME:-swag})
+##
+## Install:
+## 1) Copy this file into SWAG: /config/nginx/proxy-confs/alloy.subdomain.conf
+## 2) Ensure both stacks share the same external Docker network (e.g. `swag`).
+## 3) In curated_compose/alloy/compose.yaml, uncomment external_network.
+## 4) Reload SWAG.
+## -----------------------------------------------------------------------------
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name alloy.ld50.xyz;
+
+    include /config/nginx/ssl.conf;
+
+    location / {
+        include /config/nginx/proxy.conf;
+
+        set $upstream_app alloy;
+        set $upstream_port 12345;
+        set $upstream_proto http;
+
+        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+        # Alloy UI uses WebSocket for live config reload
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+    }
+}