diff --git a/flake.nix b/flake.nix
index cb9b533..12aaf52 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,7 @@
 ./modules/puffer.nix
 ./modules/gitea.nix
 ./modules/grafana.nix
+ ./modules/prometheus.nix
 ./modules/letsencrypt.nix
 ./modules/fail2ban.nix
 ./modules/email.nix
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 0db9928..b4ce900 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -21,6 +21,8 @@ in {
 admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}";
 };
 server = {
+ domain = grafana_host;
+ root_url = "https://${grafana_host}";
 http_port = grafana_port;
 };
 };
@@ -34,6 +36,7 @@ in {
 useACMEHost = root_host;
 locations."/" = {
 proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
 };
 };
 };
diff --git a/modules/prometheus.nix b/modules/prometheus.nix
new file mode 100644
index 0000000..b28674c
--- /dev/null
+++ b/modules/prometheus.nix
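Review bot: In the first modules/grafana.nix hunk, `root_url` becomes `https://…` but nothing visible marks the session cookie as Secure. The `security` block is only visible from its `admin_password` line, so confirm the flag is not already set further up. If it is missing, add `cookie_secure = true;` next to `admin_password`. The `in { … }` body starts and ends outside the hunk.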
@@ -0,0 +1,51 @@
+{ config, ... } :
+let
+ root_host = "grimmauld.de";
+ prometheus_host = "prometheus.${root_host}";
+ prometheus_port = 9090; # netstat -nlp | grep 9090
+in {
+ security.acme.certs."${root_host}".extraDomainNames = [ prometheus_host];
+
+ services.prometheus = {
+ enable = true;
+ port = prometheus_port;
+ globalConfig.scrape_interval = "15s";
+ scrapeConfigs = [
+ {
+ job_name = "chrysalis";
+ static_configs = [{
+ targets = [
+ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
+ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}"
+ ];
+ }];
+ }
+ ];
+ exporters = {
+ nginx.enable = true;
+ redis.enable = true;
+ domain.enable = true;
+ postgres.enable = true;
+ nginxlog.enable = true;
+ jitsi.enable = true;
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."${prometheus_host}" = {
+ serverName = prometheus_host;
+ forceSSL = true;
+ useACMEHost = root_host;
+ locations."/" = {
+# proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
+ return = "307 https://${root_host}"; # nuh uh, no raw prometheus access for you!
+ };
+ };
+ };
+}
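Review bot: The 307 redirect in `locations."/"` only closes the nginx route; `services.prometheus` and the `node` exporter set a `port` but no `listenAddress`, so each listener keeps the module default, which as far as I know is all interfaces, and Prometheus has no authentication of its own. Every scrape target is `127.0.0.1`, so pin the listeners to loopback instead of relying on a firewall this diff does not show: `listenAddress = "127.0.0.1";` under `services.prometheus` and inside `node = { … }`, plus `nginx.listenAddress = "127.0.0.1";`. The `redis`, `domain`, `postgres`, `nginxlog` and `jitsi` exporters are enabled but appear in no `static_configs` target, so they listen with nothing consuming them; add them to the scrape job or leave them disabled. The commented-out `proxyPass` deserves a comment saying it must not return without `basicAuthFile` (for example from an age secret) or an allow-list on that location.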