diff --git a/modules/services/prometheus/default.nix b/modules/services/prometheus/default.nix
new file mode 100644
index 0000000..45de0f5
--- /dev/null
+++ b/modules/services/prometheus/default.nix
@@ -0,0 +1,44 @@
+{
+ options,
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.aa.services.prometheus;
+in {
+ options.aa.services.prometheus = with types; {
+ enable = mkEnableOption "prometheus";
+ acmeCertName = mkOption {
+ type = str;
+ default = "";
+ description = ''
+ If set to a non-empty string, forces SSL with the supplied acme
+ certificate.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ services.prometheus.enable = true;
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."prometheus.${cfg.acmeCertName}" =
+ {
+ locations."/" = {
+ proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
+ };
+ }
+ // lib.optionalAttrs (cfg.acmeCertName != "") {
+ forceSSL = true;
+ useACMEHost = cfg.acmeCertName;
+ };
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [80 443];
+ };
+ };
+}
diff --git a/systems/x86_64-linux/node/default.nix b/systems/x86_64-linux/node/default.nix
index 84670d0..a8c138a 100644
--- a/systems/x86_64-linux/node/default.nix
+++ b/systems/x86_64-linux/node/default.nix
@@ -34,6 +34,10 @@
 enable = true;
 acmeCertName = "kilonull.com";
 };
+ services.prometheus = {
+ enable = true;
+ acmeCertName = "kilonull.com";
+ };
 services.syncoid = {
 # sudo -u backups zfs create -o mountpoint=/tank/backups/gospel tank/backups/gospel
 enable = true;
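Review bot: The `locations."/"` proxy in the new module has no access control, while the same module opens ports 80 and 443 in the firewall; Prometheus does not authenticate requests by default, so the metrics, target list and loaded configuration become readable by anyone who can reach the host. I would put a restriction on the location, for example `basicAuthFile = "<path-to-htpasswd-outside-the-store>";` or an allow/deny list in `extraConfig`, before this is enabled on `node` in the second hunk. The module also leaves `services.prometheus.listenAddress` at its default, which I believe is `0.0.0.0` in nixpkgs; setting `services.prometheus.listenAddress = "127.0.0.1";` would keep the backend reachable only through nginx and gives `proxyPass` a usable upstream address. Separately, with the default `acmeCertName = ""` the vhost is named `prometheus.` and served over plain HTTP, so an `assertions` entry requiring a non-empty name (or a separate domain option) would make that case fail at evaluation instead of deploying silently.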