diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix index 1b321d8..7ab9d3c 100644 --- a/hosts/matrix/default.nix +++ b/hosts/matrix/default.nix @@ -5,6 +5,7 @@ ../common.nix ../../services/openssh.nix ../../services/nginx.nix + ../../services/prometheus-node.nix ./nginx.nix ./synapse.nix ./draupnir.nix diff --git a/hosts/md/default.nix b/hosts/md/default.nix index e30f687..437a864 100644 --- a/hosts/md/default.nix +++ b/hosts/md/default.nix @@ -4,6 +4,7 @@ imports = [ ../common.nix ../../services/openssh.nix + ../../services/prometheus-node.nix ./hedgedoc.nix ../../services/nginx.nix ./nginx.nix diff --git a/hosts/monitoring/default.nix b/hosts/monitoring/default.nix index fb2e323..18ccdce 100644 --- a/hosts/monitoring/default.nix +++ b/hosts/monitoring/default.nix @@ -4,8 +4,9 @@ imports = [ ../common.nix ../../services/openssh.nix + ../../services/prometheus-node.nix ../../services/nginx.nix - #./nginx.nix + ./nginx.nix #./prometheus.nix #./grafana.nix ]; diff --git a/hosts/monitoring/nginx.nix b/hosts/monitoring/nginx.nix index 5712204..bb61893 100644 --- a/hosts/monitoring/nginx.nix +++ b/hosts/monitoring/nginx.nix @@ -7,7 +7,7 @@ kTLS = true; forceSSL = true; enableACME = true; - #basicAuthFile = config.age.secrets.grafana_basic_auth.path; + basicAuthFile = config.age.secrets.grafana_basic_auth.path; locations = { "/" = { #proxyPass = "http://"; diff --git a/hosts/sql/default.nix b/hosts/sql/default.nix index 707f731..50c94ce 100644 --- a/hosts/sql/default.nix +++ b/hosts/sql/default.nix @@ -4,6 +4,7 @@ imports = [ ../common.nix ../../services/openssh.nix + ../../services/prometheus-node.nix ./postgres.nix ]; diff --git a/hosts/www/default.nix b/hosts/www/default.nix index fd41fe2..2a62713 100644 --- a/hosts/www/default.nix +++ b/hosts/www/default.nix @@ -5,6 +5,7 @@ ../common.nix ../../services/openssh.nix ./openssh.nix + ../../services/prometheus-node.nix ../../services/nginx.nix ./nginx.nix ]; 
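Review bot: In hosts/monitoring/nginx.nix the newly enabled `basicAuthFile = config.age.secrets.grafana_basic_auth.path;` reads a secret that no hunk in this commit declares; only the encrypted file and its recipient list in secrets/secrets.nix are added. Unless the declaration exists elsewhere, evaluation fails on the missing attribute, and agenix by default decrypts secrets as root-owned with mode 0400, so the nginx worker could not read the file even once it is declared. A declaration on the monitoring host such as `age.secrets.grafana_basic_auth = { file = ../../secrets/grafana_basic_auth.age; owner = config.services.nginx.user; };` would cover both. The vhost body starts and ends outside the hunk and the `proxyPass` under `"/"` is still commented out, so confirm that the auth prompt actually fronts a backend and that no other vhost reaches Grafana without it.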
diff --git a/secrets/grafana_basic_auth.age b/secrets/grafana_basic_auth.age new file mode 100644 index 0000000..0a9d08f Binary files /dev/null and b/secrets/grafana_basic_auth.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3114dbe..d687b70 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -35,6 +35,7 @@ in "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ]; "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ]; + "grafana_basic_auth.age".publicKeys = users ++ [ _monitoring ]; "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; diff --git a/services/prometheus-node.nix b/services/prometheus-node.nix new file mode 100644 index 0000000..71e75e7 --- /dev/null +++ b/services/prometheus-node.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + services.prometheus.exporters.node = { + enable = true; + #listenAddress = "0.0.0.0"; + firewallRules = '' + ip saddr 195.160.173.14/32 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der" + ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der" + ''; + enabledCollectors = []; + disabledCollectors = []; + }; +} +
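Review bot: services/prometheus-node.nix will not evaluate as written: the module header is `{ ... }:`, so `config` is unbound in the two `firewallRules` lines, and the exporter `port` is an integer, which `${...}` does not coerce to a string. Binding `config` and wrapping the port in `toString` fixes both, and since five hosts import this module in the same commit, each of them is affected. As the option is documented, `firewallRules` only applies when `openFirewall = true` and the host firewall uses nftables. On an iptables host `openFirewall` instead falls back to the default filter, which opens the unauthenticated metrics port to every source, so verify the allowlist on a deployed host. The rule comments end in `.ccc.der`, which looks like a typo in the monitoring hostname.

```nix
{ config, ... }:

{
  services.prometheus.exporters.node = {
    enable = true;
    # firewallRules below is only applied when openFirewall is set (nftables hosts)
    openFirewall = true;
    # … unchanged: commented-out listenAddress …
    firewallRules = ''
      ip saddr 195.160.173.14/32 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
      ip6 saddr 2001:678:760:cccb::14/128 tcp dport ${toString config.services.prometheus.exporters.node.port} accept comment "Allow prometheus on monitoring.berlin.ccc.der"
    '';
    # … unchanged: enabledCollectors, disabledCollectors …
  };
}
```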