diff --git a/nixos/hosts/reisen-nrt0/default.nix b/nixos/hosts/reisen-nrt0/default.nix
index 6b5ffaf..6ae6210 100644
--- a/nixos/hosts/reisen-nrt0/default.nix
+++ b/nixos/hosts/reisen-nrt0/default.nix
@@ -11,6 +11,7 @@
       services.caddy
       services.knot.secondary
       services.prometheus.node-exporter
+      services.prometheus.server
     ])
     ++ (mylib.path.scanPaths ./. "default.nix");
 
diff --git a/nixos/profiles/services/prometheus/server.nix b/nixos/profiles/services/prometheus/server.nix
new file mode 100644
index 0000000..851495c
--- /dev/null
+++ b/nixos/profiles/services/prometheus/server.nix
@@ -0,0 +1,43 @@
+{ config, lib, ... }:
+let
+  common = import ../../../../zones/common.nix;
+  publicHosts = lib.filterAttrs (_name: value: value.endpoints != [ ]) common.hosts;
+  targets = lib.mapAttrsToList (name: _value: "${name}.rebmit.link") publicHosts;
+in
+{
+  sops.secrets."prometheus/password" = {
+    sopsFile = config.sops.secretFiles.host;
+    owner = config.systemd.services.prometheus.serviceConfig.User;
+    restartUnits = [ "prometheus.service" ];
+  };
+
+  services.prometheus = {
+    enable = true;
+    webExternalUrl = "https://prometheus.rebmit.moe";
+    listenAddress = "127.0.0.1";
+    port = config.networking.ports.prometheus;
+    retentionTime = "7d";
+    globalConfig = {
+      scrape_interval = "1m";
+      evaluation_interval = "1m";
+    };
+    scrapeConfigs = [
+      {
+        job_name = "metrics";
+        scheme = "https";
+        metrics_path = "/metrics";
+        basic_auth = {
+          username = "prometheus";
+          password_file = config.sops.secrets."prometheus/password".path;
+        };
+        static_configs = [ { inherit targets; } ];
+      }
+    ];
+  };
+
+  services.caddy.virtualHosts."prometheus.rebmit.moe" = {
+    extraConfig = with config.services.prometheus; ''
+      reverse_proxy ${listenAddress}:${toString port}
+    '';
+  };
+}
diff --git a/zones/rebmit.moe.nix b/zones/rebmit.moe.nix
index 3e30cc2..2c23847 100644
--- a/zones/rebmit.moe.nix
+++ b/zones/rebmit.moe.nix
@@ -48,5 +48,6 @@ dns.lib.toString "rebmit.moe" {
     matrix.CNAME = [ "suwako-vie0.rebmit.link." ];
     miniflux.CNAME = [ "suwako-vie0.rebmit.link." ];
     ntfy.CNAME = [ "suwako-vie0.rebmit.link." ];
+    prometheus.CNAME = [ "reisen-nrt0.rebmit.link." ];
   };
 }