diff --git a/flake.nix b/flake.nix
index 9655e72..cc88389 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,9 +10,10 @@
     nixosModules.default = { config, ... }: {
       imports = [
         modules/backup.nix
-        modules/jellyfin.nix
         modules/haproxy.nix
         modules/home-assistant.nix
+        modules/jellyfin.nix
+        modules/monitoring.nix
         modules/nextcloud-server.nix
       ];
     };
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
new file mode 100644
index 0000000..d8df37c
--- /dev/null
+++ b/modules/monitoring.nix
@@ -0,0 +1,90 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.shb.monitoring;
+in
+{
+  options.shb.monitoring = {
+    enable = lib.mkEnableOption "selfhostblocks.monitoring";
+
+    # sopsFile = lib.mkOption {
+    #   type = lib.types.path;
+    #   description = "Sops file location";
+    #   example = "secrets/monitoring.yaml";
+    # };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "grafana" ];
+      ensureUsers = [
+        {
+          name = "grafana";
+          ensurePermissions = {
+            "DATABASE grafana" = "ALL PRIVILEGES";
+          };
+          ensureClauses = {
+            "login" = true;
+          };
+        }
+      ];
+    };
+
+    services.grafana = {
+      enable = true;
+
+      database = {
+        host = "/run/postgresql";
+        user = "grafana";
+        name = "grafana";
+        type = "postgres";
+        # Uses peer auth for local users, so we don't need a password.
+        # Here's the syntax anyway for future refence:
+        # password = "$__file{/run/secrets/homeassistant/dbpass}";
+      };
+
+      settings = {
+        server = {
+          http_addr = "127.0.0.1";
+          http_port = 3000;
+        };
+      };
+    };
+
+    shb.reverseproxy.sites.grafana = {
+      frontend = {
+        acl = {
+          acl_grafana = "hdr_beg(host) grafana.";
+        };
+        use_backend = "if acl_grafana";
+      };
+      backend = {
+        servers = [
+          {
+            name = "grafana1";
+            address = "127.0.0.1:3000";
+            forwardfor = true;
+            balance = "roundrobin";
+            check = {
+              inter = "5s";
+              downinter = "15s";
+              fall = "3";
+              rise = "3";
+            };
+            httpcheck = "GET /";
+          }
+        ];
+      };
+    };
+
+    # sops.secrets."grafana" = {
+    #   inherit (cfg) sopsFile;
+    #   mode = "0440";
+    #   owner = "grafana";
+    #   group = "grafana";
+    #   # path = "${config.services.home-assistant.configDir}/secrets.yaml";
+    #   restartUnits = [ "grafana.service" ];
+    # };
+  };
+}