diff --git a/adyya-pkgs/adyya_pkgs.mod.nix b/adyya-pkgs/adyya_pkgs.mod.nix
index e5af837..696dc9d 100644
--- a/adyya-pkgs/adyya_pkgs.mod.nix
+++ b/adyya-pkgs/adyya_pkgs.mod.nix
@@ -66,7 +66,7 @@
 {
 nixpkgs.overlays = [
 (final: prev: {
- # beeref = final.callPackage ./beeref.nix {}; # I'M GOING TO TRUNCATE *YOU*, BEEREF.
+ # beeref = final.callPackage ./beeref.nix {}; # I'M GOING TO TRUNCATE *YOU*, BEEREF.
 })
 ];
 }
diff --git a/art.mod.nix b/art.mod.nix
index 51dd77f..8464dfe 100644
--- a/art.mod.nix
+++ b/art.mod.nix
@@ -18,7 +18,7 @@
 darktable
 obs-studio
 # pureref # not updated on nixpkgs apparently
- # beeref # straight up doesn't work
+ # beeref # straight up doesn't work
 ];
 }
 )
diff --git a/networking/firewall.mod.nix b/networking/firewall.mod.nix
index d952102..9a383c6 100644
--- a/networking/firewall.mod.nix
+++ b/networking/firewall.mod.nix
@@ -23,9 +23,13 @@
 networking.firewall = {
 allowedTCPPorts = [
 64738 # murmur tcp
+ 6700 # grafana
+ 6750 # prometheus
 ];
 allowedUDPPorts = [
 64738 # murmur udp
+ 6700 # grafana
+ 6750 # prometheus
 ];
 };
 }
@@ -36,9 +40,9 @@
 services.fail2ban.enable = true;
 networking.firewall = {
 interfaces.eth0.allowedTCPPorts = [
- 80
+ 80 # http
 222 # forgejo ssh
- 443
+ 443 # https
 64738 # murmur tcp
 ];
 interfaces.eth0.allowedUDPPorts = [
diff --git a/secrets.yaml b/secrets.yaml
index 1d7281d..82e98c5 100644
--- a/secrets.yaml
+++ b/secrets.yaml
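Review bot: In the first hunk of `networking/firewall.mod.nix`, 6700 and 6750 are added to `allowedUDPPorts` as well as `allowedTCPPorts`, but Grafana and Prometheus serve HTTP over TCP only, so the two UDP entries open ports nothing should be listening on and can be dropped. The TCP entries also sit in the un-scoped `networking.firewall` lists, unlike the `interfaces.eth0` lists in the second hunk, so they apply to every interface of whichever hosts this module covers (the module header is outside the hunk). Since Grafana is published through Caddy in this commit, consider limiting 6700 to the interface the proxy reaches it on, e.g. `interfaces.<internal-if>.allowedTCPPorts = [6700];` (placeholder interface name), and not opening 6750 unless a remote client really needs to query Prometheus.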
@@ -22,6 +22,10 @@ murmur_welcome_message: ENC[AES256_GCM,data:k05ez0/raIbgBMu90NrAg5O1nkucDibQXdj8 murmur_login_password: ENC[AES256_GCM,data:Fh6XjSxiLEP1jE56D9JRv0TokYOjEafeDkrh9/x5f+Rv4qgH18k54Le4dyl3EzNQ,iv:QbAPJx4xe2DT7AhXbOvQto4M6ICKVlJ/BXoP3ORjd4o=,tag:clHHTrQdi1bzA21gjY7mSg==,type:str] forgejo_runner_glucose_token: ENC[AES256_GCM,data:UWzKhDUojVrSWbS2sDyX8xdK9albNoHr9PACjbtd1YKhukfjC0W1ig==,iv:13gymOJQlwWrpz7CMweBf++BsLCJvq6XMv4CMdb32gk=,tag:tPgk6x8GLS9HH2VDuwPdvA==,type:str] forgejo_runner_fructose_token: ENC[AES256_GCM,data:vExgJdEHpqzn6DAsMVnE2e3EmgehZMFnPTAV/VYOGvl6kgTYqYoBhA==,iv:dja9VC4Pr9asl/I4ieg5c718V4Nq+pqvB8c7oQD5Qqc=,tag:ynFs2NQX466ECYnsmeUFzg==,type:str] +grafana_admin_account: ENC[AES256_GCM,data:kDj9o2cpRLmpRVwONBI=,iv:cQfeFhBAVMSysP43J+eDVKAmn1NM+aUN9huraGgpRkY=,tag:AFIr0pwRvHj8ruDAqc2Lww==,type:str] +grafana_admin_pass: ENC[AES256_GCM,data:AnuVrCJcfj1cHP5W2s5eDlRLaJTOc0T7W3sS2/flnA==,iv:EA0SGXxf9kF+ltmNgcd3rGE7Jmg8/+s3Gip0uByEF9o=,tag:Rm+eSe+H1uytm/MMxMuZpw==,type:str] +grafana_db_pass: ENC[AES256_GCM,data:2yVNv62go7Bxgmhoqx6J5WU=,iv:4VGAsT4WR0J/aNKUjts+rUIK5UR8OyHjCln4NXnS0LA=,tag:0KtbBFX+3+5fp6ekDSKGrw==,type:str] +grafana_secret_key: ENC[AES256_GCM,data:w5wrktLlSo8iIfc+r4Rc+XGj5RuXLeRvtTc3iHeGBZclrl+PsjIKf70p,iv:b0NM55wvDCyAtuBebjBgu2Zxio9cPTkFSNusu7veC4o=,tag:3suBUO0tizxjepLgJ1e1mw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -37,8 +41,8 @@ sops: NHg3M2l5MWY2alpHdVhIbE5PQ3VxeW8Kr+o5K2EIrPSfIFBWK68mWl4lWJooZxF/ vKsU99C2iIsbX/eTF2uNQqeDkOqy5egKCG42xikwycGFO/gbnCDIdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-26T10:35:19Z" - mac: ENC[AES256_GCM,data:sP45NUFj0qRLYj3w1bZN2C5gzOef4O7GFtE7GOkDHm4IQ8YaDJW+rt3DHiAqGt34qAHcP4ahDKpsL9S1ZPs4fw+DFUEdWZROUFAMS1OsTurVQUPt08DzC8mi6t3SH4ud6YZw3l6M8eja80BK7KsEBMD4UfxoP4pgQB4oOSRoJn4=,iv:5WJq42Idwu7oMKBQBGuFp44+Bnh/Ncgkuhq0lPi+Rxc=,tag:9O45IrqkMWVtyXgXBv1bmg==,type:str] + lastmodified: "2024-12-20T15:19:45Z" + mac: ENC[AES256_GCM,data:vDwQ9F9DgTAqdEjA5zDBR6v3ZCLM5VpZZoMpkrOC0baudVqPK7tt8IcyxgfESn9yJ/GGHwkHgmYvQSOSReEjwKtnMjoTjvAl41PBMwG1+5/c7nqliajk0Sx+znXxDoSIKac4XYlWp5J5myK+wln7pTwy0y7/CgKlsyhIOOxOKec=,iv:1hlEIE8rxk74mb6v8Z9wVel01mtF96eOwsPka2os5L8=,tag:PN4soo9Ko5PlUMbI9HeXow==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 diff --git a/services/caddy/Caddyfile b/services/caddy/Caddyfile index c35763c..ddcd352 100644 --- a/services/caddy/Caddyfile +++ b/services/caddy/Caddyfile @@ -48,4 +48,11 @@ https://cache.collective-conciousness.monster { encode zstd gzip reverse_proxy 10.24.1.4:5020 +} + +https://grf.collective-conciousness.monster { + encode zstd gzip + + reverse_proxy 10.24.1.4:6700 + } \ No newline at end of file diff --git a/services/monitoring/grafana.mod.nix b/services/monitoring/grafana.mod.nix new file mode 100644 index 0000000..0fa7f40 --- /dev/null +++ b/services/monitoring/grafana.mod.nix 
@@ -0,0 +1,60 @@
+{
+ glucose.modules = [
+ ({
+ config,
+ lib,
+ ...
+ }: {
+ services.grafana = {
+ enable = true;
+ dataDir = "/var/services/grafana";
+ # declarativePlugins = null;
+
+ settings = {
+ analytics = {
+ check_for_plugin_updates = false;
+ check_for_updates = false;
+ feedback_links_enabled = false;
+ reporting_enabled = false;
+ };
+
+ database = {
+ host = "10.24.1.9:5432";
+ type = "postgres";
+ name = "grafanadb";
+ user = "grafana";
+ password = builtins.concatStringsSep "" ["$__file" "{${config.sops.secrets.grafana_db_pass.path}}"];
+ };
+ # paths = {};
+ security = {
+ admin_user = builtins.concatStringsSep "" ["$__file" "{${config.sops.secrets.grafana_admin_account.path}}"];
+ admin_password = builtins.concatStringsSep "" ["$__file" "{${config.sops.secrets.grafana_admin_pass.path}}"];
+ secret_key = builtins.concatStringsSep "" ["$__file" "{${config.sops.secrets.grafana_secret_key.path}}"];
+
+ disable_gravatar = true;
+ cookie_secure = true;
+ };
+ server = {
+ root_url = "https://grf.collective-conciousness.monster";
+ enable_gzip = true;
+ http_addr = "0.0.0.0";
+ http_port = 6700;
+ };
+ # smtp = {};
+ users = {
+ allow_org_create = true;
+ default_theme = "system";
+ };
+ };
+
+ /*
+ provision = {
+ alerting = {};
+ dashboards = {};
+ datasources = {};
+ };
+ */
+ };
+ })
+ ];
+}
diff --git a/services/monitoring/prometheus.mod.nix b/services/monitoring/prometheus.mod.nix
new file mode 100644
index 0000000..f862814
--- /dev/null
+++ b/services/monitoring/prometheus.mod.nix
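Review bot: The `database` block in `services/monitoring/grafana.mod.nix` connects to PostgreSQL on another host (`10.24.1.9:5432`) without setting `ssl_mode`, and Grafana's default for that setting is `disable`, so the password read from `grafana_db_pass` and all dashboard data would cross the network unencrypted. If the database server offers TLS, add `ssl_mode = "require";` (or `"verify-full"` with a CA configured). Separately, `http_addr = "0.0.0.0"` listens on every interface although the Caddyfile in this commit proxies to `10.24.1.4:6700`; binding to that internal address would keep the plain-HTTP listener off other interfaces, assuming 10.24.1.4 is this host. Grafana also applies `admin_user` and `admin_password` only when it first initialises its database, so rotating those sops secrets later will not change the login; a short comment next to them saying so would help.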
@@ -0,0 +1,34 @@
+{
+ universal.modules = [
+ {
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = ["systemd"];
+ port = 6703;
+ };
+ varnish.enable = true;
+ };
+ }
+ ];
+ glucose.modules = [
+ {
+ services.prometheus = {
+ enable = true;
+ port = 6750;
+ enableReload = true;
+
+ scrapeConfigs = [
+ {
+ job_name = "devices";
+ static_configs = [
+ {
+ targets = ["10.24.1.4:6703" "10.24.1.9:6703" "10.24.1.16:6703" "10.24.1.225:6703" "10.24.1.196:6703"];
+ }
+ ];
+ }
+ ];
+ };
+ }
+ ];
+}
diff --git a/sops.mod.nix b/sops.mod.nix
index 107fcc5..e46ab03 100644
--- a/sops.mod.nix
+++ b/sops.mod.nix
@@ -54,6 +54,16 @@
 '';
 }
 )
+ ({config, ...}: {
+ sops.secrets.grafana_admin_pass = {};
+ sops.secrets.grafana_admin_account = {};
+ sops.secrets.grafana_db_pass = {};
+ sops.secrets.grafana_secret_key = {};
+ sops.secrets.grafana_admin_account.owner = "grafana";
+ sops.secrets.grafana_admin_pass.owner = "grafana";
+ sops.secrets.grafana_db_pass.owner = "grafana";
+ sops.secrets.grafana_secret_key.owner = "grafana";
+ })
 (
 {config, ...}: {
 sops.secrets.murmur_login_password = {};
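Review bot: No authentication is configured for Prometheus in `services/monitoring/prometheus.mod.nix`, and `services.prometheus` sets no `listenAddress`, so with the NixOS default it listens on all interfaces on port 6750, which this commit also opens in the firewall. Grafana is attached to the same `glucose.modules` list, so unless something else queries Prometheus, `listenAddress = "127.0.0.1";` would be enough and the 6750 firewall entries could go. Also, `varnish.enable = true;` sits in `universal.modules`, so the Varnish exporter is enabled on every host; if only some hosts run Varnish, move it to those hosts' modules.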
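Review bot: In `sops.mod.nix`, the four `sops.secrets.grafana_* = {};` lines are redundant with the `.owner` assignments that follow, and `config` is bound but unused. One attribute set per secret, e.g. `sops.secrets.grafana_db_pass = { owner = "grafana"; restartUnits = ["grafana.service"]; };`, states ownership once and restarts Grafana when a secret changes. The module list this entry is added to starts outside the hunk; if it is applied to hosts that do not run Grafana, the `grafana` owner will presumably not exist there, so confirm the entry is scoped to the Grafana host.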