diff --git a/playbooks/local_dns.yml b/playbooks/local_dns.yml
index 5d6b93b..40252e3 100755
--- a/playbooks/local_dns.yml
+++ b/playbooks/local_dns.yml
@@ -94,6 +94,8 @@
 # Public
 - record: git.desu.ltd
 value: vm-general-1.ashburn.mgmt.desu.ltd
+ - record: grafana.desu.ltd
+ value: vm-general-1.ashburn.mgmt.desu.ltd
 - record: matrix.desu.ltd
 value: vm-general-1.ashburn.mgmt.desu.ltd
 - record: movie.desu.ltd
diff --git a/playbooks/prod_web.yml b/playbooks/prod_web.yml
index 4d2ad31..43ad6fa 100755
--- a/playbooks/prod_web.yml
+++ b/playbooks/prod_web.yml
@@ -16,20 +16,25 @@
 - name: include tasks for applications
 include_tasks: tasks/{{ item }}
 with_items:
+ # Applications
 - app/gitlab-runner.yml
 - app/redis.yml
+ # Frontend web services
 - web/9iron.yml
 - web/desultd.yml
 - web/element-web.yml
 - web/gitea.yml
+ - web/grafana.yml
 - web/netbox.yml
 - web/nextcloud.yml
+ - web/synapse.yml
+ # Backend web services
 - web/prowlarr.yml
 - web/radarr.yml
 - web/sonarr.yml
 - web/srv.yml
- - web/synapse.yml
 - web/transmission.yml
+ # Games
 - game/factorio.yml
 - game/minecraft-createfarming.yml
 - game/minecraft-direwolf20.yml
@@ -65,6 +70,12 @@
 tags: [ nagios, no-auto ]
 - role: ingress
 vars:
+ ingress_head: |
+ # Used by Grafana, required for its API or some shit
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
 ingress_servers:
 # desu.ltd
 - name: desu.ltd
@@ -80,6 +91,16 @@
 return 200 '{"m.homeserver":{"base_url":"https://matrix.desu.ltd"}}';
 - name: git.desu.ltd
 proxy_pass: http://gitea:3000
+ - name: grafana.desu.ltd
+ proxy_pass: http://grafana:3000
+ locations:
+ - location: "/api/live/"
+ contents: |
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_pass http://grafana:3000;
 - name: matrix.desu.ltd
 proxies:
 - location: "~* ^(\/_matrix|\/_synapse|\/client|\/health)"
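Review bot: The comment on the `map` block inside `ingress_head` does not say what the map is for, although the `/api/live/` location added further down in this file depends on it. I would replace it with `# WebSocket upgrade for Grafana Live (/api/live/): Connection is "upgrade" when the client sends an Upgrade header, otherwise "close"`. Since `ingress_head` is one playbook-level string, it is also worth stating there that any vhost referencing `$connection_upgrade` needs this block present, because nginx refuses to load a config that uses an undefined variable.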
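Review bot: The `/api/live/` location forwards only `Upgrade`, `Connection` and `Host`, so unless the ingress template adds forwarding headers to custom locations (that template is not visible in this hunk) Grafana will record the proxy's address as the client for live connections. If the template does not add them, put `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in `contents` so access logs for this public vhost stay attributable. The block also repeats `http://grafana:3000` from the `proxy_pass:` key just above it; a one-line comment that the two must stay in sync would prevent drift.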
diff --git a/playbooks/tasks/web/grafana.yml b/playbooks/tasks/web/grafana.yml
new file mode 100644
index 0000000..860d7a8
--- /dev/null
+++ b/playbooks/tasks/web/grafana.yml
@@ -0,0 +1,30 @@
+# vim:ft=ansible:
+- name: ensure grafana dirs
+ ansible.builtin.file:
+ state: directory
+ owner: 472
+ group: 472
+ mode: "0750"
+ path: "{{ item }}"
+ with_items:
+ - /data/grafana/storage
+ - /data/grafana/logs
+ tags: [ docker, grafana, monitoring ]
+- name: docker deploy grafana
+ docker_container:
+ name: grafana
+ image: grafana/grafana-oss:main
+ env:
+ TZ: "America/Chicago"
+ # This enables logging to STDOUT for log aggregators to more easily hook it
+ GF_LOG_MODE: "console file"
+ GF_SERVER_DOMAIN: "grafana.desu.ltd"
+ GF_SERVER_PROTOCOL: "http"
+ GF_SERVER_ROOT_URL: "https://grafana.desu.ltd"
+ networks:
+ - name: web
+ aliases: [ "grafana" ]
+ volumes:
+ - /data/grafana/storage:/var/lib/grafana
+ - /data/grafana/logs:/var/log/grafana
+ tags: [ docker, grafana, monitoring ]
diff --git a/roles/ingress/templates/vhosts.conf.j2 b/roles/ingress/templates/vhosts.conf.j2
index 9160a58..a3504d9 100644
--- a/roles/ingress/templates/vhosts.conf.j2
+++ b/roles/ingress/templates/vhosts.conf.j2
@@ -1,3 +1,7 @@
+{% if ingress_head is defined %}
+{{ ingress_head }}
+{% endif %}
+
 {% for server in ingress_servers %}
 server {
 {% if loop.index == 1 %}
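Review bot: `image: grafana/grafana-oss:main` follows a moving tag, so every pull can deploy an image nobody here has reviewed, on a service this commit publishes at grafana.desu.ltd. Pin a release tag or digest instead, e.g. `image: grafana/grafana-oss:<release-tag>@sha256:<digest>` (placeholders). The `env` block also sets no admin credential, so the first start falls back to Grafana's built-in default admin login; set `GF_SECURITY_ADMIN_PASSWORD: "{{ <vaulted_variable> }}"` (placeholder name) and, since the root URL is https, `GF_SECURITY_COOKIE_SECURE: "true"`. For consistency with `ansible.builtin.file` in the first task, `docker_container` could be written with its fully qualified collection name.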
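Review bot: `{{ ingress_head }}` is emitted verbatim at the top of the rendered vhosts file, with nothing in the template saying which nginx context it lands in or what it is expected to contain. Add a template comment above the `{% if %}`, such as `{# ingress_head: raw nginx directives written before all server blocks (presumably http context), e.g. map definitions #}`. If the role has a defaults file, declaring `ingress_head: ""` there and testing `{% if ingress_head %}` would make the variable discoverable to other users of the role. The template continues past the end of this hunk.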