diff --git a/playbooks/local_dns.yml b/playbooks/local_dns.yml
index 40252e3..5a8dbd7 100755
--- a/playbooks/local_dns.yml
+++ b/playbooks/local_dns.yml
@@ -106,6 +106,8 @@
 value: vm-general-1.ashburn.mgmt.desu.ltd
 - record: netbox.desu.ltd
 value: vm-general-1.ashburn.mgmt.desu.ltd
+ - record: prometheus.desu.ltd
+ value: vm-general-1.ashburn.mgmt.desu.ltd
 # Public media stuff
 - record: prowlarr.media.desu.ltd
 value: vm-general-1.ashburn.mgmt.desu.ltd
diff --git a/playbooks/prod_web.yml b/playbooks/prod_web.yml
index 43ad6fa..6c758f5 100755
--- a/playbooks/prod_web.yml
+++ b/playbooks/prod_web.yml
@@ -27,6 +27,7 @@
 - web/grafana.yml
 - web/netbox.yml
 - web/nextcloud.yml
+ - web/prometheus.yml
 - web/synapse.yml
 # Backend web services
 - web/prowlarr.yml
@@ -125,6 +126,14 @@
 try_files $uri $uri/ =404;
 - name: netbox.desu.ltd
 proxy_pass: http://netbox:8080
+ - name: prometheus.desu.ltd
+ directives:
+ - "allow {{ common_home_address }}/{{ common_home_address_mask }}"
+ - "allow 10.0.0.0/8"
+ - "allow 172.16.0.0/12"
+ - "allow 192.168.0.0/16"
+ - "deny all"
+ proxy_pass: http://prometheus:9090
 # desu.ltd media bullshit
 - name: prowlarr.media.desu.ltd
 directives:
diff --git a/playbooks/tasks/web/prometheus.yml b/playbooks/tasks/web/prometheus.yml
new file mode 100644
index 0000000..bd08cd7
--- /dev/null
+++ b/playbooks/tasks/web/prometheus.yml
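Review bot: The allow list on the new `prometheus.desu.ltd` vhost admits every RFC1918 address, and `172.16.0.0/12` and `192.168.0.0/16` also cover the ranges Docker normally assigns to bridge networks, so any container or internal host whose traffic reaches this nginx can query Prometheus, which has no authentication of its own by default. If only the management network and the home address are meant to reach it, replace the three private ranges with that subnet, e.g. `- "allow <MGMT_SUBNET_CIDR>"`, and add a comment above the list naming the networks it is meant to admit. The ACL only covers the proxied path: containers attached to the `web` network can still reach `prometheus:9090` directly. If nginx is ever placed behind another proxy, `allow`/`deny` will match that proxy's address rather than the client's. The vhost list this entry belongs to starts and ends outside the hunk.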
@@ -0,0 +1,30 @@
+# vim:ft=ansible:
+- name: ensure prometheus dirs
+ ansible.builtin.file:
+ state: directory
+ owner: 5476
+ group: 5476
+ mode: "0750"
+ path: "{{ item }}"
+ with_items:
+ - /data/prometheus/config
+ - /data/prometheus/data
+ tags: [ docker, prometheus, monitoring ]
+- name: docker deploy prometheus
+ # NOTE: If you're rebuilding this, you *need* to sync the data over as this
+ # container will try to explode if you run it with empty volumes. Copy over
+ # prometheus.yml into the config volume first or steal it from an empty fresh
+ # container instance
+ docker_container:
+ name: prometheus
+ image: prom/prometheus:latest
+ user: 5476:5476
+ env:
+ TZ: "America/Chicago"
+ networks:
+ - name: web
+ aliases: [ "prometheus" ]
+ volumes:
+ - /data/prometheus/config:/etc/prometheus
+ - /data/prometheus/data:/prometheus
+ tags: [ docker, prometheus, monitoring ]
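Review bot: `image: prom/prometheus:latest` is a mutable tag, so what actually runs depends on when the image was last pulled and a rebuild cannot be reproduced or audited; pin a release tag and digest instead, e.g. `image: prom/prometheus:<VERSION>@sha256:<DIGEST>`. The config volume can be mounted read-only, `- /data/prometheus/config:/etc/prometheus:ro`, since Prometheus is only expected to read its configuration from there. As a style point, `docker_container` is the short module name while the task above it uses the FQCN `ansible.builtin.file`; `community.docker.docker_container` would match, and quoting `user: "5476:5476"` keeps the value a string under any YAML loader.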