diff --git a/secrets/passwords.yaml b/secrets/passwords.yaml
index bcd90ab..c03559c 100644
--- a/secrets/passwords.yaml
+++ b/secrets/passwords.yaml
@@ -12,6 +12,8 @@ vms:
     __default__:
         users:
             noc: ENC[AES256_GCM,data:4XsNofA6Qk8MphMBDSUrAq43RF/d1x7lDg==,iv:ecS8GEZhK5X9GOq2SNDIh7ZWyfHA7kayszqCHyQj+Pc=,tag:fVC2+ztLpewhB9p6EwMtCg==,type:str]
+    grafana:
+        admin_password: ENC[AES256_GCM,data:xwjYXJkK+2PZ8uu8vnX4Gy5CRWXJuBfG+NBX+qIVruo=,iv:WWMjUmDZzjjvTjT5A1nEdpxgpWGWCc3D8k/kjrNxYtc=,tag:nbI+aCwN+n/iACjwvk0ljw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -36,8 +38,8 @@ sops:
             YW1BSERaOURtVGpMSnRiTkJyaDR3OTQK3pXGQU1SoUKdmLKUe88e8/BjqPjmdhke
             bP7DHbpvk4xG2Z3fnacihDCwiBASn2Wu350hl1WoM5pzMiqmS84X9Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-21T18:34:34Z"
-    mac: ENC[AES256_GCM,data:yeMXclT2ZdxHy2CqWQkXVay4EHHq2o8dXF2yXa7q1FKyteRzf0Gve/IQVxH3VXYsGQf3lSdL5EAe3BXmNesWnA5QfTELt2hzgd5nQ6+NTzLDXmi/AW3L4BhzpOoK7UIJ+mG42N4mkYlBe1dUyDBikxevWB3AAzGl7mAF/2io4TQ=,iv:d4g5dWUhFBauR8+4aPGU1hYkhyGsmdGBjgwBMs0HbtA=,tag:oOYKKCwOw/gjqeB/SCdkuQ==,type:str]
+    lastmodified: "2025-03-04T21:26:03Z"
+    mac: ENC[AES256_GCM,data:QS1Aq8aUqfOmBwOAbZDlG3Y5CLKWk9u5YQkqzp1i8RvbeXMOOgPj+73kshI8m5QOtMiOGNlnkR0gMD3XIuK/57yte1ir0oWtlrT88yyPLLqwDA16XjPQ61iCHoZQUg8au/+bzYe1uswiKme80FYTIFQfxqtByxFg66244wLiAPE=,iv:e86pdwGXrEMiFj0Rzrz//UKBTCyN63EA1KGJS1x+YQo=,tag:zuIVf2kMQEZReGL72dOj5A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
diff --git a/systems/default.nix b/systems/default.nix
index bac10f0..41dd469 100644
--- a/systems/default.nix
+++ b/systems/default.nix
@@ -47,6 +47,7 @@ in
   # staging temp infra
   "sketchy-router.noc.eh22.intern" = mkSystem "x86_64-linux" "sketchy-router.noc.eh22.intern";
 
+  "grafana.noc.eh22.intern" = mkSystem "x86_64-linux" "grafana.noc.eh22.intern";
   # misc hosts
   "test.eh22.intern" = mkSystem "x86_64-linux" "test.eh22.intern";
   "installer" = mkSystem "x86_64-linux" "installer";
diff --git a/systems/grafana.noc.eh22.intern.nix b/systems/grafana.noc.eh22.intern.nix
new file mode 100644
index 0000000..f1ee937
--- /dev/null
+++ b/systems/grafana.noc.eh22.intern.nix
@@ -0,0 +1,48 @@
+{
+  pkgs,
+  ...
+}:
+{
+  imports = [];
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-mgmtNet" = {
+        matchConfig.MACAddress = "BC:24:11:FC:C2:26";
+        address = [ "10.20.25.4/24" ];
+        gateway = [ "10.20.25.2" ];
+      };
+    };
+  };
+
+  services.grafana = {
+    enable = true;
+    security.admin_password = "$__file{${sops.secrets.vms.grafana.admin_password.path}}";
+    settings.server = {
+      domain = "grafana.noc.eh22.intern";
+      root_url = "http://grafana.noc.eh22.intern/";
+    };
+  };
+
+  services.nginx.virtualHosts.${config.services.grafana.domain} = {
+    locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+        proxyWebsockets = true;
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ../secrets/passwords.yaml;
+    "vms"."grafana"."admin_password" = {
+      mode = "0440";
+      owner = "grafana";
+      group = "grafana";
+      restartUnits = [ "grafana.service" ];
+    };
+  };
+  # DO NOT CHANGE
+  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
+  home-manager.users.noc.home.stateVersion = "24.11";
+  system.stateVersion = "24.11"; 
+}
\ No newline at end of file
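Review bot: The module body reads `config` and `sops` although only `pkgs` is bound in the argument set, and the secret is declared as `sops."vms"."grafana"."admin_password"` instead of under `sops.secrets`, so the admin password wiring most likely fails to evaluate as written. The option paths `services.grafana.security.admin_password`, `config.services.grafana.domain` and `config.services.grafana.port` look like the pre-`settings` names; on a 24.11 system I would expect them under `services.grafana.settings.security` and `services.grafana.settings.server`, which should be confirmed against the pinned nixpkgs. `root_url` is `http://` and the vhost has no TLS, so the admin password crosses the management network in clear text at every login; nginx is also not enabled in this file, so check that a shared module enables it and opens the port. Grafana applies `admin_password` only when its database is first initialised, so `restartUnits` will not rotate the password on an existing instance, and that deserves a comment next to the secret. Since the owner is already `grafana`, `mode = "0400"` is enough.

```nix
{
  config,
  pkgs,
  ...
}:
{
  # … unchanged: imports, systemd.network …

  services.grafana = {
    enable = true;
    settings.security.admin_password = "$__file{${config.sops.secrets."vms/grafana/admin_password".path}}";
    # … unchanged: settings.server …
  };

  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
      proxyWebsockets = true;
    };
  };

  sops = {
    defaultSopsFile = ../secrets/passwords.yaml;
    # Only read by Grafana on first database initialisation; a restart does not rotate it.
    secrets."vms/grafana/admin_password" = {
      mode = "0400";
      owner = "grafana";
      restartUnits = [ "grafana.service" ];
    };
  };
  # … unchanged: stateVersion settings …
}
```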