diff --git a/hosts/cube/grafana.nix b/hosts/cube/grafana.nix
new file mode 100644
index 0000000..ec4f26a
--- /dev/null
+++ b/hosts/cube/grafana.nix
@@ -0,0 +1,32 @@
+{ config, ulib, ... }: with ulib;
+
+let
+  inherit (config.networking) domain;
+
+  fqdn = "metrics.${domain}";
+in serverSystemConfiguration {
+  age.secrets."cube.mail.password" = {
+    owner = "grafana";
+    group = "grafana";
+  };
+
+  services.grafana = enabled {
+    domain = fqdn;
+    port   = 8999;
+
+    settings.security = {
+      admin_email    = "metrics@${domain}";
+      admin_password = "$__file{${config.age.secrets."cube.mail.password".path}}";
+    };
+  };
+
+  services.nginx.virtualHosts.${fqdn} = {
+    forceSSL    = true;
+    useACMEHost = domain;
+
+    locations."/" = {
+      proxyPass       = "http://0.0.0.0:${toString config.services.grafana.port}";
+      proxyWebsockets = true;
+    };
+  };
+}
diff --git a/hosts/cube/mail.nix b/hosts/cube/mail.nix
index ae61ff9..73271a5 100644
--- a/hosts/cube/mail.nix
+++ b/hosts/cube/mail.nix
@@ -32,8 +32,8 @@ in serverSystemConfiguration {
     job_name = "mail";
 
     static_configs = [{
-      labels  = [ "mail" ];
-      targets = [
+      labels.job = "mail";
+      targets    = [
         "[::]:${toString config.services.prometheus.exporters.dmarc.port}"
         "[::]:${toString config.services.prometheus.exporters.dovecot.port}"
         "[::]:${toString config.services.prometheus.exporters.postfix.port}"
diff --git a/hosts/cube/nginx.nix b/hosts/cube/nginx.nix
index 8f0af6f..5f6fca6 100644
--- a/hosts/cube/nginx.nix
+++ b/hosts/cube/nginx.nix
@@ -1,4 +1,4 @@
-{ lib, ulib, pkgs, ... }: with ulib;
+{ config, lib, ulib, pkgs, ... }: with ulib;
 
 serverSystemConfiguration {
   networking.firewall.allowedTCPPorts = [ 80 443 ];
@@ -17,8 +17,8 @@ serverSystemConfiguration {
     job_name = "nginx";
 
     static_configs = [{
-      labels = [ "nginx" ];
-      targets = [
+      labels.job = "nginx";
+      targets    = [
         "[::]:${toString config.services.prometheus.exporters.nginxlog.port}"
         "[::]:${toString config.services.prometheus.exporters.nginx.port}"
       ];
diff --git a/hosts/cube/prometheus.nix b/hosts/cube/prometheus.nix
index 22f750a..37fd0fe 100644
--- a/hosts/cube/prometheus.nix
+++ b/hosts/cube/prometheus.nix
@@ -1,4 +1,4 @@
-{ ulib, ... }: with ulib;
+{ config, ulib, ... }: with ulib;
 
 serverSystemConfiguration {
   services.prometheus = enabled {
@@ -13,8 +13,8 @@ serverSystemConfiguration {
       job_name = "node";
 
       static_configs = [{
-        labels  = [ "node" ];
-        targets = [ "[::]:${toString config.services.prometheus.exporters.node.port}" ];
+        labels.job = "node";
+        targets    = [ "[::]:${toString config.services.prometheus.exporters.node.port}" ];
       }];
     }];
   };