diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix
index 232b5e1..5ad7694 100644
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@@ -148,13 +148,13 @@
 ./modules/ingress
 ./modules/garage
 ./modules/podman
+ ./modules/registry
 # apps
 ./apps/widetom
 ./apps/hugo-chat
 ./apps/uptime
 ./apps/cargo-bisect-rustc-service
- ./apps/registry
 ];
 deployment.tags = [ "ingress" "eu" "apps" "wg" ];
diff --git a/newinfra/nix/modules/dns/noratrieb.dev.nix b/newinfra/nix/modules/dns/noratrieb.dev.nix
index 93497f7..0cf899e 100644
--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@@ -61,6 +61,7 @@ let
 ];
 # --- infra
+ grafana = vps3;
 infra.subdomains = hostsToDns;
 };
 };
diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix
index 38e02eb..0748ffc 100644
--- a/newinfra/nix/modules/ingress/default.nix
+++ b/newinfra/nix/modules/ingress/default.nix
@@ -71,8 +71,8 @@ in
 }
 ${
- if name == "vps1" then
- builtins.readFile ./Caddyfile else ""
+ if name == "vps1" || name == "vps3" then
+ builtins.readFile ./${name}.Caddyfile else ""
 }
 ''
 );
diff --git a/newinfra/nix/modules/ingress/Caddyfile b/newinfra/nix/modules/ingress/vps1.Caddyfile
similarity index 100%
rename from newinfra/nix/modules/ingress/Caddyfile
rename to newinfra/nix/modules/ingress/vps1.Caddyfile
diff --git a/newinfra/nix/modules/ingress/vps3.Caddyfile b/newinfra/nix/modules/ingress/vps3.Caddyfile
new file mode 100644
index 0000000..bc9b1aa
--- /dev/null
+++ b/newinfra/nix/modules/ingress/vps3.Caddyfile
@@ -0,0 +1,4 @@
+grafana.noratrieb.dev {
+ encode zstd gzip
+ reverse_proxy * localhost:3000
+}
diff --git a/newinfra/nix/modules/prometheus/default.nix b/newinfra/nix/modules/prometheus/default.nix
index 0fecef1..e591593 100644
--- a/newinfra/nix/modules/prometheus/default.nix
+++ b/newinfra/nix/modules/prometheus/default.nix
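Review bot: The extended condition `name == "vps1" || name == "vps3"` in the ingress hunk hard-codes which hosts have a per-host Caddyfile, so the next host-specific file will be silently ignored (the `else ""` branch) until the list is edited again, and a misspelled file name for a listed host only surfaces as an evaluation error. Since the file name now derives from `name`, the filesystem can be the source of truth with the same result for vps1 and vps3: `if builtins.pathExists ./${name}.Caddyfile then builtins.readFile ./${name}.Caddyfile else ""`. The enclosing string and the function it is built in start and end outside the hunk.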
@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
 services.prometheus = {
 enable = true;
 globalConfig = { };
@@ -27,6 +27,46 @@
 { targets = [ "vps5.local:9010" ]; }
 ];
 }
+ {
+ job_name = "docker-registry";
+ static_configs = [
+ { targets = [ "vps1.local:9011" ]; }
+ ];
+ }
 ];
 };
+
+ age.secrets.grafana_admin_password.file = ../../secrets/grafana_admin_password.age;
+
+ systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_admin_password.path;
+ services.grafana = {
+ enable = true;
+ settings = {
+ security = {
+ admin_user = "admin";
+ };
+ server = {
+ root_url = "https://grafana.noratrieb.dev";
+ };
+ };
+
+ provision = {
+ enable = true;
+ datasources.settings = {
+ apiVersion = 1;
+ datasources = [
+ {
+ name = "Prometheus";
+ type = "prometheus";
+ access = "proxy";
+ url = "http://vps3.local:9090";
+ jsonData = {
+ httpMethod = "POST";
+ prometheusType = "Prometheus";
+ };
+ }
+ ];
+ };
+ };
+ };
 }
diff --git a/newinfra/nix/apps/registry/default.nix b/newinfra/nix/modules/registry/default.nix
similarity index 85%
rename from newinfra/nix/apps/registry/default.nix
rename to newinfra/nix/modules/registry/default.nix
index 4de51ae..c49ec87 100644
--- a/newinfra/nix/apps/registry/default.nix
+++ b/newinfra/nix/modules/registry/default.nix
@@ -10,6 +10,8 @@
 };
 };
+ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9011 ]; # metrics
+
 systemd.services.docker-registry.serviceConfig.EnvironmentFile = config.age.secrets.registry_s3_key_secret.path;
 services.dockerRegistry = {
 enable = true;
@@ -37,6 +39,13 @@
 http = {
 host = "https://docker.noratrieb.dev";
 draintimeout = "60s";
+ debug = {
+ addr = ":9011";
+ prometheus = {
+ enabled = true;
+ path = "/metrics";
+ };
+ };
 };
 auth.htpasswd = {
 # TODO: ugh :(
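Review bot: The `EnvironmentFile` line on `systemd.services.grafana` is the only path by which the admin password reaches Grafana, yet nothing in the hunk states which variable the encrypted file must define, and the `.age` blob cannot be read in review; `settings.security` sets `admin_user` but no password, so a file with the wrong key name yields a Grafana started with its built-in default credentials behind a public `root_url`. I would add above that line: `# File must define GF_SECURITY_ADMIN_PASSWORD=<password>; it is read by systemd as root, so the agenix default ownership (root, 0400) is sufficient.` The same comment should mention that the value is only applied on first start, since Grafana persists the admin account in its database afterwards — please confirm that matches the intended rotation procedure. The datasource `url = "http://vps3.local:9090"` is plain HTTP over the WireGuard mesh, which is fine as long as Prometheus is, like the registry metrics port, reachable only on `wg0`; the hunk does not show that firewall rule.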
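Review bot: `addr = ":9011";` in the second registry hunk binds the debug listener on every interface, and the registry's debug server serves its health and profiling handlers alongside `/metrics` (upstream documents it as potentially exposing sensitive information), so the only thing keeping it off the public interface is the `wg0` firewall rule added in the first hunk. Binding to the WireGuard address removes that dependency on firewall state: `addr = "<vps1 wg0 address>:9011";` with the placeholder replaced by the host's wg0 IP. If the wildcard bind is kept deliberately, the firewall line's comment should say what it guards: `# registry debug listener (metrics, health, profiling) — wg0 only`.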
diff --git a/newinfra/nix/secrets/caddy_s3_key_secret.age b/newinfra/nix/secrets/caddy_s3_key_secret.age
index b99b7b9..a9bf784 100644
Binary files a/newinfra/nix/secrets/caddy_s3_key_secret.age and b/newinfra/nix/secrets/caddy_s3_key_secret.age differ
diff --git a/newinfra/nix/secrets/docker_registry_password.age b/newinfra/nix/secrets/docker_registry_password.age
index 18f4fc9..9064b3d 100644
Binary files a/newinfra/nix/secrets/docker_registry_password.age and b/newinfra/nix/secrets/docker_registry_password.age differ
diff --git a/newinfra/nix/secrets/garage_secrets.age b/newinfra/nix/secrets/garage_secrets.age
index 4ea886d..6d72f56 100644
Binary files a/newinfra/nix/secrets/garage_secrets.age and b/newinfra/nix/secrets/garage_secrets.age differ
diff --git a/newinfra/nix/secrets/grafana_admin_password.age b/newinfra/nix/secrets/grafana_admin_password.age
new file mode 100644
index 0000000..9860b55
Binary files /dev/null and b/newinfra/nix/secrets/grafana_admin_password.age differ
diff --git a/newinfra/nix/secrets/hugochat_db_password.age b/newinfra/nix/secrets/hugochat_db_password.age
index 63e13b0..f9aa17e 100644
Binary files a/newinfra/nix/secrets/hugochat_db_password.age and b/newinfra/nix/secrets/hugochat_db_password.age differ
diff --git a/newinfra/nix/secrets/minio_env_file.age b/newinfra/nix/secrets/minio_env_file.age
index e3facf3..5328ccb 100644
Binary files a/newinfra/nix/secrets/minio_env_file.age and b/newinfra/nix/secrets/minio_env_file.age differ
diff --git a/newinfra/nix/secrets/registry_htpasswd.age b/newinfra/nix/secrets/registry_htpasswd.age
index 8414c47..ef92c62 100644
Binary files a/newinfra/nix/secrets/registry_htpasswd.age and b/newinfra/nix/secrets/registry_htpasswd.age differ
diff --git a/newinfra/nix/secrets/registry_s3_key_secret.age b/newinfra/nix/secrets/registry_s3_key_secret.age
index 64047eb..e967f62 100644
Binary files a/newinfra/nix/secrets/registry_s3_key_secret.age and b/newinfra/nix/secrets/registry_s3_key_secret.age differ
diff --git a/newinfra/nix/secrets/secrets.nix b/newinfra/nix/secrets/secrets.nix index 4cb10d2..f372d15 100644 --- a/newinfra/nix/secrets/secrets.nix +++ b/newinfra/nix/secrets/secrets.nix @@ -14,6 +14,7 @@ in "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ]; "registry_htpasswd.age".publicKeys = [ vps1 ]; "registry_s3_key_secret.age".publicKeys = [ vps1 ]; + "grafana_admin_password.age".publicKeys = [ vps3 ]; "wg_private_vps1.age".publicKeys = [ vps1 ]; "wg_private_vps3.age".publicKeys = [ vps3 ]; "wg_private_vps4.age".publicKeys = [ vps4 ]; diff --git a/newinfra/nix/secrets/wg_private_vps1.age b/newinfra/nix/secrets/wg_private_vps1.age index d4740ab..e2ea459 100644 --- a/newinfra/nix/secrets/wg_private_vps1.age +++ b/newinfra/nix/secrets/wg_private_vps1.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg O7IcxaeSOGfOmQJudTMomwnl/bsPhAUKCPeidwbThXs -e4Llj1rpB0QtY08AOQYSr9450fdLd7Io8MpXzCAma5c ---- DnobWf9zRcr2T9fV32wFhZDmHoXdrLGoEbiOMg+ixyE -ZeNKh, $! Ϲbz/:q^u1 qEF-F=7C%Іڥq \ No newline at end of file +-> ssh-ed25519 qM6TYg vqaZ8FrH2/iw1skzhxcDVtTGNrvgacXe6yZ6FLR5NxA +YsksjwIhIsGqSuHsgE2bxEChfhezUiab1KCR2JwGJog +--- tBUyV+jlTZVRhpzYloVwoKozRDOgOv6lLsLj9y8yxqI +%xTEcɐc1e#= )h&KU㆑G}Jo|4M*ԩ]xhpoe +) \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps3.age b/newinfra/nix/secrets/wg_private_vps3.age index 532de45..aabf1dd 100644 Binary files a/newinfra/nix/secrets/wg_private_vps3.age and b/newinfra/nix/secrets/wg_private_vps3.age differ diff --git a/newinfra/nix/secrets/wg_private_vps4.age b/newinfra/nix/secrets/wg_private_vps4.age index 10b0d3b..a4fb419 100644 --- a/newinfra/nix/secrets/wg_private_vps4.age +++ b/newinfra/nix/secrets/wg_private_vps4.age 
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 51bcvA CjxIs41xJfD5FLvhNePVx4Z+oxLNGs18rIqA1oePZUA -vbbgC5XDSpheko+opZcGdGOLRTkpy9oOKUDqJB5mHrA ---- zIA/cJR2IvTe9PrxvsqYUtx3CVDMadur9Zab5yklQHk -9_n5~\C'q]+~jw&O4N vUo$ʐbEͅGkmk\ \ No newline at end of file +-> ssh-ed25519 51bcvA cvlpm3reQDmA9Faca2wB1M8a4diEUTAYnZ7scmbt+i0 +DNQrAzPoVvbDR7UVCft8m/6kjHySIpT1l+xl22TW9bk +--- PELEXNV7Ottz1Jgc+5U0ew9t2YEKfUVSsiaYehvwqnc +WLe7M?V69)Y%y1J(u눿0)x@Y~h┈Y5Nd \ No newline at end of file diff --git a/newinfra/nix/secrets/wg_private_vps5.age b/newinfra/nix/secrets/wg_private_vps5.age index 5529669..39e89f5 100644 --- a/newinfra/nix/secrets/wg_private_vps5.age +++ b/newinfra/nix/secrets/wg_private_vps5.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 vT7ExA hiEMWjjGY/Elfd8oc9gB7p1bcV0G4u+NpvcChl06Kko -TANojl91jyH5dIjj0e7FlyvWfblRWd1psLerI3AxKe4 ---- EZL4OcGAkc70DMOiFaiZab64IX+Cv952bGXgF/5XZNc -{KNn0ojMrTOq3Map&;D qAStrY@ m4rOm \ No newline at end of file +-> ssh-ed25519 vT7ExA ZtMI/PoOE6fF7heY5Eq12bhzgn/ViE/PzeLRJlFOZxo +kdRK08mwj0vCjhvJzX4TmI4H0dnRbnDC7kK+U7BW4mM +--- QSYK8SFsCQK0hrCG2ZjAG3KIpXPQTJqolMLj6aWHkcs + ՚bCCxT>Ine3Fn.=V~(G8ӚGi(3Yd:eu \ No newline at end of file diff --git a/newinfra/nix/secrets/widetom_bot_token.age b/newinfra/nix/secrets/widetom_bot_token.age index 08e20fd..0fea19d 100644 Binary files a/newinfra/nix/secrets/widetom_bot_token.age and b/newinfra/nix/secrets/widetom_bot_token.age differ diff --git a/newinfra/nix/secrets/widetom_config_toml.age b/newinfra/nix/secrets/widetom_config_toml.age index 3180cab..2730076 100644 Binary files a/newinfra/nix/secrets/widetom_config_toml.age and b/newinfra/nix/secrets/widetom_config_toml.age differ diff --git a/newinfra/secrets-git-crypt/grafana_admin_password b/newinfra/secrets-git-crypt/grafana_admin_password new file mode 100644 index 0000000..e7d317b Binary files /dev/null and b/newinfra/secrets-git-crypt/grafana_admin_password differ