diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix
index 32806c59..b463f761 100644
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ../cli.nix
 ./bolty-boot.nix
+ ./grafana.nix
 ./home-assistant.nix
 ./influxdb.nix
 ./matrix-server.nix
diff --git a/nixos/boxes/bolty/grafana.nix b/nixos/boxes/bolty/grafana.nix
new file mode 100644
index 00000000..dcf812e9
--- /dev/null
+++ b/nixos/boxes/bolty/grafana.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+ fqdn = "bolty.raptor-carp.ts.net";
+ port = 30001;
+ path = "/data/grafana";
+ certPath = "${path}/cert.pem";
+ keyPath = "${path}/key.pem";
+in {
+ networking.firewall.allowedTCPPorts = [ port ];
+
+ systemd.services.grafana-prep = {
+ script = ''
+ mkdir -p ${path}
+ cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
+ cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
+ chown -Rv grafana:grafana ${path}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ ReloadPropagatedFrom = "tailscale-cert.service";
+ };
+ before = [ "grafana.service" ];
+ wantedBy = [ "multi-user.target" ];
+ after = [
+ "network.target"
+ "network-online.target"
+ "tailscaled.service"
+ "tailscale-cert.service"
+ ];
+ wants = [ "tailscale-cert.service" ];
+ };
+
+ services.grafana = {
+ enable = true;
+ dataDir = path;
+ settings.server = {
+ protocol = "https";
+ domain = fqdn;
+ http_port = port;
+ http_addr = fqdn;
+ cert_file = certPath;
+ cert_key = keyPath;
+ };
+ };
+}
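Review bot: In grafana-prep's script the TLS private key is copied with `cp -rv` and the tree is `chown -Rv`'d, but its mode is never set, so `key.pem` keeps whatever mode the copy inherited from `/var/lib/tailscale-certs/key.pem` and the umask, and a permissive source mode would leave the key readable by every local user of `/data/grafana`. Replacing the two copies with `install -m 0644 -o grafana -g grafana /var/lib/tailscale-certs/cert.pem ${certPath}` and `install -m 0600 -o grafana -g grafana /var/lib/tailscale-certs/key.pem ${keyPath}` pins ownership and mode in one step. `ReloadPropagatedFrom` is a [Unit] directive, so placed under `serviceConfig` it lands in [Service] where systemd ignores it with a warning; it belongs in `unitConfig.ReloadPropagatedFrom = "tailscale-cert.service";`, and even then a plain `oneshot` unit without `RemainAfterExit`/`ExecReload` has nothing to reload, so the copied certificate presumably is not refreshed when tailscale-cert renews it — worth confirming. `networking.firewall.allowedTCPPorts = [ port ]` opens the port on every interface although the server is only addressed by its ts.net name; `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ port ];` would keep exposure to the tailnet.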