diff --git a/files/pf.wg0.conf b/files/pf.wg0.conf
index ad8e828..5188250 100644
--- a/files/pf.wg0.conf
+++ b/files/pf.wg0.conf
@@ -3,3 +3,6 @@ pass in proto udp from any to self port 51820
 
 # allow ospf on wg0
 pass on wg0 proto ospf
+
+# allow prometheus on wg0
+pass on wg0 proto tcp from any to self port 9100
diff --git a/playbook_provision_eap-adp-jump01.yml b/playbook_provision_eap-adp-jump01.yml
index b3e6e6a..8323a7a 100644
--- a/playbook_provision_eap-adp-jump01.yml
+++ b/playbook_provision_eap-adp-jump01.yml
@@ -17,6 +17,7 @@
       notify:
         - reload firewall
 
+    # TODO: only activates after reboot :(
     - name: activate routing
       blockinfile:
         content: |
@@ -26,6 +27,16 @@
         mode: 0600
         create: yes
 
+    - name: install node_exporter
+      package:
+        name: node_exporter
+
+    - name: enable node_exporter
+      service:
+        name: node_exporter
+        state: started
+        enabled: yes
+
   handlers:
     - name: reload firewall
       command: pfctl -vf /etc/pf.conf