diff --git a/kube-prometheus/.gitattributes b/kube-prometheus/.gitattributes
new file mode 100644
index 0000000..0016a56
--- /dev/null
+++ b/kube-prometheus/.gitattributes
@@ -0,0 +1 @@
+secret.*.yaml filter=age diff=age merge=age -text
diff --git a/kube-prometheus/config/values.prometheus.yaml b/kube-prometheus/config/values.prometheus.yaml
new file mode 100644
index 0000000..e1cf9ac
--- /dev/null
+++ b/kube-prometheus/config/values.prometheus.yaml
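Review bot: The `filter=age` attribute in kube-prometheus/.gitattributes only protects `secret.*.yaml` on clones where the `age` filter driver is actually configured; where it is not, git by default treats the missing filter as a no-op and would commit the file in plaintext. Nothing in this commit defines or documents the driver, so I would add a setup comment above the rule, e.g. `# requires filter.age.clean/smudge in local git config; set filter.age.required=true so a missing driver fails instead of passing plaintext through`. A CI or pre-commit check that every tracked `secret.*.yaml` begins with the `age-encryption.org/v1` header would catch the case where someone commits without the filter.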
@@ -0,0 +1,128 @@
+commonLabels:
+ prometheus: default
+
+admin:
+ existingSecret: grafana-admin-credentials
+ userKey: user
+ passwordKey: password
+
+defaultRules:
+ rules:
+ etcd: false
+
+prometheus:
+ prometheusSpec:
+ retention: 7d
+ serviceMonitorNamespaceSelector:
+ matchLabels:
+ prometheus: default
+ serviceMonitorSelector:
+ matchLabels:
+ prometheus: default
+ ruleSelector:
+ matchLabels:
+ prometheus: default
+ ruleNamespaceSelector:
+ matchLabels:
+ prometheus: default
+ podMonitorSelector:
+ matchLabels:
+ prometheus: default
+ podMonitorNamespaceSelector:
+ matchLabels:
+ prometheus: default
+ resources:
+ requests:
+ memory: 3Gi
+ cpu: 500m
+ limits:
+ memory: 4Gi
+ cpu: 800m
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ storageClassName: hcloud-volumes
+ resources:
+ requests:
+ storage: 15Gi
+
+alertmanager:
+ enabled: false
+
+kubeEtcd:
+ enabled: false
+
+kubeControllerManager:
+ enabled: true
+ endpoints: ['172.23.2.10']
+ service:
+ enabled: true
+ port: 10257
+ targetPort: 10257
+ serviceMonitor:
+ enabled: true
+ https: true
+
+kubeScheduler:
+ enabled: false
+ endpoints: ['172.23.2.10']
+ service:
+ enabled: true
+ port: 10259
+ targetPort: 10259
+ serviceMonitor:
+ enabled: true
+ https: true
+
+kubeProxy:
+ enabled: false
+ endpoints: ['172.23.2.10']
+ service:
+ enabled: true
+ port: 10249
+ targetPort: 10249
+
+grafana:
+ ingress:
+ enabled: false
+ envFromSecrets:
+ - name: grafana-auth
+ - name: grafana-db
+ grafana.ini:
+ server:
+ domain: grafana.icb4dc0.de
+ root_url: "https://%(domain)s"
+ database:
+ type: postgres
+ host: default-cluster-primary.postgres.svc:5432
+ name: grafana
+ user: "${GF_DB_USER}"
+ password: "${GF_DB_PASSWORD}"
+ ssl_mode: require
+ auth:
+ disable_login_form: true
+ auth.generic_oauth:
+ name: Forgejo
+ icon: signin
+ enabled: "true"
+ client_id: "${GF_OAUTH_CLIENT_ID}"
+ client_secret: "${GF_OAUTH_CLIENT_SECRET}"
+ empty_scopes: true
+ auth_url: https://code.icb4dc0.de/login/oauth/authorize
+
token_url: https://code.icb4dc0.de/login/oauth/access_token + api_url: https://code.icb4dc0.de/login/oauth/userinfo + persistence: + enabled: false + storageClassName: hcloud-volumes + +prometheus-node-exporter: + prometheus: + monitor: + additionalLabels: + prometheus: default + +kube-state-metrics: + prometheus: + monitor: + additionalLabels: + prometheus: default \ No newline at end of file diff --git a/kube-prometheus/kustomization.yaml b/kube-prometheus/kustomization.yaml new file mode 100644 index 0000000..510980f --- /dev/null +++ b/kube-prometheus/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: observability-system + +resources: + - resources/secret.grafana-admin.yaml + - resources/secret.auth.yaml + - resources/secret.db.yaml + +helmCharts: + - name: kube-prometheus-stack + repo: https://prometheus-community.github.io/helm-charts + includeCRDs: true + namespace: observability-system + releaseName: prometheus + version: "58.4.0" + valuesFile: config/values.prometheus.yaml \ No newline at end of file diff --git a/kube-prometheus/resources/secret.auth.yaml b/kube-prometheus/resources/secret.auth.yaml new file mode 100644 index 0000000..1dc6c50 Binary files /dev/null and b/kube-prometheus/resources/secret.auth.yaml differ diff --git a/kube-prometheus/resources/secret.db.yaml b/kube-prometheus/resources/secret.db.yaml new file mode 100644 index 0000000..0fba219 --- /dev/null +++ b/kube-prometheus/resources/secret.db.yaml @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 rn+hSd2Wfsx4K1247+sw7zQ4xEyqos0TZlaChsb6Lw0 +7Z4MYesYB/tCeXfxX9TEM7RboK1WLuw0DblrZ0OyTOQ +-> X25519 7emTMGrRAFGJABeK+SRKIt8otQjpRclQjkKl713izDQ +2sydwj4FJugdisAD5YMdEHyOgbqYZamWA2mltUMnQ7E +--- kSZgDff/Yk27eTxSW0dFXwZbgPUEEorPFp6MLltW3LY +xbrhO< kS5*W/[)sC }ڷFiS!4H0AԆ}pqy8quXX#%tzٷ/B\qp0HxYʵڝ++=.B| +[*RDu$PV!-Xn w_ +SO \ No newline at end of file 
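Review bot: The `admin:` block near the top of kube-prometheus/config/values.prometheus.yaml sits at the root of the values file, but Grafana is a subchart here and, as far as I can tell from the chart layout, reads its admin secret reference from `grafana.admin`; Helm silently ignores an unknown root-level key. If that is right, `grafana-admin-credentials` is never consumed and Grafana starts with the chart's built-in default admin password, which stays usable over HTTP basic auth even with `disable_login_form: true`. Move the three keys under `grafana:` as `admin:` with `existingSecret: grafana-admin-credentials`, `userKey: user`, `passwordKey: password`. If only the Forgejo OAuth login is intended, also consider an `auth.basic` section with `enabled: false` in `grafana.ini`.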
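Review bot: The top-level `namespace: observability-system` in kube-prometheus/kustomization.yaml is applied by kustomize to every rendered resource, not only to the three secrets. That probably includes objects the chart deliberately places in `kube-system` for control-plane scraping, such as the `kubeControllerManager` Service and Endpoints enabled in the values file. If so, the ServiceMonitor would keep selecting `kube-system` while its target has moved, and the controller-manager target would drop out without any error, leaving a quiet monitoring gap. Since `helmCharts[].namespace` already sets the release namespace, consider dropping the top-level `namespace:` and setting `metadata.namespace` in the secret manifests instead. Then confirm with `kustomize build --enable-helm` that the control-plane Services keep their namespace.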
diff --git a/kube-prometheus/resources/secret.grafana-admin.yaml b/kube-prometheus/resources/secret.grafana-admin.yaml new file mode 100644 index 0000000..728cd7f --- /dev/null +++ b/kube-prometheus/resources/secret.grafana-admin.yaml @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 TB5CkVKWXtgIjRx2SogIoW8tlrujheK7Awz1p4uQEgw +Kshy+UCwlvJy5MCHWaQKMDYtVkCg4IcbD4IrDCufogo +-> X25519 Vw++EMzh3zlyw4CuUHMxIeqWYll8zSelk8JSeMZulww +a8pkLwi07VXY78pa5P5xtJ6b+CK6rGRl4Uk9scpOktw +--- 9lY1JXzQk9DlqfWGi12HVDvdGEp7KVyoSeY4k5AZBtE +u>:SxsPT@EMS^ufmֵZ%C. R 3j~cq[T}gg .~7Igk0kNpfADH~E +=zXcc| +f BJW +L{D)~ +/D՛X̢MA \ No newline at end of file