diff --git a/pp-node-exporter.nix b/pp-node-exporter.nix
new file mode 100644
index 0000000..11be08e
--- /dev/null
+++ b/pp-node-exporter.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.ppNodeExporter;
+ prometheusCaFile = pkgs.writeTextFile {
+ name = "prometheus_ca.pem";
+ text = cfg.prometheusCa;
+ };
+ yaml = pkgs.formats.yaml { };
+ nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" {
+ tls_server_config = {
+ client_ca_file = prometheusCaFile;
+ cert_file = cfg.prometheusNodeExporterCertFile;
+ key_file = cfg.prometheusNodeExporterCertKeyFile;
+ client_auth_type = "RequireAndVerifyClientCert";
+ client_allowed_sans = lib.mkIf (cfg.prometheusNodeExporterAllowScrapperSans != null) cfg.prometheusNodeExporterAllowScrapperSans;
+ };
+ };
+in {
+ options.services.ppNodeExporter = {
+ prometheusCa = lib.mkOption {
+ type = lib.types.str;
+ example = ''
+ -----BEGIN CERTIFICATE-----
+ MIIBaTCCAQ6gAwIBAgIUccDw/Xe2RC4p9gwdQMkcbPlS740wCgYIKoZIzj0EAwIw
+ EjEQMA4GA1UEAwwHZXhhbXBsZTAeFw0yNTAyMjMxMTQzMTlaFw0zNTAyMjExMTQz
+ MTlaMBIxEDAOBgNVBAMMB2V4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+ AARk2SGMdAzOR+I+xAJDXO2nm8N4oa8V/kqstJrvd3gGTVsk8b0/EA+6ZrFISL0t
+ MroC27QCybMwRol9oalSVnoCo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
+ /wQEAwIBhjAdBgNVHQ4EFgQUy13fD60aREMworuMEulXdkvTKOwwCgYIKoZIzj0E
+ AwIDSQAwRgIhALcoP/hicosVELvPfnomcEsWXTkkIVGbu1NeS5I2L72YAiEAi3AG
+ 7/hpeMxkaE0d2D8pr6exVlZR7kDa9FgDpfu/+a0=
+ -----END CERTIFICATE-----
+ '';
+ description = "The CA that issues the prometheus scrapper certificate";
+ };
+ prometheusNodeExporterCertFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/etc/prometheus-node-exporter/node-exporter.pem";
+ description = "The file of the certificate use by prometheus node exporter.";
+ };
+ prometheusNodeExporterCertKeyFile = lib.mkOption {
+ type = lib.types.path;
+ default = "/etc/prometheus-node-exporter/node-exporter.key";
+ description = "The file of the key for the certificate used by prometheus node exporter.";
+ };
+ prometheusNodeExporterAllowScrapperSans = lib.mkOption {
+ type = lib.types.nullOr (lib.types.listOf lib.types.str);
+ default = null;
+ example = [ "prometheus.example.com" ];
+ description = "The list of Subject Alternative Names allowed to scrape node exporter. If not set, do not check Subject Names.";
+ };
+ };
+ config = {
+ system.activationScripts = {
+ prometheusNodeExporterFilePermission.text =
+ ''
+ chmod 640 ${cfg.prometheusNodeExporterCertFile}
+ chmod 640 ${cfg.prometheusNodeExporterCertKeyFile}
+ chown root:${config.services.prometheus.exporters.node.group} ${cfg.prometheusNodeExporterCertFile}
+ chown root:${config.services.prometheus.exporters.node.group} ${cfg.prometheusNodeExporterCertKeyFile}
+ '';
+ };
+
+ services.prometheus = {
+ exporters = {
+ node = {
+ enable = true;
+ port = 9100; # default
+ enabledCollectors = [ "systemd" ]; # logind ?
+ extraFlags = [
+ "--web.config.file=${nodeWebConfig}"
+ ];
+ };
+ };
+ };
+ };
+}
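Review bot: The `client_allowed_sans = lib.mkIf (...) ...` line inside `nodeWebConfig` hands a `mkIf` value directly to `yaml.generate` rather than to the module system, so it is never resolved and, as far as I can tell, gets serialised as a mapping with `_type`/`condition`/`content` keys instead of either a list of SANs or nothing when the option is null; node exporter would then reject the web config, or at best the SAN allowlist would not take effect. Replace that line and the following `};` with `} // lib.optionalAttrs (cfg.prometheusNodeExporterAllowScrapperSans != null) { client_allowed_sans = cfg.prometheusNodeExporterAllowScrapperSans; };` so the key is emitted only when set. Separately, `prometheusNodeExporterCertKeyFile` is typed `lib.types.path`, which accepts a Nix path literal and would copy the private key into the world-readable Nix store; `lib.types.str` with a description stating that the value must be an absolute path outside the store is the safer contract for a key. Note also that the module has no `enable` option, so merely importing it enables node exporter and runs the `chmod`/`chown` activation steps unconditionally, which fail activation if the certificate files are not yet present.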