diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml
new file mode 100644
index 0000000..29d67a9
--- /dev/null
+++ b/roles/node_exporter/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart node_exporter
+  ansible.builtin.service:
+    name: prometheus-node-exporter
+    state: restarted
diff --git a/roles/node_exporter/meta/main.yml b/roles/node_exporter/meta/main.yml
new file mode 100644
index 0000000..ebfb16f
--- /dev/null
+++ b/roles/node_exporter/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - {role: epel_repo, when: ansible_os_family == "RedHat"}
diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml
new file mode 100644
index 0000000..d65eb8a
--- /dev/null
+++ b/roles/node_exporter/tasks/main.yml
@@ -0,0 +1,48 @@
+---
+- name: Install packages
+  ansible.builtin.package:
+    name: golang-github-prometheus-node-exporter
+    state: installed
+
+- name: Allow prometheus user to read private key
+  ansible.builtin.user:
+    name: prometheus
+    groups: hostkey
+    append: true
+  notify: Restart node_exporter
+
+- name: Create config directory
+  ansible.builtin.file:
+    path: /etc/node_exporter
+    state: directory
+    mode: "0755"
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Create web-config
+  ansible.builtin.template:
+    dest: /etc/node_exporter/web-config.yml
+    src: web-config.yml.j2
+    mode: "0644"
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: Restart node_exporter
+
+- name: Modify config
+  ansible.builtin.lineinfile:
+    path: /etc/default/prometheus-node-exporter
+    regexp: "^ARGS="
+    line: >-
+      ARGS="--collector.filesystem.ignored-mount-points
+      '^/(dev|proc|sys|run/(user|credentials/systemd-.+))($|/)'
+      --collector.netclass.ignored-devices '^(br-|docker|veth).+$'
+      --collector.netdev.device-exclude '^(br-|docker|veth).+$'
+      --web.config=/etc/node_exporter/web-config.yml
+      --collector.textfile.directory /var/lib/prometheus/node-exporter"
+  notify: Restart node_exporter
+
+- name: Enable node_exporter service
+  ansible.builtin.service:
+    name: prometheus-node-exporter
+    state: started
+    enabled: true
diff --git a/roles/node_exporter/templates/web-config.yml.j2 b/roles/node_exporter/templates/web-config.yml.j2
new file mode 100644
index 0000000..01c911f
--- /dev/null
+++ b/roles/node_exporter/templates/web-config.yml.j2
@@ -0,0 +1,6 @@
+---
+tls_server_config:
+  key_file: {{ tls_private }}/{{ inventory_hostname }}.key
+  cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
+  client_ca_file: {{ tls_certs }}/ca.crt
+  client_auth_type: RequireAndVerifyClientCert