diff --git a/roles/mysqld_exporter/defaults/main.yml b/roles/mysqld_exporter/defaults/main.yml
new file mode 100644
index 0000000..77a7507
--- /dev/null
+++ b/roles/mysqld_exporter/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+mysqld_exporter_pkg: "mysqld_exporter-{{ mysqld_exporter_version }}.linux-amd64"
diff --git a/roles/mysqld_exporter/files/mysqld_exporter.service b/roles/mysqld_exporter/files/mysqld_exporter.service
new file mode 100644
index 0000000..c623707
--- /dev/null
+++ b/roles/mysqld_exporter/files/mysqld_exporter.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Prometheus MySQL Exporter
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=mysqld_exporter
+Group=mysqld_exporter
+ExecStart=/usr/local/bin/mysqld_exporter --config.my-cnf=/etc/mysqld_exporter/my.cnf --web.config.file=/etc/mysqld_exporter/web-config.yml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/mysqld_exporter/handlers/main.yml b/roles/mysqld_exporter/handlers/main.yml
new file mode 100644
index 0000000..855013c
--- /dev/null
+++ b/roles/mysqld_exporter/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart mysqld_exporter
+ ansible.builtin.systemd:
+ name: mysqld_exporter
+ daemon_reload: true
+ state: restarted
diff --git a/roles/mysqld_exporter/meta/main.yml b/roles/mysqld_exporter/meta/main.yml
new file mode 100644
index 0000000..9978a00
--- /dev/null
+++ b/roles/mysqld_exporter/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - {role: pki}
diff --git a/roles/mysqld_exporter/tasks/main.yml b/roles/mysqld_exporter/tasks/main.yml
new file mode 100644
index 0000000..e69ce1c
--- /dev/null
+++ b/roles/mysqld_exporter/tasks/main.yml
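Review bot: The `[Service]` section of mysqld_exporter.service sets no sandboxing directives, although from the `ExecStart` line the process appears to need only read access to its config directory and TLS material plus a listening socket. Adding `NoNewPrivileges=true`, `ProtectSystem=strict` and `PrivateTmp=true` after `Group=mysqld_exporter` would limit what a compromised exporter can reach; confirm the service still starts with them on the target hosts. `After=syslog.target` is obsolete on current systemd and can be dropped.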
@@ -0,0 +1,83 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: mysqld_exporter
+ system: true
+
+- name: Create user
+ ansible.builtin.user:
+ name: mysqld_exporter
+ comment: Prometheus MySQL Exporter
+ group: mysqld_exporter
+ groups: hostkey
+ create_home: false
+ home: /var/empty
+ shell: /sbin/nologin
+ system: true
+
+- name: Download package
+ ansible.builtin.get_url:
+ url: "https://github.com/prometheus/mysqld_exporter/releases/download/v{{ mysqld_exporter_version }}/{{ mysqld_exporter_pkg }}.tar.gz"
+ dest: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz"
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Extract package
+ ansible.builtin.unarchive:
+ src: "/usr/local/src/{{ mysqld_exporter_pkg }}.tar.gz"
+ dest: /usr/local/src
+ owner: root
+ group: "{{ ansible_wheel }}"
+ creates: "/usr/local/src/{{ mysqld_exporter_pkg }}"
+ remote_src: true
+
+- name: Copy binary
+ ansible.builtin.copy:
+ dest: /usr/local/bin/mysqld_exporter
+ src: "/usr/local/src/{{ mysqld_exporter_pkg }}/mysqld_exporter"
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ remote_src: true
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /etc/mysqld_exporter
+ state: directory
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: Create web-config
+ ansible.builtin.template:
+ dest: /etc/mysqld_exporter/web-config.yml
+ src: web-config.yml.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart mysqld_exporter
+
+- name: Create credentials config
+ ansible.builtin.template:
+ dest: /etc/mysqld_exporter/my.cnf
+ src: my.cnf.j2
+ mode: "0640"
+ owner: root
+ group: mysqld_exporter
+ notify: Restart mysqld_exporter
+
+- name: Create service file
+ ansible.builtin.copy:
+ dest: /etc/systemd/system/mysqld_exporter.service
+ src: mysqld_exporter.service
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart mysqld_exporter
+
+- name: Enable service
+ ansible.builtin.service:
+ name: mysqld_exporter
+ state: started
+ enabled: true
diff --git a/roles/mysqld_exporter/templates/my.cnf.j2 b/roles/mysqld_exporter/templates/my.cnf.j2
new file mode 100644
index 0000000..2627e84
--- /dev/null
+++ b/roles/mysqld_exporter/templates/my.cnf.j2
@@ -0,0 +1,6 @@
+[client]
+user = mysqld_exporter
+password = {{ mysqld_exporter_pass }}
+ssl-cert = {{ tls_certs }}/{{ inventory_hostname }}.crt
+ssl-key = {{ tls_private }}/{{ inventory_hostname }}.key
+ssl-ca = {{ tls_certs }}/ca.crt
diff --git a/roles/mysqld_exporter/templates/web-config.yml.j2 b/roles/mysqld_exporter/templates/web-config.yml.j2
new file mode 100644
index 0000000..626169b
--- /dev/null
+++ b/roles/mysqld_exporter/templates/web-config.yml.j2
@@ -0,0 +1,11 @@
+tls_server_config:
+ key_file: {{ tls_private }}/{{ inventory_hostname }}.key
+ cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
+ client_ca_file: {{ tls_certs }}/ca.crt
+ client_auth_type: RequireAndVerifyClientCert
+ client_allowed_sans:
+ - prometheus01.home.foo.sh
+ - prometheus02.home.foo.sh
+ - prometheus03.home.foo.sh
+ - prometheus04.home.foo.sh
+ min_version: TLS13
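Review bot: The "Download package" task in roles/mysqld_exporter/tasks/main.yml fetches the release tarball with no integrity check, and the extracted binary is then installed to /usr/local/bin and run as a service. `get_url` accepts a `checksum` parameter; pinning it per version, e.g. `checksum: "sha256:{{ mysqld_exporter_checksum }}"` with a new variable set alongside `mysqld_exporter_version`, makes a swapped or corrupted artifact fail the play. Separately, "Create credentials config" renders the database password, so `no_log: true` on that task would keep it out of diff and verbose output. "Copy binary" also has no `notify: Restart mysqld_exporter`, so a version bump replaces the file without restarting the running process.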
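Review bot: `password = {{ mysqld_exporter_pass }}` in my.cnf.j2 is rendered unquoted, so a password containing `#`, `;` or surrounding whitespace may be truncated or misread by the option-file parser. Quoting the value, `password = "{{ mysqld_exporter_pass }}"`, is the usual safeguard. Confirm that the exporter's parser accepts the quoted form, and how it treats a `"` inside the password, before relying on it.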
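Review bot: The four Prometheus hostnames under `client_allowed_sans` are hard-coded in web-config.yml.j2, so changing which scrapers may connect means editing the template rather than inventory. Moving the list to a role default (for example a new `mysqld_exporter_client_sans` variable) and rendering it with a `{% for %}` loop keeps the allow-list reviewable in one place. The rendered `key_file`, `cert_file` and `client_ca_file` paths are also unquoted; wrapping them in double quotes, e.g. `key_file: "{{ tls_private }}/{{ inventory_hostname }}.key"`, protects against values that YAML would retype or misparse.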