diff --git a/roles/blackbox_exporter/files/blackbox.yml b/roles/blackbox_exporter/files/blackbox.yml
new file mode 100644
index 0000000..9152489
--- /dev/null
+++ b/roles/blackbox_exporter/files/blackbox.yml
@@ -0,0 +1,17 @@
+---
+modules:
+ http:
+ prober: http
+ http:
+ valid_status_codes:
+ - 200
+ - 401
+ - 403
+ ssh:
+ prober: tcp
+ tcp:
+ query_response:
+ - expect: "^SSH-2.0-"
+ - send: "SSH-2.0-blackbox-ssh-check"
+ tcp:
+ prober: tcp
diff --git a/roles/blackbox_exporter/handlers/main.yml b/roles/blackbox_exporter/handlers/main.yml
new file mode 100644
index 0000000..34e0f2d
--- /dev/null
+++ b/roles/blackbox_exporter/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart blackbox_exporter
+ ansible.builtin.service:
+ name: blackbox_exporter
+ state: restarted
diff --git a/roles/blackbox_exporter/tasks/main.yml b/roles/blackbox_exporter/tasks/main.yml
new file mode 100644
index 0000000..b3e2410
--- /dev/null
+++ b/roles/blackbox_exporter/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Install packages
+ ansible.builtin.package:
+ name: blackbox_exporter
+ state: installed
+
+- name: Add user to hostkey group
+ ansible.builtin.user:
+ name: _blackboxexporter
+ groups: hostkey
+ append: true
+ notify: Restart blackbox_exporter
+
+- name: Create main config
+ ansible.builtin.copy:
+ dest: /etc/blackbox_exporter/blackbox.yml
+ src: blackbox.yml
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart blackbox_exporter
+
+- name: Create web-config
+ ansible.builtin.template:
+ dest: /etc/blackbox_exporter/web-config.yml
+ src: web-config.yml.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart blackbox_exporter
+
+- name: Enable service
+ ansible.builtin.service:
+ name: blackbox_exporter
+ state: started
+ arguments: >
+ --config.file=/etc/blackbox_exporter/blackbox.yml
+ --web.config.file=/etc/blackbox_exporter/web-config.yml
+ enabled: true
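Review bot: In `roles/blackbox_exporter/files/blackbox.yml` the `http` module lists 401 and 403 under `valid_status_codes` with no explanation, so a target that starts refusing requests is reported as up exactly like one returning 200. If this is meant for endpoints that sit behind authentication, a comment above the list would record that, e.g. `# 401/403 count as up: probed endpoints require auth and we only check reachability`. Where a probe needs to confirm the service actually answers, a separate module that accepts only 200 would keep the two cases apart.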
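Review bot: The "Add user to hostkey group" task in `roles/blackbox_exporter/tasks/main.yml` gives `_blackboxexporter` every file the `hostkey` group can read, and nothing in the task says why. Judging by the web-config template it is presumably there so the exporter can read the host's TLS key under `tls_private`, but the group's scope is not visible in this diff; if it covers more than that one key, a key copy owned by the exporter account would be the narrower grant. At minimum a comment such as `# needs read access to the host TLS key referenced in web-config.yml` would help. Separately, the "Create main config" task could add `validate: blackbox_exporter --config.check --config.file=%s` (assuming the binary is on PATH under that name) so a broken file is rejected before the restart handler fires.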
diff --git a/roles/blackbox_exporter/templates/web-config.yml.j2 b/roles/blackbox_exporter/templates/web-config.yml.j2
new file mode 100644
index 0000000..03e5466
--- /dev/null
+++ b/roles/blackbox_exporter/templates/web-config.yml.j2
@@ -0,0 +1,11 @@
+---
+tls_server_config:
+ key_file: {{ tls_private }}/{{ inventory_hostname }}.key
+ cert_file: {{ tls_certs }}/{{ inventory_hostname }}.crt
+ client_ca_file: {{ tls_certs }}/ca.crt
+ client_auth_type: RequireAndVerifyClientCert
+ client_allowed_sans:
+{% for host in groups['prometheus'] %}
+ - {{ host }}
+{% endfor %}
+ min_version: TLS13
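Review bot: `client_allowed_sans` in `web-config.yml.j2` renders as an empty key when `groups['prometheus']` has no members, and as far as I know the exporter-toolkit only applies the SAN check when that list is non-empty, so the restriction would silently fall back to "any certificate signed by `ca.crt`". An `ansible.builtin.assert` ahead of the template task with `that: groups['prometheus'] | default([]) | length > 0` would make the play fail instead. The entries also have to match a SAN in each client certificate exactly, so inventory names that are short aliases rather than the names in the certificates would lock Prometheus out. Quoting the rendered values (`- "{{ host }}"`, and the three file paths) guards against names that YAML would read as something other than a string.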