diff --git a/roles/node_exporter/defaults/main.yml b/roles/node_exporter/defaults/main.yml
new file mode 100644
index 0000000..b5364e3
--- /dev/null
+++ b/roles/node_exporter/defaults/main.yml
@@ -0,0 +1,2 @@
+# node_exporter_password:
+# node_exporter_textfile_directory:
diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml
new file mode 100644
index 0000000..bd54ff5
--- /dev/null
+++ b/roles/node_exporter/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart Node Exporter
+ ansible.builtin.systemd_service:
+ name: prometheus-node-exporter
+ state: restarted
+ become: true
diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml
new file mode 100644
index 0000000..2278dc4
--- /dev/null
+++ b/roles/node_exporter/tasks/main.yml
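Review bot: This handlers file defines only `Restart Node Exporter`, yet the firewalld service-file task in roles/node_exporter/tasks/main.yml from the same commit ends with `notify: Reload firewalld`; unless that handler is provided by another role or by the play, the template task fails at runtime with Ansible's "requested handler was not found" error, and the custom service definition would never be loaded before `ansible.posix.firewalld` references it. Add the handler here next to the restart one, e.g. `- name: Reload firewalld`, `  ansible.builtin.systemd_service: {name: firewalld, state: reloaded}`, `  become: true`. The tasks file already flushes handlers before enabling the service, so the reload lands in the right place once the handler exists.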
@@ -0,0 +1,83 @@
+---
+- name: Node Exporter | PATCH | Install node-exporter
+ become: true
+ ansible.builtin.dnf:
+ name: node-exporter
+ state: present
+
+- name: Node Exporter | PATCH | Generate private TLS key
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/node-exporter.key
+ size: 4096
+ owner: prometheus
+ group: root
+ mode: '0440'
+ become: true
+
+- name: Node Exporter | PATCH | Create certificate signing request
+ community.crypto.openssl_csr:
+ path: /etc/ssl/node-exporter.csr
+ privatekey_path: /etc/ssl/node-exporter.key
+ common_name: "{{ inventory_hostname }}"
+ subject_alt_name: "DNS:{{ inventory_hostname }}"
+ owner: root
+ group: root
+ mode: '0400'
+ become: true
+
+- name: Generate self-signed certificate
+ community.crypto.x509_certificate:
+ provider: selfsigned
+ path: /etc/ssl/node-exporter.crt
+ privatekey_path: /etc/ssl/node-exporter.key
+ csr_path: /etc/ssl/node-exporter.csr
+ owner: prometheus
+ group: root
+ mode: '0440'
+ become: true
+
+- name: Node Exporter | PATCH | Install node-exporter web configuration
+ become: true
+ ansible.builtin.template:
+ src: etc/node-exporter-web.yml
+ dest: /etc/node-exporter-web.yml
+ owner: root
+ group: root
+ mode: "0444"
+
+- name: Node Exporter | PATCH | Set command line arguments
+ become: true
+ ansible.builtin.lineinfile:
+ path: /etc/default/prometheus-node-exporter
+ regexp: "^ARGS"
+ line: "ARGS='--web.config.file=\"/etc/node-exporter-web.yml\"{% if node_exporter_textfile_directory is defined %} --collector.textfile.directory {{ node_exporter_textfile_directory }}{% endif %}'"
+ notify: Restart Node Exporter
+
+- name: Node Exporter | PATCH | Ensure node-exporter is enabled and running
+ become: true
+ ansible.builtin.systemd_service:
+ name: prometheus-node-exporter
+ masked: false
+ enabled: true
+ state: started
+
+- name: Node Exporter | PATCH | Create firewalld service file for node-exporter
+ become: true
+ ansible.builtin.template:
+ src: 
etc/firewalld/services/node-exporter.xml
+ dest: /etc/firewalld/services/node-exporter.xml
+ owner: root
+ group: root
+ mode: '0400'
+ notify: Reload firewalld
+
+- name: Node Exporter | Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- name: Node Exporter | PATCH | Enable node-exporter service in firewalld permanently
+ become: true
+ ansible.posix.firewalld:
+ service: node-exporter
+ permanent: true
+ state: enabled
+ immediate: true
diff --git a/roles/node_exporter/templates/etc/firewalld/services/node-exporter.xml b/roles/node_exporter/templates/etc/firewalld/services/node-exporter.xml
new file mode 100644
index 0000000..26852ff
--- /dev/null
+++ b/roles/node_exporter/templates/etc/firewalld/services/node-exporter.xml
@@ -0,0 +1,6 @@
+
+
+ Node Exporter
+ Exposes metrics for Prometheus scraping
+
+
diff --git a/roles/node_exporter/templates/etc/node-exporter-web.yml b/roles/node_exporter/templates/etc/node-exporter-web.yml
new file mode 100644
index 0000000..786c1ce
--- /dev/null
+++ b/roles/node_exporter/templates/etc/node-exporter-web.yml
@@ -0,0 +1,17 @@
+---
+tls_server_config:
+ cert_file: /etc/ssl/node-exporter.crt
+ key_file: /etc/ssl/node-exporter.key
+
+ min_version: "TLS13"
+ max_version: "TLS13"
+
+http_server_config:
+ headers:
+ X-Frame-Options: deny
+ X-Content-Type-Options: nosniff
+
+{% if node_exporter_password is defined %}
+basic_auth_users:
+ metrics: "{{ node_exporter_password | password_hash(hashtype='bcrypt') }}"
+{% endif %}
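Review bot: The final `ansible.posix.firewalld` task opens the node-exporter service in the default zone with no source restriction, while basic auth is only rendered when `node_exporter_password` is defined (it is commented out in defaults), so the out-of-the-box result is a TLS endpoint that every host reaching that zone can scrape without credentials, and node_exporter's output is a fairly complete inventory of the machine. Either pin the opening to the scraper, e.g. replace `service: node-exporter` with `rich_rule: "rule family=ipv4 source address={{ node_exporter_scrape_source }} service name=node-exporter accept"`, or fail early when no credential is set with `ansible.builtin.assert: { that: node_exporter_password is defined }` before the web-config template task. Separately, `--collector.textfile.directory {{ node_exporter_textfile_directory }}` is interpolated unquoted into ARGS, so a path containing whitespace is split into extra arguments by systemd's `$ARGS` expansion; quoting it the same way as the web config path (`\"{{ node_exporter_textfile_directory }}\"`) avoids that. The CSR uses `inventory_hostname` as CN and sole SAN, which only verifies when Prometheus addresses the host by exactly that name — worth a comment on that task, since inventories that use aliases or IPs will produce a certificate the scraper cannot validate.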
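Review bot: `password_hash(hashtype='bcrypt')` on the `metrics:` line is called without a `salt`, so Ansible draws a fresh random salt on every run and the rendered hash changes each play; the template task then reports changed on every run, which hides real drift and means the plaintext password must live in a variable on the controller. Prefer storing the hash rather than the secret: compute it once, keep it vault-encrypted as `node_exporter_password_hash`, and render `metrics: "{{ node_exporter_password_hash }}"` — or, at minimum, pass a stable `salt=` so the output is deterministic. The tasks file installs this template with `owner: root`, `group: root`, `mode: "0444"`, making the bcrypt hash readable by every local account; since the exporter reads the key and cert as `prometheus` (those tasks use `owner: prometheus`, `mode: '0440'`), the same owner/mode pairing works for this file and removes the world-read bit.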