diff --git a/flake.lock b/flake.lock
index 5547141..da9fadd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -44,4 +44,4 @@
 },
 "root": "root",
 "version": 7
-}
+}
\ No newline at end of file
diff --git a/sp-modules/monitoring/config-paths-needed.json b/sp-modules/monitoring/config-paths-needed.json
new file mode 100644
index 0000000..91fb203
--- /dev/null
+++ b/sp-modules/monitoring/config-paths-needed.json
@@ -0,0 +1,3 @@
+[
+ [ "selfprivacy", "modules", "monitoring" ]
+]
diff --git a/sp-modules/monitoring/flake.nix b/sp-modules/monitoring/flake.nix
new file mode 100644
index 0000000..b6b3f77
--- /dev/null
+++ b/sp-modules/monitoring/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "PoC SP module for Prometheus-based monitoring";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/monitoring/module.nix b/sp-modules/monitoring/module.nix
new file mode 100644
index 0000000..90bf806
--- /dev/null
+++ b/sp-modules/monitoring/module.nix
@@ -0,0 +1,33 @@
+{config, lib, ...}: let
+ cfg = config.selfprivacy.modules.monitoring;
+in {
+ options.selfprivacy.modules.monitoring = {
+ enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ listenAddress = "127.0.0.1";
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ listenAddress = "127.0.0.1";
+ };
+ };
+ scrapeConfigs = [
+ {
+ job_name = "node-exporter";
+ static_configs = [{
+ targets = [ "127.0.0.1:9002" ];
+ }];
+ }
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/sp-modules/roundcube/config-paths-needed.json b/sp-modules/roundcube/config-paths-needed.json
new file mode 100644
index 0000000..a650a1e
--- /dev/null
+++ b/sp-modules/roundcube/config-paths-needed.json
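Review bot: In sp-modules/monitoring/module.nix the scrape target under `static_configs` repeats the node exporter's address and port as the literal `"127.0.0.1:9002"` instead of deriving them from the exporter's own options, so changing `port` or `listenAddress` on the exporter would silently break scraping. Derive it instead: `targets = [ "${config.services.prometheus.exporters.node.listenAddress}:${toString config.services.prometheus.exporters.node.port}" ];`. Both Prometheus and the exporter are bound to loopback, which is the right default for a metrics endpoint; that intent deserves a comment such as `# loopback only: the exporter and Prometheus are not meant to be reachable from the network`. The `enable` option has no `description`; `enable = lib.mkEnableOption "Prometheus-based monitoring";` keeps the same default and documents it, and the file is missing its trailing newline.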
@@ -0,0 +1,5 @@
+[
+ ["selfprivacy", "domain"],
+ ["selfprivacy", "modules", "roundcube"],
+ ["mailserver", "fqdn"]
+]
diff --git a/sp-modules/roundcube/flake.nix b/sp-modules/roundcube/flake.nix
new file mode 100644
index 0000000..d335522
--- /dev/null
+++ b/sp-modules/roundcube/flake.nix
@@ -0,0 +1,9 @@
+{
+ description = "Roundcube is a web-based email client.";
+
+ outputs = { self }: {
+ nixosModules.default = import ./module.nix;
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/roundcube/module.nix b/sp-modules/roundcube/module.nix
new file mode 100644
index 0000000..1fd157d
--- /dev/null
+++ b/sp-modules/roundcube/module.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+let
+ domain = config.selfprivacy.domain;
+ cfg = config.selfprivacy.modules.roundcube;
+in
+{
+ options.selfprivacy.modules.roundcube = {
+ enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ };
+ subdomain = lib.mkOption {
+ default = "roundcube";
+ type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ services.roundcube = {
+ enable = true;
+ # this is the url of the vhost, not necessarily the same as the fqdn of
+ # the mailserver
+ hostName = "${cfg.subdomain}.${config.selfprivacy.domain}";
+ extraConfig = ''
+ # starttls needed for authentication, so the fqdn required to match
+ # the certificate
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
+ services.nginx.virtualHosts."${cfg.subdomain}.${domain}" = {
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ };
+}
+
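Review bot: In sp-modules/roundcube/module.nix the nginx vhost sets `useACMEHost = domain` but never sets `enableACME`; as far as I recall the nixpkgs roundcube module defaults `enableACME` to true for the vhost named by `hostName`, and the nginx module asserts that `enableACME` and `useACMEHost` are mutually exclusive, so evaluation would likely fail unless `enableACME = false;` is added next to `useACMEHost`. `hostName` builds the name from `config.selfprivacy.domain` while the nginx entry uses the `domain` binding; use `domain` in both so the two names cannot drift apart. In the `subdomain` regex, `\-` inside a Nix double-quoted string is just `-`, so the pattern works but reads like an escape that is not one; `[A-Za-z0-9-]` says the same thing plainly, and note the pattern rejects single-character labels, which may or may not be intended. The `enable` and `subdomain` options have no `description`, and the `extraConfig` comment could state that `%u`/`%p` are Roundcube placeholders for the logged-in user's credentials, which is why the SMTP connection is forced to `tls://`.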