diff --git a/ansible/group_vars/all/oas.yml b/ansible/group_vars/all/oas.yml
index ce3978d88e120a37d421a1045e1f0365b9997bc0..bc73c8ac4e04361e9ce0c328910ad7039aa1fa46 100644
--- a/ansible/group_vars/all/oas.yml
+++ b/ansible/group_vars/all/oas.yml
@@ -31,6 +31,9 @@ wordpress_mariadb_root_password: "{{ lookup('password', '{{ cluster_dir }}/secre
 # Grafana credentials
 grafana_admin_password: "{{ lookup('password', '{{ cluster_dir }}/secrets/grafana_admin_password chars=ascii_letters') }}"
 
+# Prometheus credentials
+prometheus_basic_auth: "{{ lookup('password', '{{ cluster_dir }}/secrets/prometheus_basic_auth chars=ascii_letters') }}"
+
 # Single sign-on passwords
 userpanel_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/userpanel_oauth_client_secret chars=ascii_letters') }}"
 nextcloud_oauth_client_secret: "{{ lookup('password', '{{ cluster_dir }}/secrets/nextcloud_oauth_client_secret chars=ascii_letters') }}"
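Review bot: The added variable `prometheus_basic_auth` and its comment `# Prometheus credentials` read as a complete credential, but the value is only a password. The user name `admin` is hard-coded in the task that builds the htpasswd entry in `ansible/roles/apps/tasks/prometheus.yml`. A comment such as `# Password for the 'admin' user of the Prometheus ingress (HTTP basic auth)` would make that link visible to whoever rotates it. The `password` lookup stores the plaintext under `{{ cluster_dir }}/secrets/`, so the comment could also say that this file is the source of truth for the login.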
diff --git a/ansible/roles/apps/tasks/prometheus.yml b/ansible/roles/apps/tasks/prometheus.yml
index b5daf515dd413017414298a772fa021e1b8574b9..a43a3cbebf5cba72e612e33830473f0b72bfac48 100644
--- a/ansible/roles/apps/tasks/prometheus.yml
+++ b/ansible/roles/apps/tasks/prometheus.yml
@@ -1,5 +1,23 @@
 ---
+- name: Generate htpasswd hash
+  shell: openssl passwd -apr1 "{{ prometheus_basic_auth }}"
+  register: prometheus_passwd
 
+- name: Create auth secret for basic auth
+  tags:
+    - prometheus
+    - config
+    - secret
+  k8s:
+    state: present
+    definition:
+      api_version: v1
+      kind: Secret
+      metadata:
+        namespace: "oas"
+        name: "prometheus-basic-auth"
+      data:
+        auth: "{{ ('admin:' + prometheus_passwd.stdout )  | b64encode }}"
 - name: Create Kubernetes secret with prometheus settings
   tags:
     - config
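Review bot: The `Generate htpasswd hash` task passes the plaintext password as an `openssl` command-line argument and sets no `no_log`, so the secret is visible in the host's process list and in the registered task result (`cmd`) whenever Ansible prints or logs it. The task also has no tags, while the Secret task that reads `prometheus_passwd.stdout` is tagged, so a run limited with `--tags prometheus` would probably skip the hash step and fail on an undefined variable. Feeding the password on stdin, copying the tags and adding `no_log: true` covers both points; `no_log: true` is also worth adding to the Secret task, whose definition contains the hash. Because `openssl passwd` picks a fresh salt on every call, the Secret is still rewritten on each run; `changed_when: false` only silences the hash step itself.

```yaml
- name: Generate htpasswd hash
  tags:
    - prometheus
    - config
    - secret
  command: openssl passwd -apr1 -stdin
  args:
    stdin: "{{ prometheus_basic_auth }}"
  register: prometheus_passwd
  no_log: true
  changed_when: false
# … unchanged: "Create auth secret for basic auth" task …
```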
diff --git a/ansible/roles/apps/templates/settings/prometheus.yaml b/ansible/roles/apps/templates/settings/prometheus.yaml
index 8661895d357f493791bf360d9e792f09e43dbca9..4cad618302a52fb41d4efb1c15beddd5e5a96dc5 100644
--- a/ansible/roles/apps/templates/settings/prometheus.yaml
+++ b/ansible/roles/apps/templates/settings/prometheus.yaml
@@ -8,7 +8,19 @@ server:
   persistentVolume:
     existingClaim: "prometheus-server"
   retention: "10d"
-
+  ingress:
+    enabled: true
+    annotations:
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: prometheus-basic-auth
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+      kubernetes.io/tls-acme: "true"
+    hosts:
+      - "prometheus.{{ domain }}"
+    tls:
+      - secretName: prometheus-tls
+        hosts:
+          - "prometheus.{{ domain }}"
 
 serverFiles:
   alerting_rules.yml:
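Review bot: The `nginx.ingress.kubernetes.io/auth-secret: prometheus-basic-auth` annotation names the Secret without a namespace, so it is resolved in the namespace of the ingress itself. The Secret is created in namespace `oas` by the Ansible task, and the release namespace is not visible in this hunk, so confirm that the two match. If they differ, ingress-nginx will not find the Secret and, as far as I know, answers 503 for the host rather than serving it unauthenticated. A comment above the annotations would document the dependency, for example `# basic-auth Secret is created by roles/apps/tasks/prometheus.yml in namespace "oas"; it must be the ingress namespace`. This ingress exposes the Prometheus server on a public host name behind a single shared `admin` login, which also deserves a mention in the deployment documentation.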