diff --git a/services/gerrit/default.nix b/services/gerrit/default.nix
index 74722a0..5b4f8c5 100644
--- a/services/gerrit/default.nix
+++ b/services/gerrit/default.nix
@@ -221,5 +221,12 @@ in
       };
       environment.REVWALK_USE_PRIORITY_QUEUE = "true";
     };
+
+    age.secrets.gerrit-prometheus-bearer-token.file = ../../secrets/gerrit-prometheus-bearer-token.age;
+    bagel.monitoring.grafana-agent.exporters.gerrit = {
+      port = 4778;  # grrt
+      bearerTokenFile = config.age.secrets.gerrit-prometheus-bearer-token.path;
+      scrapeConfig.metrics_path = "/plugins/metrics-reporter-prometheus/metrics";
+    };
   };
 }
diff --git a/services/monitoring/agent.nix b/services/monitoring/agent.nix
index 5c44126..b7aa3d7 100644
--- a/services/monitoring/agent.nix
+++ b/services/monitoring/agent.nix
@@ -20,12 +20,40 @@ in
         internally, which ends up exported as `job` label
         on all metrics of that exporter.
       '';
-      type = types.attrsOf (types.submodule {
+      type = types.attrsOf (types.submodule ({ config, name, ... }: {
         options.port = mkOption {
           description = "Exporter port";
           type = types.int;
         };
-      });
+        options.bearerTokenFile = mkOption {
+          description = "File containing a bearer token";
+          type = types.nullOr types.path;
+          default = null;
+        };
+
+        options.scrapeConfig = mkOption {
+          description = "Prometheus scrape config";
+          type = types.attrs;
+        };
+        config.scrapeConfig = lib.mkMerge [{
+          job_name = name;
+          static_configs = [
+            { targets = [ "localhost:${toString config.port}" ]; }
+          ];
+        } (lib.mkIf (config.bearerTokenFile != null) {
+          authorization.credentials_file = "\${CREDENTIALS_DIRECTORY}/${name}-bearer-token";
+        })];
+
+        options.secrets = mkOption {
+          description = "Secrets required for scrape config";
+          type = types.attrs;
+          internal = true;
+          default = {};
+        };
+        config.secrets = lib.mkIf (config.bearerTokenFile != null) {
+          "${name}-bearer-token" = config.bearerTokenFile;
+        };
+      }));
       default = {};
     };
   };
@@ -35,7 +63,8 @@ in
 
     services.grafana-agent = {
       enable = true;
-      credentials.password = config.age.secrets.grafana-agent-password.path;
+      credentials = lib.mkMerge ([{ password = config.age.secrets.grafana-agent-password.path; }] ++
+        lib.mapAttrsToList (name: value: value.secrets) config.bagel.monitoring.grafana-agent.exporters);
       settings = {
         metrics = {
           global.remote_write = [
@@ -51,12 +80,7 @@ in
           configs = [
             {
               name = config.networking.hostName;
-              scrape_configs = lib.mapAttrsToList (name: value: {
-                job_name = name;
-                static_configs = [
-                  { targets = [ "localhost:${toString value.port}" ]; }
-                ];
-              }) config.bagel.monitoring.grafana-agent.exporters;
+              scrape_configs = lib.mapAttrsToList (name: value: value.scrapeConfig) config.bagel.monitoring.grafana-agent.exporters;
             }
           ];
         };