diff --git a/hosts/gerrit01/default.nix b/hosts/gerrit01/default.nix index a9c48b4..cb05025 100755 --- a/hosts/gerrit01/default.nix +++ b/hosts/gerrit01/default.nix @@ -30,6 +30,7 @@ bagel.services.gerrit = { enable = true; + pyroscope.enable = true; domains = [ "cl.forkos.org" ]; diff --git a/services/gerrit/default.nix b/services/gerrit/default.nix index bcc6478..bea5e08 100644 --- a/services/gerrit/default.nix +++ b/services/gerrit/default.nix @@ -12,6 +12,10 @@ in { options.bagel.services.gerrit = { enable = mkEnableOption "Gerrit"; + pyroscope.enable = mkEnableOption ''Pyroscope client, + this will send profiling of all Java processes on the current host + to our Pyroscope instance. + ''; domains = mkOption { type = types.listOf types.str; description = "List of domains that Gerrit will answer to"; @@ -41,6 +45,7 @@ in config = mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ cfg.port ]; + age.secrets.alloy-push-password.file = ../../secrets/metrics-push-password.age; environment.systemPackages = [ jdk pkgs.git ]; 
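Review bot: `age.secrets.alloy-push-password` is declared directly under `config = mkIf cfg.enable`, so every host that enables the Gerrit module decrypts the push password even when `pyroscope.enable` is false. The same gap applies in the last hunk of this file to the `systemd.services.alloy.serviceConfig` overrides (root user, `LoadCredential`) and to `environment.etc."alloy/config.alloy"`, since only `services.alloy.enable` follows the option. Wrapping these in `mkIf cfg.pyroscope.enable { … }`, for example `age.secrets = mkIf cfg.pyroscope.enable { alloy-push-password.file = ../../secrets/metrics-push-password.age; };`, keeps the secret and the root override off hosts that have not opted in. The file name suggests this password is shared with the metrics push path; if so, a dedicated credential for profiles would limit what a compromised Gerrit host can write to. The `config` block starts and ends outside the hunk.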
@@ -55,6 +60,64 @@ in }; users.groups.git = {}; + services.alloy = { + enable = cfg.pyroscope.enable; + extraFlags = [ + # Debugging interface. + "--server.http.listen-addr=127.0.0.1:15555" + ]; + }; + systemd.services.alloy.serviceConfig = { + User = lib.mkForce "root"; + Group = lib.mkForce "root"; + DynamicUser = lib.mkForce false; + }; + systemd.services.alloy.serviceConfig.LoadCredential = [ "password:${config.age.secrets.alloy-push-password.path}" ]; + environment.etc."alloy/config.alloy".text = '' + pyroscope.write "production" { + endpoint { + url = "https://pyroscope.forkos.org" + basic_auth { + username = "promtail" + password_file = "/run/credentials/password" + } + } + } + + discovery.process "all" { + refresh_interval = "60s" + discover_config { + cwd = true + exe = true + commandline = true + username = true + uid = true + container_id = true + } + } + + discovery.relabel "java" { + targets = discovery.process.all.targets + rule { + action = "keep" + regex = ".*/java$" + source_labels = ["__meta_process_exe"] + } + } + + pyroscope.java "java" { + targets = discovery.relabel.java.output + forward_to = [pyroscope.write.production.receiver] + profiling_config { + interval = "60s" + alloc = "512k" + cpu = true + sample_rate = 100 + lock = "1ms" + } + } + ''; + services.gerrit = { enable = true; listenAddress = "[::]:4778"; # 4778 - grrt
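Review bot: `password_file = "/run/credentials/password"` does not match where systemd places a `LoadCredential` entry. For a system unit the file lives in the per-unit directory exported as `$CREDENTIALS_DIRECTORY`, which here would be `/run/credentials/alloy.service/password`, so as written the basic-auth password would most likely not be found. Suggested change: `password_file = "/run/credentials/alloy.service/password"`. Separately, the unit is forced to `User = "root"` with `DynamicUser` off and no explanation; if the reason is that `pyroscope.java` must attach to JVMs owned by other users, record it in a comment such as `# root is required to attach the profiler to JVMs running as other users`, and keep whatever systemd sandboxing options remain compatible.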