diff --git a/modules/services/default.nix b/modules/services/default.nix
index aa497ec..bdc414a 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -10,5 +10,6 @@
 ./nginx.nix
 ./fileshelter.nix
 ./wireguard.nix
+ ./kop-monitor.nix
 ];
 }
diff --git a/modules/services/kop-monitor.nix b/modules/services/kop-monitor.nix
new file mode 100644
index 0000000..9670d7f
--- /dev/null
+++ b/modules/services/kop-monitor.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, inputs, ... }:
+with lib;
+let cfg = config.custom.services.kop-monitor;
+in {
+ options.custom.services.kop-monitor = {
+ enable = mkEnableOption "Enables monitor";
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.webhook = {
+ file = ../../secrets/webhook.age;
+ };
+ # service that runs all the time, pkgs.kop-monitor
+ systemd.services.kop-monitor = {
+ description = "Kop Monitor";
+ wants = [ "network-online.target" ];
+ after = [ "network.target" "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.kop-monitor}/bin/monitor";
+ DynamicUser = true;
+ Restart = "on-failure";
+ RestartSec = "5s";
+ EnvironmentFile = config.age.secrets.webhook.path;
+ PrivateMounts = mkDefault true;
+ PrivateTmp = mkDefault true;
+ PrivateUsers = mkDefault true;
+ ProtectClock = mkDefault true;
+ ProtectControlGroups = mkDefault true;
+ ProtectHome = mkDefault true;
+ ProtectHostname = mkDefault true;
+ ProtectKernelLogs = mkDefault true;
+ ProtectKernelModules = mkDefault true;
+ ProtectKernelTunables = mkDefault true;
+ ProtectSystem = mkDefault "strict";
+ # Needs network access
+ PrivateNetwork = mkDefault false;
+ };
+
+ };
+ };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 0fe1874..90c37c8 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
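Review bot: The `serviceConfig` block in the new kop-monitor.nix leaves a network-facing process with its full capability bounding set, every socket family and the whole syscall surface, because none of `CapabilityBoundingSet`, `RestrictAddressFamilies`, `SystemCallFilter`, `SystemCallArchitectures`, `RestrictNamespaces`, `LockPersonality`, `RestrictRealtime` or `MemoryDenyWriteExecute` is set; a monitor that only posts to a webhook needs AF_INET/AF_INET6 and nothing privileged, so the additions below close the rest off while staying `mkDefault`-overridable like the existing lines. `EnvironmentFile` works with `DynamicUser` because systemd reads the file before switching to the dynamic user, but it places the webhook secret in the process environment (visible in `/proc/<pid>/environ` to that user and inherited by any child); if `monitor` can take the value from a file, `LoadCredential = [ "webhook:${config.age.secrets.webhook.path}" ]` read via `$CREDENTIALS_DIRECTORY/webhook` is the tighter pattern — I can't tell from this diff whether the binary supports that. `age.secrets.webhook` is a repository-global attribute name, so any other module that later declares a `webhook` secret will collide with this one; `age.secrets.kop-monitor-webhook = { file = ../../secrets/webhook.age; };` avoids that without renaming the `.age` file. `mkEnableOption` prefixes its argument with "Whether to enable", so the option text currently renders as "Whether to enable Enables monitor." — `enable = mkEnableOption "the Kop monitor service";` reads correctly. The `with lib;` at the top is also redundant with the explicit `lib.mkIf` used below, and `inputs` in the argument list is unused.
```nix
      serviceConfig = {
        # … unchanged: Type, ExecStart, DynamicUser, Restart, RestartSec, EnvironmentFile, Private*/Protect* …
        # Needs network access, but only IP sockets and no capabilities
        PrivateNetwork = mkDefault false;
        RestrictAddressFamilies = mkDefault [ "AF_INET" "AF_INET6" ];
        CapabilityBoundingSet = mkDefault "";
        RestrictNamespaces = mkDefault true;
        LockPersonality = mkDefault true;
        RestrictRealtime = mkDefault true;
        MemoryDenyWriteExecute = mkDefault true;
        ProtectProc = mkDefault "invisible";
        SystemCallArchitectures = mkDefault "native";
        SystemCallFilter = mkDefault [ "@system-service" "~@privileged" "~@resources" ];
```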
@@ -4,5 +4,5 @@ ente-frontend = pkgs.callPackage ./ente-frontend/default.nix { };
 kop-website = pkgs.callPackage ./website/default.nix { inherit kop-hub ente-frontend; };
- kop-monitor = pkgs.callPackage ./monitor/default.nix { };
+ kop-monitor = pkgs.callPackage ./kop-monitor/default.nix { };
 }
diff --git a/pkgs/monitor/default.nix b/pkgs/kop-monitor/default.nix
similarity index 83%
rename from pkgs/monitor/default.nix
rename to pkgs/kop-monitor/default.nix
index 9748564..4c5b55c 100644
--- a/pkgs/monitor/default.nix
+++ b/pkgs/kop-monitor/default.nix
@@ -16,5 +16,5 @@ rustPlatform.buildRustPackage {
 nativeBuildInputs = with pkgs; [ pkg-config ];
 buildInputs = with pkgs; [ openssl ];
- cargoHash = "sha256-/bpxo5LUrdMJBzI6N4Dr+f7/pH6fE+fayzZW3CZ/lwA=";
+ cargoHash = "sha256-PI2bLMnT71JVeDZp/Es4jhwTPuSRvrz2j5wyNPLKkFY=";
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index b5bf342..d6c0178 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,5 @@ in
 "step-ca-key.age".publicKeys = [ mini-pc server kop ];
 "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
 "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
+ "webhook.age".publicKeys = [ mini-pc server kop ];
 }
diff --git a/secrets/webhook.age b/secrets/webhook.age
new file mode 100644
index 0000000..e90d370
Binary files /dev/null and b/secrets/webhook.age differ
diff --git a/systems/mini-pc/configuration.nix b/systems/mini-pc/configuration.nix
index 45436fe..df801ca 100644
--- a/systems/mini-pc/configuration.nix
+++ b/systems/mini-pc/configuration.nix
@@ -52,6 +52,7 @@
 };
 services = {
 acme.enable = true;
+ kop-monitor.enable = true;
 nginx.enable = true;
 ente.enable = true;
 fileshelter.enable = true;
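Review bot: The new `"webhook.age".publicKeys = [ mini-pc server kop ];` line in secrets.nix makes the webhook URL decryptable by `server`, while this commit enables `kop-monitor` only in `systems/mini-pc/configuration.nix`, so a host that never runs the service holds a copy of the secret for no reason. If `server` has no consumer for it, `"webhook.age".publicKeys = [ mini-pc kop ];` limits the secret to the host that needs it plus `kop`, which I take to be the operator key since every entry lists it — the identical recipient set on the three neighbouring lines suggests this is the repository's default rather than a deliberate choice for this secret. Narrowing later means re-keying with `agenix -r`, so it is cheapest to decide now; if `server` is a planned second deployment, a one-line comment saying so would stop the next reviewer asking the same question.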