diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix
index 549658983..a8df522f2 100644
--- a/makefu/1systems/pnp.nix
+++ b/makefu/1systems/pnp.nix
@@ -10,6 +10,7 @@
       <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
       ../2configs/base.nix
       ../2configs/cgit-retiolum.nix
+      ../2configs/graphite-standalone.nix
     ];
   krebs.build.host = config.krebs.hosts.pnp;
   krebs.build.user = config.krebs.users.makefu;
@@ -38,8 +39,13 @@
   hardware.enableAllFirmware = true;
   hardware.cpu.amd.updateMicrocode = true;
 
-# networking.firewall is enabled by default
-  networking.firewall.allowedTCPPorts = [ 80 ];
+  networking.firewall.allowedTCPPorts = [
+  # nginx runs on 80
+                                          80
+  # graphite-web runs on 8080, carbon cache runs on 2003 tcp and udp
+                                          8080 2003
+                                        ];
+  networking.firewall.allowedUDPPorts = [ 2003 ];
   networking.firewall.rejectPackets = true;
   networking.firewall.allowPing = true;
 
diff --git a/makefu/2configs/graphite-web.nix b/makefu/2configs/graphite-web.nix
new file mode 100644
index 000000000..daa1d49a3
--- /dev/null
+++ b/makefu/2configs/graphite-web.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+{
+  imports = [ ];
+  services.graphite = {
+    web = {
+      enable = true;
+      host = "0.0.0.0";
+    };
+    carbon = {
+      enableCache = true;
+      storageSchemas = ''
+        [carbon]
+        pattern = ^carbon\.
+        retentions = 60:90d
+
+        [default]
+        pattern = .*
+        retentions = 60s:30d,300s:1y
+        '';
+    };
+  };
+}