diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -4326,3 +4326,9 @@
 netbox::vhost::ssl_honorcipherorder: "%{hiera('apache::ssl_honorcipherorder')}"
 netbox::vhost::ssl_cipher: "%{hiera('apache::ssl_cipher')}"
 netbox::vhost::hsts_header: "%{hiera('apache::hsts_header')}"
+
+opnsense::hosts:
+  - pushkin.internal.softwareheritage.org
+  - glyptotek.internal.softwareheritage.org
+opnsense::prometheus::port: 9100
+opnsense::prometheus::metrics_path: /metrics
diff --git a/site-modules/profile/manifests/opnsense/metrics_scraper.pp b/site-modules/profile/manifests/opnsense/metrics_scraper.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/opnsense/metrics_scraper.pp
@@ -0,0 +1,20 @@
+# Configure the export_scrape_config for the firewalls
+class profile::opnsense::metrics_scraper {
+  $fw_hosts = lookup('opnsense::hosts')
+  $fw_prometheus_port = lookup('opnsense::prometheus::port')
+  $fw_prometheus_metrics_path = lookup('opnsense::prometheus::metrics_path')
+
+  $fw_hosts.each | $host | {
+
+    $static_labels = lookup('prometheus::static_labels', Hash)
+
+    $target = "${host}:${fw_prometheus_port}"
+
+    profile::prometheus::export_scrape_config { $host :
+      target       => $target,
+      scheme       => 'http',
+      metrics_path => $fw_prometheus_metrics_path,
+    }
+  }
+
+}
diff --git a/site-modules/role/manifests/swh_sysadmin.pp b/site-modules/role/manifests/swh_sysadmin.pp
--- a/site-modules/role/manifests/swh_sysadmin.pp
+++ b/site-modules/role/manifests/swh_sysadmin.pp
@@ -23,4 +23,6 @@
   include profile::sentry::reverse_proxy
 
   include profile::weekly_report_bot
+
+  include profile::opnsense::metrics_scraper
 }