diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -3235,6 +3235,8 @@
 thanos::release::version: 0.26.0
 thanos::release::digest: cf5ea95e19388736df83f0959bd036b8ad400af233d03ae6f90decc05161dccc
 thanos::release::digest_type: sha256
+thanos::port::http: 19191
+thanos::port::grpc: 19090
 thanos::tenant: "%{::subnet}"
 thanos::replica: "0"
@@ -3249,6 +3251,10 @@
 storage_account_key: "%{lookup('thanos::objstore::azure_account_key')}"
 container: "metrics-%{lookup('thanos::tenant')}-%{lookup('thanos::replica')}"
+thanos::query::stores:
+ - pergamon.internal.softwareheritage.org
+ - mmca.softwareheritage.org
+
 grafana::db::database: grafana
 grafana::db::username: grafana
 # grafana::db::password in private-data
diff --git a/data/subnets/vagrant.yaml b/data/subnets/vagrant.yaml
--- a/data/subnets/vagrant.yaml
+++ b/data/subnets/vagrant.yaml
@@ -95,6 +95,8 @@
 aliases:
 - inventory.internal.admin.swh.network
 - inventory.internal.softwareheritage.org
+ 10.168.50.90:
+ host: thanos.internal.admin.swh.network
 10.168.100.18:
 host: banco.internal.softwareheritage.org
 aliases:
diff --git a/manifests/site.pp b/manifests/site.pp
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -122,6 +122,10 @@
 include role::swh_sentry
 }
+node 'thanos.internal.admin.swh.network' {
+ include role::swh_thanos_query
+}
+
 node /^jenkins-debian\d+\.internal\.softwareheritage\.org$/ {
 include role::swh_ci_agent_debian
 }
diff --git a/site-modules/profile/manifests/thanos/base.pp b/site-modules/profile/manifests/thanos/base.pp
--- a/site-modules/profile/manifests/thanos/base.pp
+++ b/site-modules/profile/manifests/thanos/base.pp
@@ -40,6 +40,5 @@
 -> file {$current_symlink:
 ensure => 'link',
 target => $install_dir,
- notify => Service[$service_name],
 }
 }
diff --git a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp
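Review bot: `thanos::port::grpc` is added here as the sidecar's local bind port, but the query profile in the same commit also dials that exact value on every `thanos::query::stores` entry (`--store ${store}:${port_grpc}`), so the key silently fixes the store port fleet-wide rather than per host and nothing on the page documents that coupling. A comment on the key would make the contract explicit, e.g. `# thanos::port::grpc: sidecar gRPC bind port; the querier dials this same port on every thanos::query::stores entry`. If any store later needs a different port, allowing an optional `host:port` form in `thanos::query::stores` would decouple the two without changing the default.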
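Review bot: Removing `notify => Service[$service_name]` from the `$current_symlink` file resource in base.pp means a `thanos::release::version` bump no longer restarts whichever service consumes `profile::thanos::base`; the new query profile compensates with `Class['profile::thanos::base'] ~> Service[$service_name]`, but the prometheus_sidecar.pp hunks in this commit add no equivalent relationship. If the sidecar class does not already declare one outside the visible hunks, the sidecar keeps running the previous binary after an upgrade until something else restarts it, so the pinned digest in hiera would no longer describe what is actually executing. Adding `Class['profile::thanos::base'] ~> Service[$service_name]` to the sidecar class closes that gap. The `file` resource chain starts before this hunk.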
--- a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp
+++ b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp
@@ -10,6 +10,9 @@
 $config_dir = '/etc/thanos-sidecar'
 $objstore_config_file = "${config_dir}/objstore.yml"
+ $port_http = lookup('thanos::port::http')
+ $port_grpc = lookup('thanos::port::grpc')
+
 $sidecar_arguments = {
 tsdb => {
 path => '/var/lib/prometheus/metrics2',
@@ -24,8 +27,8 @@
 shipper => {
 'upload-compacted' => true,
 },
- 'http-address' => '0.0.0.0:19191',
- 'grpc-address' => '0.0.0.0:19090',
+ 'http-address' => "0.0.0.0:${port_http}",
+ 'grpc-address' => "0.0.0.0:${port_grpc}",
 }
@@ -45,6 +48,8 @@
 content => inline_yaml($objstore_config),
 }
+ # Template uses:
+ # $sidecar_arguments
 systemd::unit_file {$unit_name:
 ensure => present,
 content => template('profile/thanos/thanos-sidecar.service.erb'),
diff --git a/site-modules/profile/manifests/thanos/query.pp b/site-modules/profile/manifests/thanos/query.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/manifests/thanos/query.pp
@@ -0,0 +1,33 @@
+# Thanos query
+class profile::thanos::query {
+ include profile::thanos::base
+
+ $service_name = 'thanos-query'
+ $unit_name = "${service_name}.service"
+
+ $port_http = lookup('thanos::port::http')
+ $stores = lookup('thanos::query::stores')
+ $port_grpc = lookup('thanos::port::grpc')
+
+ $query_cli_flags = [
+ "--http-address 0.0.0.0:${port_http}"
+ ] + map($stores) | $store | {
+ "--store ${store}:${port_grpc}"
+ }
+
+ systemd::unit_file {$unit_name:
+ ensure => present,
+ content => template("profile/thanos/${unit_name}.erb"),
+ require => Class['profile::thanos::base'],
+ notify => Service[$service_name]
+ }
+
+ # Template uses:
+ # $query_cli_flags
+ service {$service_name:
+ ensure => 'running',
+ enable => true,
+ }
+
+ Class['profile::thanos::base'] ~> Service[$service_name]
+}
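Review bot: In query.pp the `--store ${store}:${port_grpc}` flags built from `$stores` dial each store's gRPC endpoint with no TLS or client-authentication flags, and the querier binds `--http-address 0.0.0.0:${port_http}` with no authentication, so any host that can reach either port can read the metrics of every listed store; the hiera list in this commit includes `mmca.softwareheritage.org`, whose name does not look like the internal subnets used elsewhere on the page. If those links cross a network boundary, Thanos's `--grpc-client-tls-secure` / `--grpc-client-tls-ca` on the querier (with the matching `--grpc-server-tls-*` options on the sidecars) would authenticate and encrypt the store traffic; otherwise the reachability assumption should at least be stated in the class header, e.g. `# Assumes the store gRPC ports and the query HTTP port are reachable only from trusted networks.` The `# Thanos query` header could also list the hiera keys the class consumes (`thanos::port::http`, `thanos::port::grpc`, `thanos::query::stores`), since the lookups are otherwise undocumented.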
diff --git a/site-modules/profile/templates/thanos/thanos-query.service.erb b/site-modules/profile/templates/thanos/thanos-query.service.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/thanos/thanos-query.service.erb
@@ -0,0 +1,39 @@
+# File managed by puppet (class profile::thanos::query)
+# Manual changes will be overwritten
+
+[Unit]
+Description=Thanos query
+
+[Service]
+Restart=on-failure
+User=prometheus
+ExecStart=/opt/thanos/current/thanos query <%= @query_cli_flags.join(" \\\n ") %>
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LimitNOFILE=8192
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
diff --git a/site-modules/role/manifests/swh_thanos_query.pp b/site-modules/role/manifests/swh_thanos_query.pp
new file mode 100644
--- /dev/null
+++ b/site-modules/role/manifests/swh_thanos_query.pp
@@ -0,0 +1,4 @@
+# Thanos role
+class role::swh_thanos_query inherits role::swh_server {
+ include profile::thanos::query
+}
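Review bot: `User=prometheus` assumes that account exists on the new query-only node `thanos.internal.admin.swh.network`, but nothing in this commit creates it there; unless `profile::thanos::base` manages the user outside the visible hunks, the unit will fail at start on the user lookup, so a dedicated service user managed by the profile (or an explicit dependency on whatever creates `prometheus`) is needed. The hardening block is a sound baseline; since the query class manages no data directory, `ProtectSystem=strict` in place of `full` and `RestrictAddressFamilies=AF_INET AF_INET6` are cheap additions worth testing against the pinned 0.26.0 binary. `ExecReload=/bin/kill -HUP $MAINPID` is only useful if `thanos query` actually reloads on SIGHUP, which should be confirmed for that release or the line dropped so a reload does not merely signal the process for nothing.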