diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -3242,6 +3242,8 @@
 thanos::sidecar::port_http: "%{lookup('thanos::port::http')}"
 thanos::sidecar::port_grpc: "%{lookup('thanos::port::grpc')}"
 thanos::query::port_http: "%{lookup('thanos::port::http')}"
+thanos::gateway::port_http: 19192
+thanos::gateway::port_grpc: 19093
 thanos::tenant: "%{::subnet}"
 thanos::replica: "0"
diff --git a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp
--- a/site-modules/profile/manifests/thanos/prometheus_sidecar.pp
+++ b/site-modules/profile/manifests/thanos/prometheus_sidecar.pp
@@ -1,7 +1,11 @@
-# Thanos prometheus sidecar
+# Thanos prometheus sidecar and gateway services
 class profile::thanos::prometheus_sidecar {
 include profile::thanos::base
+ ##########
+ # sidecar (push historical and live data to data store
+ ##########
+
 $service_name = 'thanos-sidecar'
 $unit_name = "${service_name}.service"
@@ -15,10 +19,11 @@
 $internal_ip = ip_for_network(lookup('internal_network'))
 $grpc_address = "${internal_ip}:${port_grpc}"
+ $datadir = '/var/lib/prometheus/metrics2'
 $sidecar_arguments = {
 tsdb => {
- path => '/var/lib/prometheus/metrics2',
+ path => $datadir,
 },
 prometheus => {
 # use the listen address for the prometheus server
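Review bot: `thanos::gateway::port_http: 19192` and `thanos::gateway::port_grpc: 19093` are the only literal ports in this block; the sidecar and query keys around them resolve through `lookup('thanos::port::http')` / `lookup('thanos::port::grpc')`. Presumably the gateway needs its own ports because it runs beside the sidecar on the same host, but nothing in the file says so; a comment such as `# gateway shares a host with the sidecar, so it cannot reuse thanos::port::*` would keep a later cleanup from folding these back into the shared lookups.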
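Review bot: The new banner `# sidecar (push historical and live data to data store` is missing its closing parenthesis; the gateway and query banners added later in this file close theirs, so this one should read `# sidecar (push historical and live data to data store)`. The class body continues past the end of the hunk.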
@@ -65,6 +70,51 @@
 require => Service['prometheus'],
 }
+ Class['profile::thanos::base'] ~> Service[$service_name]
+ # Ensure prometheus is configured properly before starting the sidecar
+ Exec['restart-prometheus'] -> Service[$service_name]
+
+ ##########
+ # gateway (allow access to historical data)
+ ##########
+
+ $gateway_service_name = 'thanos-gateway'
+ $gateway_unit_name = "${gateway_service_name}.service"
+ $gateway_port_http = lookup('thanos::gateway::port_http')
+ $gateway_port_grpc = lookup('thanos::gateway::port_grpc')
+ $gateway_grpc_address = "${internal_ip}:${gateway_port_grpc}"
+
+ # thanos store \
+ # --objstore.config-file bucket_config.yaml \ # Bucket to fetch data from
+
+ $gateway_arguments = {
+ 'data-dir' => $datadir,
+ objstore => {
+ 'config-file' => $objstore_config_file,
+ },
+ 'http-address' => "${internal_ip}:${gateway_port_http}",
+ 'grpc-address' => $gateway_grpc_address,
+ }
+
+ # Template uses:
+ # $gateway_arguments
+ systemd::unit_file {$gateway_unit_name:
+ ensure => present,
+ content => template('profile/thanos/gateway.service.erb'),
+ require => Class['profile::thanos::base'],
+ notify => Service[$gateway_service_name]
+ }
+
+ service {$gateway_service_name:
+ ensure => 'running',
+ enable => true,
+ require => Service['prometheus'],
+ }
+
+ ########
+ # query (query data stores)
+ ########
+
 $config_filepath = "${config_dir}/sd.yaml"
 @@concat { $config_filepath:
 ensure => present,
@@ -76,6 +126,7 @@
 tag => 'thanos',
 }
+ # sidecar grpc address
 @@::concat::fragment { $grpc_address:
 target => $config_filepath,
 content => " - ${grpc_address}\n",
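Review bot: `'data-dir' => $datadir` hands the store gateway the same directory the sidecar exposes as Prometheus's TSDB (`/var/lib/prometheus/metrics2`, assigned in the earlier hunk). `thanos store` treats `--data-dir` as a local cache of remote-block index data that it owns, and to my recollection it also removes block directories there that it cannot find in the bucket; if that holds for the version installed under `/opt/thanos/current`, the gateway can write into, or delete, blocks the live Prometheus still depends on. Unless sharing is deliberate, give the gateway its own directory, e.g. `'data-dir' => '/var/lib/thanos/store'` (a constructed path; use whatever the host layout prescribes) owned by the `prometheus` user the unit runs as, and record the choice in the `# thanos store` comment. `$objstore_config_file` is referenced here but not defined in the hunk; presumably it is set in the sidecar section above, outside the hunk. `require => Service['prometheus']` on the gateway service also couples a bucket-reading store to the local Prometheus lifecycle; if the intent is only to order it after the objstore configuration, `require => Class['profile::thanos::base']` (as already set on the unit file) is the narrower dependency.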
@@ -83,7 +134,11 @@
 tag => 'thanos',
 }
- Class['profile::thanos::base'] ~> Service[$service_name]
- # Ensure prometheus is configured properly before starting the sidecar
- Exec['restart-prometheus'] -> Service[$service_name]
+ # gateway grpc address
+ @@::concat::fragment { $gateway_grpc_address:
+ target => $config_filepath,
+ content => " - ${gateway_grpc_address}\n",
+ order => 2,
+ tag => 'thanos',
+ }
 }
diff --git a/site-modules/profile/templates/thanos/gateway.service.erb b/site-modules/profile/templates/thanos/gateway.service.erb
new file mode 100644
--- /dev/null
+++ b/site-modules/profile/templates/thanos/gateway.service.erb
@@ -0,0 +1,39 @@
+# File managed by puppet (class profile::thanos::gateway)
+# Manual changes will be overwritten
+
+[Unit]
+Description=Thanos gateway
+
+[Service]
+Restart=on-failure
+User=prometheus
+ExecStart=/opt/thanos/current/thanos store <%= scope.call_function('flatten_to_argument_list', [@gateway_arguments]).join(" \\\n ") %>
+ExecReload=/bin/kill -HUP $MAINPID
+TimeoutStopSec=20s
+SendSIGKILL=no
+
+# systemd hardening-options
+AmbientCapabilities=
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LimitMEMLOCK=0
+LimitNOFILE=8192
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
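Review bot: `order => 2` on the exported gateway fragment only places it after the sidecar fragment if that fragment carries a lower order; concat::fragment defaults to `10`, and the sidecar fragment's remaining attributes (old line 82, which falls between the two hunks above) are not visible here, so I cannot tell whether it sets one. If it does not, every host's gateway address is emitted before every sidecar address, the opposite of what the comments suggest; either set `order => 1` on the sidecar fragment or drop `order` here, since the position of an entry in the `sd.yaml` list does not matter to Thanos query. The enclosing class closes on the final ` }` of this hunk.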
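Review bot: The header `# File managed by puppet (class profile::thanos::gateway)` names a class that this change does not create; the unit is declared from `profile::thanos::prometheus_sidecar`, so it should read `# File managed by puppet (class profile::thanos::prometheus_sidecar)`, otherwise an operator who finds the file on a host will look for the wrong manifest. On the hardening block, `ProtectSystem=full` still leaves all of `/var` writable, so nothing confines the process's writes to its data-dir; `ProtectSystem=strict` together with a `ReadWritePaths=` entry for that directory would state the intended footprint, which means passing the directory into the template (it currently receives only `@gateway_arguments`). `SystemCallFilter=@system-service` is the usual companion to `SystemCallArchitectures=native` and is missing here; test it on the target systemd version before enabling, as an over-tight filter shows up as the store dying at startup rather than as a clear error.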