diff --git a/arty.yml b/arty.yml
index 9e6b711..4df3a03 100644
--- a/arty.yml
+++ b/arty.yml
@@ -135,6 +135,12 @@ envs:
 DROP_TRAEFIK_ENABLED: true
 DROP_COMPOSE_PROJECT_NAME: drop
 DROP_TRAEFIK_HOST: drop.pivoine.art
+ # Netdata
+ NETDATA_TRAEFIK_ENABLED: true
+ NETDATA_COMPOSE_PROJECT_NAME: netdata
+ NETDATA_IMAGE: netdata/netdata:latest
+ NETDATA_TRAEFIK_HOST: netdata.pivoine.art
+ NETDATA_HOSTNAME: netdata.pivoine.art
 # Proxy
 PROXY_COMPOSE_PROJECT_NAME: proxy
 PROXY_DOCKER_IMAGE: traefik:latest
diff --git a/compose.yaml b/compose.yaml
index dfdfb9b..2d5f0a3 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -14,6 +14,7 @@ include:
 - jelly/compose.yaml
 - drop/compose.yaml
 - restic/compose.yaml
+ - netdata/compose.yaml
 - umami/compose.yaml
 - sablier/compose.yaml
 - proxy/compose.yaml
diff --git a/netdata/compose.yaml b/netdata/compose.yaml
new file mode 100644
index 0000000..d068fca
--- /dev/null
+++ b/netdata/compose.yaml
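Review bot: `NETDATA_IMAGE: netdata/netdata:latest` in the arty.yml hunk leaves the image unpinned, and the same tag is the fallback in the netdata/compose.yaml hunk (`${NETDATA_IMAGE:-netdata/netdata:latest}`). That service also carries the Watchtower enable label, so if `WATCHTOWER_LABEL_ENABLE` is on, whatever is published under `latest` is pulled automatically into a container that holds `SYS_ADMIN` and the Docker socket. Pinning to a release tag or digest, e.g. `NETDATA_IMAGE: netdata/netdata:<VERSION>@sha256:<DIGEST>`, and bumping it deliberately would keep that update path under review. The `envs:` mapping starts and ends outside this hunk, so whether other services follow a pinning convention cannot be seen from here.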
@@ -0,0 +1,60 @@
+services:
+ netdata:
+ image: ${NETDATA_IMAGE:-netdata/netdata:latest}
+ container_name: ${NETDATA_COMPOSE_PROJECT_NAME}_app
+ restart: unless-stopped
+ hostname: ${NETDATA_HOSTNAME:-netdata.pivoine.art}
+ cap_add:
+ - SYS_PTRACE
+ - SYS_ADMIN
+ security_opt:
+ - apparmor:unconfined
+ volumes:
+ - netdata_config:/etc/netdata
+ - netdata_lib:/var/lib/netdata
+ - netdata_cache:/var/cache/netdata
+ - /etc/passwd:/host/etc/passwd:ro
+ - /etc/group:/host/etc/group:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /proc:/host/proc:ro
+ - /sys:/host/sys:ro
+ - /etc/os-release:/host/etc/os-release:ro
+ - /var/log:/host/var/log:ro
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ environment:
+ - NETDATA_CLAIM_TOKEN=${NETDATA_CLAIM_TOKEN:-}
+ - NETDATA_CLAIM_URL=${NETDATA_CLAIM_URL:-}
+ - NETDATA_CLAIM_ROOMS=${NETDATA_CLAIM_ROOMS:-}
+ networks:
+ - compose_network
+ labels:
+ - 'traefik.enable=${NETDATA_TRAEFIK_ENABLED}'
+ # HTTP to HTTPS redirect
+ - 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-redirect-web-secure.redirectscheme.scheme=https'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-redirect-web-secure'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.rule=Host(`${NETDATA_TRAEFIK_HOST}`)'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web.entrypoints=web'
+ # HTTPS router
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.rule=Host(`${NETDATA_TRAEFIK_HOST}`)'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.tls.certresolver=resolver'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.entrypoints=web-secure'
+ - 'traefik.http.middlewares.${NETDATA_COMPOSE_PROJECT_NAME}-compress.compress=true'
+ - 'traefik.http.routers.${NETDATA_COMPOSE_PROJECT_NAME}-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file'
+ # Service
+ - 'traefik.http.services.${NETDATA_COMPOSE_PROJECT_NAME}.loadbalancer.server.port=19999'
+ - 'traefik.docker.network=${NETWORK_NAME}'
+ # Watchtower
+ - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
+volumes:
+ netdata_config:
+ name: ${NETDATA_COMPOSE_PROJECT_NAME}_config
+ netdata_lib:
+ name: ${NETDATA_COMPOSE_PROJECT_NAME}_lib
+ netdata_cache:
+ name: ${NETDATA_COMPOSE_PROJECT_NAME}_cache
+
+networks:
+ compose_network:
+ name: ${NETWORK_NAME}
+ external: true
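Review bot: The `-web-secure` router publishes the Netdata dashboard (port 19999) on `${NETDATA_TRAEFIK_HOST}` with only the `compress` and `security-headers@file` middlewares, so nothing visible in this file authenticates visitors. Unless access control is enforced elsewhere, host metrics, process information and container names would be readable by anyone who can reach the hostname. An auth middleware should join the chain, e.g. `...-web-secure.middlewares=${NETDATA_COMPOSE_PROJECT_NAME}-compress,security-headers@file,<AUTH_MIDDLEWARE>@file`. Separately, `:ro` on `/var/run/docker.sock` only protects the socket file and does not limit which Docker API requests the container can send; combined with `SYS_ADMIN` and `apparmor:unconfined`, a compromise of this internet-facing service would likely extend to the Docker daemon and the host. A filtering socket proxy, or dropping the mount if container-name resolution is not needed, would narrow that, and a short comment above `cap_add` naming which collectors need each capability would help later trimming.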