diff --git a/roles/telegraf/handlers/main.yml b/roles/telegraf/handlers/main.yml
new file mode 100644
index 0000000..c456d17
--- /dev/null
+++ b/roles/telegraf/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: update package cache
+  package:
+    update_cache: yes
+  when: "'handler' not in ansible_skip_tags"
+
+- name: restart telegraf
+  service:
+    name: telegraf
+    state: restarted
+  when: "'handler' not in ansible_skip_tags"
diff --git a/roles/telegraf/tasks/debian.yml b/roles/telegraf/tasks/debian.yml
new file mode 100644
index 0000000..a53989f
--- /dev/null
+++ b/roles/telegraf/tasks/debian.yml
@@ -0,0 +1,31 @@
+- name: Add influxdb repository
+  deb822_repository:
+    name: influxdata
+    uris: https://repos.influxdata.com/debian
+    suites: stable
+    components: main
+    architectures: amd64
+    signed_by: https://repos.influxdata.com/influxdata-archive.key
+  notify: update package cache
+
+- meta: flush_handlers
+
+- name: Install telegraf
+  package:
+    name: telegraf
+
+- name: Configure telegraf
+  when: not ansible_check_mode
+  template:
+    dest: /etc/telegraf/telegraf.d/output.conf
+    src: output.conf.j2
+    owner: telegraf
+    group: telegraf
+    mode: 0640
+  notify: restart telegraf
+
+- name: Enable telegraf
+  service:
+    name: telegraf
+    enabled: true
+    state: started
diff --git a/roles/telegraf/tasks/main.yml b/roles/telegraf/tasks/main.yml
new file mode 100644
index 0000000..0193aa9
--- /dev/null
+++ b/roles/telegraf/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: Get influxdb info
+  set_fact:
+    influxdb_info: '{{ lookup("passwordstore", "vm/"~influxdb_host, returnall=true, missing="empty") | from_yaml }}'
+
+- name: Create influxdb token for this host
+  include_tasks: token.yml
+  when: 'not ansible_check_mode and "influxdb_token" not in password'
+
+- name: Install telegraf on Debian
+  include_tasks: debian.yml
+  when: ansible_os_family == "Debian"
diff --git a/roles/telegraf/tasks/token.yml b/roles/telegraf/tasks/token.yml
new file mode 100644
index 0000000..6343331
--- /dev/null
+++ b/roles/telegraf/tasks/token.yml
@@ -0,0 +1,53 @@
+- name: Get influxdb organization ID
+  delegate_to: localhost
+  uri:
+    url: '{{ influxdb_info.influxdb_url }}/api/v2/orgs'
+    headers:
+      Authorization: Token {{ influxdb_info.influxdb_operator_token }}
+  register: response
+
+- name: Parse influxdb orgID
+  set_fact:
+    influxdb_orgID: '{{ response.json.orgs | selectattr("name", "==", influxdb_info.influxdb_org) | map(attribute="id") | first }}'
+
+- name: Get influxdb bucket ID
+  delegate_to: localhost
+  uri:
+    url: '{{ influxdb_info.influxdb_url }}/api/v2/buckets?orgID={{ influxdb_orgID }}'
+    headers:
+      Authorization: Token {{ influxdb_info.influxdb_operator_token }}
+  register: response
+
+- name: Parse influxdb bucketID
+  set_fact:
+    influxdb_bucketID: '{{ response.json.buckets | selectattr("name", "==", "servers") | map(attribute="id") | first }}'
+
+- name: Create influxdb token
+  delegate_to: localhost
+  uri:
+    url: '{{ influxdb_info.influxdb_url }}/api/v2/authorizations'
+    method: POST
+    body_format: json
+    status_code: 201
+    headers:
+      Authorization: Token {{ influxdb_info.influxdb_operator_token }}
+      Content-Type: application/json
+    body: |
+      {
+        "description": "{{ inventory_hostname }}",
+        "orgID": "{{ influxdb_orgID }}",
+        "permissions": [{ "action": "write", "resource": { "type": "buckets", "id": "{{ influxdb_bucketID }}" } }]
+      }
+  register: response
+
+- name: Parse influxdb token
+  set_fact:
+    influxdb_token: '{{ response.json.token }}'
+
+# Ansible’s passwordstore lookup plugin should be able to do that but is pretty broken,
+# so we do it manually.
+- name: Store influxdb token in password store
+  delegate_to: localhost
+  command:
+    cmd: 'pass insert --force --multiline {{ ("vm/" if is_virtual else "host/")~inventory_hostname }}'
+    stdin: '{{ password | to_nice_yaml(sort_keys=false) }}influxdb_token: {{ influxdb_token }}'
diff --git a/roles/telegraf/templates/output.conf.j2 b/roles/telegraf/templates/output.conf.j2
new file mode 100644
index 0000000..25ba0de
--- /dev/null
+++ b/roles/telegraf/templates/output.conf.j2
@@ -0,0 +1,5 @@
+[[outputs.influxdb_v2]]
+ urls = ["{{ influxdb_info.influxdb_url }}"]
+ organization = "{{ influxdb_info.influxdb_org }}"
+ bucket = "{{ influxdb_info.influxdb_bucket }}"
+ token = "{{ influxdb_token | default(password.influxdb_token) }}"
diff --git a/setup.yml b/setup.yml
index 99aa1f8..cacdc35 100644
--- a/setup.yml
+++ b/setup.yml
@@ -26,6 +26,7 @@
   roles:
     - debian
     - frr
+    - telegraf
     - ceph
 
 - hosts: pve-rc-*, pve-lab-*