diff --git a/playbooks/all.yml b/playbooks/all.yml
index 27bc4c56bd58841bd014ee8d0610831cac786d01..ce743592d781b83997a43007bf6d8daab89857ec 100644
--- a/playbooks/all.yml
+++ b/playbooks/all.yml
@@ -43,3 +43,6 @@
   roles:
     - float-infra-sso-server
 
+- hosts: assets
+  roles:
+    - float-infra-assetmon
diff --git a/plugins/inventory/float.py b/plugins/inventory/float.py
index 1e29228a735528e5aa5b1cd6b77d30af2c01a92d..4acc3355c839fe485b4f550b5f56566b800c299a 100644
--- a/plugins/inventory/float.py
+++ b/plugins/inventory/float.py
@@ -38,6 +38,9 @@ DEFAULT_SERVICE_CREDENTIALS = [
     {
         'name': 'auth-server',
     },
+    {
+        'name': 'assetmon-client',
+    },
 ]
 
 
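Review bot: The new `assetmon-client` entry in DEFAULT_SERVICE_CREDENTIALS carries no comment saying why a client credential belongs in the defaults; the list itself starts above this hunk. If, as the constant's name suggests, default credentials are issued to every host, all agents present the same identity to the asset server, so the server can tell that a caller is a float host but cannot tell hosts apart by certificate. I would add a comment above the entry, for example `# Client cert for the assetmon agent that float-base installs on every host.`, and record that limitation next to the server ACL.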
diff --git a/roles/float-base-docker/tasks/main.yml b/roles/float-base-docker/tasks/main.yml
index d5d09ae6447e753f54914a69e05b90fb09eb97d8..6d08dcfc97f1605cf88ce9fbcd23a9539485abae 100644
--- a/roles/float-base-docker/tasks/main.yml
+++ b/roles/float-base-docker/tasks/main.yml
@@ -1,5 +1,10 @@
 ---
 
+- name: Configure asset tracking
+  template:
+    src: "assetmon.default.j2"
+    dest: "/etc/default/assetmon"
+
 - include_tasks: docker.yml
   when: "container_runtime == 'docker'"
 
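Review bot: The `Configure asset tracking` template task sets no `owner`, `group` or `mode`, so /etc/default/assetmon ends up with whatever the remote umask yields, and it has no `notify`, so a changed `--server` value or certificate path never reaches an agent that is already running. I would add `owner: root`, `group: root`, `mode: "0644"` and a notification to a handler that restarts the agent (its unit name is not visible in this commit). The task also sits in float-base-docker while the apt.yml hunk installs the `assetmon` package from float-base; if the two roles are not always applied together, the agent would presumably run with package defaults on some hosts.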
diff --git a/roles/float-base-docker/templates/assetmon.default.j2 b/roles/float-base-docker/templates/assetmon.default.j2
new file mode 100644
index 0000000000000000000000000000000000000000..d9c0af49db20712cea487dc32d42c3bfffb4a609
--- /dev/null
+++ b/roles/float-base-docker/templates/assetmon.default.j2
@@ -0,0 +1 @@
+OPTIONS="--server=https://assets.{{ domain }}:3798 --tls-cert=/etc/credentials/x509/assetmon-client/client/cert.pem --tls-key=/etc/credentials/x509/assetmon-client/client/private_key.pem --tls-ca=/etc/credentials/x509/assetmon-client/ca.pem"
diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 054402a10f1d8560a8eb0eb2124f7cffd3276c6f..3e69364b4bec02247f55136ce5eb91763e0745c2 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -123,6 +123,7 @@
       - auditd
       - audisp-json
       - prometheus-node-exporter
+      - assetmon
 
 - name: Install extra packages
   apt:
diff --git a/roles/float-infra-assetmon/handlers/main.yml b/roles/float-infra-assetmon/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..acbc01c532a94d9dc5f59d034b72880e2f65788b
--- /dev/null
+++ b/roles/float-infra-assetmon/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- listen: reload assetmon
+  systemd:
+    name: docker-assets-http.service
+    state: restarted
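Review bot: The handler has only `listen: reload assetmon` and no `name`, and the topic says "reload" while the action is `state: restarted` on docker-assets-http.service. Adding `name: Restart assetmon server` keeps the play output readable. Renaming the topic to `restart assetmon`, together with the matching `notify` in tasks/main.yml, would make it clear that a configuration change restarts the container and drops in-flight requests rather than reloading in place.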
diff --git a/roles/float-infra-assetmon/tasks/main.yml b/roles/float-infra-assetmon/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0334b4e74a6ba39ff07ed4fe740a4751a2d668fa
--- /dev/null
+++ b/roles/float-infra-assetmon/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Create /etc/assetmon
+  file:
+    path: "/etc/assetmon"
+    state: directory
+    owner: root
+    group: docker-assets
+    mode: 0750
+
+- name: Configure asset tracking server
+  template:
+    src: "server.yml.j2"
+    dest: "/etc/assetmon/server.yml"
+    owner: root
+    group: docker-assets
+    mode: 0640
+  notify: reload assetmon
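Review bot: `mode: 0750` and `mode: 0640` are unquoted, so the resulting permissions depend on the YAML loader treating a leading zero as octal; write `mode: "0750"` and `mode: "0640"` so the access bits on /etc/assetmon and server.yml cannot shift with the parser. Both tasks also assume the `docker-assets` group exists before the role runs, and nothing in this commit creates it, so a one-line comment naming where the group comes from would help the next reader. The ownership itself (root-owned, group-readable only) is a sensible choice for a file that points at the server's TLS key.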
diff --git a/roles/float-infra-assetmon/templates/server.yml.j2 b/roles/float-infra-assetmon/templates/server.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4b79449d89137b576065680938b103008791c05d
--- /dev/null
+++ b/roles/float-infra-assetmon/templates/server.yml.j2
@@ -0,0 +1,13 @@
+db_uri: /var/lib/assetmon/assets.db
+http_server:
+  request_timeout: 30
+  tls:
+    cert: "/etc/credentials/x509/assetmon/server/cert.pem"
+    key: "/etc/credentials/x509/assetmon/server/private_key.pem"
+    ca: "/etc/credentials/x509/assetmon/ca.pem"
+    acl:
+      allow:
+        - path: "/api/v1/.*"
+          cn: "assetmon-client.investici.org"
+        - path: ".*"
+          cn: ".*"
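Review bot: The second ACL rule, `path: ".*"` with `cn: ".*"`, also matches everything under `/api/v1/`, so unless the server stops at the first matching path, any certificate signed by the configured CA can reach the API and the first rule restricts nothing. The first rule hard-codes `investici.org` while the client template builds its URL from `{{ domain }}`, and its dots are unescaped regex metacharacters. If client CNs follow the deployment domain, I would write `cn: 'assetmon-client\.{{ domain | regex_escape }}'`, anchored with `^…$` if the matcher does not anchor on its own. A comment above `allow:` stating the evaluation order and that the catch-all is meant for non-API paths such as metrics would make the intended policy reviewable.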
diff --git a/services.yml.default b/services.yml.default
index 4e87e25bd3bc6ef135898ed5ead9d440758f4bcf..a901d76726800efdc1adb590270330589b346e1b 100644
--- a/services.yml.default
+++ b/services.yml.default
@@ -339,3 +339,28 @@ acme:
   systemd_services:
     - acmeserver.service
 
+assets:
+  num_instances: 1
+  scheduling_group: backend
+  service_credentials:
+    - name: assetmon
+  containers:
+    - name: http
+      image: registry.git.autistici.org/ai3/tools/assetmon:master
+      volumes:
+        - /etc/assetmon/server.yml: /etc/assetmon/server.yml
+        - /var/lib/assetmon: /var/lib/assetmon
+      ports:
+        - 3798
+  monitoring_endpoints:
+    - job_name: assets
+      port: 3798
+      scheme: https
+  public_endpoints:
+    - name: assets
+      port: 3798
+      scheme: https
+  datasets:
+    - name: db
+      path: /var/lib/assetmon
+      owner: docker-assets
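Review bot: The container image is referenced by the mutable tag `assetmon:master`, so the code that runs on the `assets` host changes whenever that branch is rebuilt, with no record in this repository; pinning by digest (`image: registry.git.autistici.org/ai3/tools/assetmon@sha256:<digest-placeholder>`) or an immutable release tag would make deployments reproducible and auditable. The same block is added verbatim in the services.yml.no-elasticsearch hunk and the point applies there too. Separately, `public_endpoints` lists port 3798; if that publishes the service through the public frontends, the host inventory becomes reachable from outside and its protection rests entirely on the ACL in server.yml.j2, which is worth a comment here.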
diff --git a/services.yml.no-elasticsearch b/services.yml.no-elasticsearch
index 8b6ccd28d76a919de576455c9e03b1bd818ffdbc..aac52c09261ec4b0c748e901d117e5529d15f491 100644
--- a/services.yml.no-elasticsearch
+++ b/services.yml.no-elasticsearch
@@ -267,3 +267,28 @@ acme:
   systemd_services:
     - acmeserver.service
 
+assets:
+  num_instances: 1
+  scheduling_group: backend
+  service_credentials:
+    - name: assetmon
+  containers:
+    - name: http
+      image: registry.git.autistici.org/ai3/tools/assetmon:master
+      volumes:
+        - /etc/assetmon/server.yml: /etc/assetmon/server.yml
+        - /var/lib/assetmon: /var/lib/assetmon
+      ports:
+        - 3798
+  monitoring_endpoints:
+    - job_name: assets
+      port: 3798
+      scheme: https
+  public_endpoints:
+    - name: assets
+      port: 3798
+      scheme: https
+  datasets:
+    - name: db
+      path: /var/lib/assetmon
+      owner: docker-assets