diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
index 40c5721..e07c209 100644
--- a/roles/haproxy/defaults/main.yml
+++ b/roles/haproxy/defaults/main.yml
@@ -1,2 +1,4 @@
 haproxy_ssl_default_ciphers: '{{ haproxy_default_ssl_default_ciphers }}'
 haproxy_ssl_default_server_ciphers: '{{ haproxy_default_ssl_default_server_ciphers|d("") }}'
+haproxy_stats_port: 8118
+haproxy_enable_stats: true
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 9346f1e..627ec9e 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -29,6 +29,15 @@
     dest: /etc/haproxy/conf.d/20-defaults.cfg
     mode: u=rw,go=r
   notify: restart haproxy
+- name: ensure haproxy stats frontend is configured
+  template:
+    src: stats.cfg.j2
+    dest: /etc/haproxy/conf.d/30-stats.cfg
+    mode: u=rw,go=r
+  notify: reload haproxy
+  tags:
+  - config
+  - stats
 
 - name: ensure haproxy starts at boot
   service:
@@ -43,3 +52,17 @@
     state: started
   tags:
   - service
+
+- name: ensure firewall is configured for haproxy stats
+  firewalld:
+    port: '{{ haproxy_stats_port }}/tcp'
+    immediate: '{{ item == "immediate" }}'
+    permanent: '{{ item == "permanent" }}'
+    state: enabled
+  loop:
+  - immediate
+  - permanent
+  when: host_uses_firewalld|d(true) and haproxy_enable_stats
+  tags:
+  - firewalld
+  - stats
diff --git a/roles/haproxy/templates/stats.cfg.j2 b/roles/haproxy/templates/stats.cfg.j2
new file mode 100644
index 0000000..d3e00ad
--- /dev/null
+++ b/roles/haproxy/templates/stats.cfg.j2
@@ -0,0 +1,10 @@
+{% if haproxy_enable_stats %}
+frontend stats
+    bind *:{{ haproxy_stats_port }}
+    http-request use-service prometheus-exporter if { path /metrics }
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+{% else %}
+# HAProxy stats frontend is disabled.
+{% endif %}