diff --git a/docs/plans/nats-deploy-service.md b/docs/plans/nats-deploy-service.md
index c811cb8..dadbda7 100644
--- a/docs/plans/nats-deploy-service.md
+++ b/docs/plans/nats-deploy-service.md
@@ -240,6 +240,9 @@ All NKeys stored in Vault - MCP gets limited credentials, admin CLI gets full-ac
 Rather than defining `tier` in the listener config, use a central `homelab.host` module that provides host metadata for multiple consumers. This aligns with the approach proposed in `docs/plans/prometheus-scrape-target-labels.md`. +**Status:** The `homelab.host` module is implemented in `modules/homelab/host.nix`. +Hosts can be filtered by tier using `config.homelab.host.tier`. + **Module definition (in `modules/homelab/host.nix`):** ```nix homelab.host = {
diff --git a/docs/plans/prometheus-scrape-target-labels.md b/docs/plans/prometheus-scrape-target-labels.md
index 2261dc8..c0b159c 100644
--- a/docs/plans/prometheus-scrape-target-labels.md
+++ b/docs/plans/prometheus-scrape-target-labels.md
@@ -58,6 +58,9 @@ This implementation uses a shared `homelab.host` module that provides host metad
 ### 1. Create `homelab.host` module +**Status:** Step 1 (Create `homelab.host` module) is complete. The module is in +`modules/homelab/host.nix` with tier, priority, role, and labels options. + Create `modules/homelab/host.nix` with shared host metadata options: ```nix
diff --git a/flake.nix b/flake.nix
index 4c68d79..ebcbd6c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -58,6 +58,7 @@
 )
 sops-nix.nixosModules.sops
 nixos-exporter.nixosModules.default
+ ./modules/homelab
 ];
 allSystems = [
 "x86_64-linux"
diff --git a/hosts/jump/configuration.nix b/hosts/jump/configuration.nix
index a0923c2..0979c9d 100644
--- a/hosts/jump/configuration.nix
+++ b/hosts/jump/configuration.nix
@@ -8,6 +8,9 @@
 ];
 nixpkgs.config.allowUnfree = true;
+
+ homelab.host.role = "bastion";
+
 # Use the systemd-boot EFI boot loader.
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/sda";
diff --git a/hosts/nix-cache01/configuration.nix b/hosts/nix-cache01/configuration.nix
index 097362b..7d9394b 100644
--- a/hosts/nix-cache01/configuration.nix
+++ b/hosts/nix-cache01/configuration.nix
@@ -13,6 +13,11 @@
 homelab.dns.cnames = [ "nix-cache" "actions1" ];
+ homelab.host = {
+ priority = "low";
+ role = "build-host";
+ };
+
 fileSystems."/nix" = {
 device = "/dev/disk/by-label/nixcache";
 fsType = "xfs";
diff --git a/hosts/ns1/configuration.nix b/hosts/ns1/configuration.nix
index 5dca77a..c5b9e88 100644
--- a/hosts/ns1/configuration.nix
+++ b/hosts/ns1/configuration.nix
@@ -49,6 +49,11 @@
 ];
 vault.enable = true;
+ homelab.host = {
+ role = "dns";
+ labels.dns_role = "primary";
+ };
+
 nix.settings.tarball-ttl = 0;
 environment.systemPackages = with pkgs; [
 vim
diff --git a/hosts/ns2/configuration.nix b/hosts/ns2/configuration.nix
index 29c9697..c49c5e5 100644
--- a/hosts/ns2/configuration.nix
+++ b/hosts/ns2/configuration.nix
@@ -49,6 +49,11 @@
 ];
 vault.enable = true;
+ homelab.host = {
+ role = "dns";
+ labels.dns_role = "secondary";
+ };
+
 environment.systemPackages = with pkgs; [
 vim
 wget
diff --git a/hosts/template/configuration.nix b/hosts/template/configuration.nix
index 33ec69a..e974a49 100644
--- a/hosts/template/configuration.nix
+++ b/hosts/template/configuration.nix
@@ -11,6 +11,11 @@
 # Template host - exclude from DNS zone generation
 homelab.dns.enable = false;
+ homelab.host = {
+ tier = "test";
+ priority = "low";
+ };
+
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/sda";
diff --git a/hosts/template2/configuration.nix b/hosts/template2/configuration.nix
index 97a1aef..9b921be 100644
--- a/hosts/template2/configuration.nix
+++ b/hosts/template2/configuration.nix
@@ -32,6 +32,11 @@
 datasource_list = [ "ConfigDrive" "NoCloud" ];
 };
+ homelab.host = {
+ tier = "test";
+ priority = "low";
+ };
+
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/vda";
 networking.hostName = "nixos-template2";
diff --git a/hosts/testvm01/configuration.nix b/hosts/testvm01/configuration.nix
index f8e174c..95f9233 100644
--- a/hosts/testvm01/configuration.nix
+++ b/hosts/testvm01/configuration.nix
@@ -16,6 +16,11 @@
 # Test VM - exclude from DNS zone generation
 homelab.dns.enable = false;
+ homelab.host = {
+ tier = "test";
+ priority = "low";
+ };
+
 nixpkgs.config.allowUnfree = true;
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/vda";
diff --git a/hosts/vault01/configuration.nix b/hosts/vault01/configuration.nix
index 9aa7fc9..1b1faef 100644
--- a/hosts/vault01/configuration.nix
+++ b/hosts/vault01/configuration.nix
@@ -16,6 +16,8 @@
 homelab.dns.cnames = [ "vault" ];
+ homelab.host.role = "vault";
+
 nixpkgs.config.allowUnfree = true;
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/vda";
diff --git a/hosts/vaulttest01/configuration.nix b/hosts/vaulttest01/configuration.nix
index b315e09..fd2bb57 100644
--- a/hosts/vaulttest01/configuration.nix
+++ b/hosts/vaulttest01/configuration.nix
@@ -39,6 +39,12 @@ in
 ../../common/vm
 ];
+ homelab.host = {
+ tier = "test";
+ priority = "low";
+ role = "vault";
+ };
+
 nixpkgs.config.allowUnfree = true;
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/vda";
diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix
index b945a3d..a803d45 100644
--- a/modules/homelab/default.nix
+++ b/modules/homelab/default.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./dns.nix
+ ./host.nix
 ./monitoring.nix
 ];
 }
diff --git a/modules/homelab/host.nix b/modules/homelab/host.nix
new file mode 100644
index 0000000..226f138
--- /dev/null
+++ b/modules/homelab/host.nix
@@ -0,0 +1,28 @@
+{ lib, ... }:
+{
+ options.homelab.host = {
+ tier = lib.mkOption {
+ type = lib.types.enum [ "test" "prod" ];
+ default = "prod";
+ description = "Deployment tier - controls which credentials can deploy to this host";
+ };
+
+ priority = lib.mkOption {
+ type = lib.types.enum [ "high" "low" ];
+ default = "high";
+ description = "Alerting priority - low priority hosts have relaxed thresholds";
+ };
+
+ role = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ description = "Primary role of this host (dns, database, monitoring, etc.)";
+ };
+
+ labels = lib.mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ default = { };
+ description = "Additional free-form labels (e.g., dns_role = 'primary')";
+ };
+ };
+}
diff --git a/scripts/create-host/templates/configuration.nix.j2 b/scripts/create-host/templates/configuration.nix.j2
index 4135a5e..909d319 100644
--- a/scripts/create-host/templates/configuration.nix.j2
+++ b/scripts/create-host/templates/configuration.nix.j2
@@ -13,6 +13,11 @@
 ../../common/vm
 ];
+ # Host metadata (adjust as needed)
+ homelab.host = {
+ tier = "test"; # Start in test tier, move to prod after validation
+ };
+
 nixpkgs.config.allowUnfree = true;
 boot.loader.grub.enable = true;
 boot.loader.grub.device = "/dev/vda";
diff --git a/system/default.nix b/system/default.nix
index d440db3..7e3c80f 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -12,7 +12,5 @@
 ./sops.nix
 ./sshd.nix
 ./vault-secrets.nix
-
- ../modules/homelab
 ];
 }
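Review bot: `labels` is an unconstrained `attrsOf str`, so a host can set `labels.tier = "test"` or `labels.role = "..."` and, if the Prometheus or deploy consumers merge `labels` over the typed options, silently shadow the very value the `tier` description says gates deploy credentials; the module should reserve those keys. The plan docs updated in this commit also feed these keys into Prometheus target labels, whose names must match `[a-zA-Z_][a-zA-Z0-9_]*`, so a key such as `dns-role` would only fail at scrape-config generation, far from the host that declared it. Both checks fit as module `assertions`, which needs `config` added to the module arguments. Separately, the `tier` option should say why `"prod"` is the default when the new-host template deliberately starts at `"test"`: `# prod by default so a host that forgets to declare its tier is never reachable with test-tier deploy credentials`.
```nix
{ config, lib, ... }:
{
  options.homelab.host = {
    # … unchanged: tier, priority, role, labels options …
  };

  config.assertions =
    let
      keys = builtins.attrNames config.homelab.host.labels;
      reserved = [ "tier" "priority" "role" ];
    in
    [
      {
        assertion = !(builtins.any (k: builtins.elem k reserved) keys);
        message = "homelab.host.labels must not redefine ${lib.concatStringsSep "/" reserved}; set the typed option instead";
      }
      {
        assertion = builtins.all (k: builtins.match "[a-zA-Z_][a-zA-Z0-9_]*" k != null) keys;
        message = "homelab.host.labels keys must be valid Prometheus label names ([a-zA-Z_][a-zA-Z0-9_]*)";
      }
    ];
}
```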
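Review bot: The generated host sets only `tier = "test"` and therefore inherits `priority = "high"` from the module default, while every hand-written test host in this commit (template, template2, testvm01, vaulttest01) pairs `tier = "test"` with `priority = "low"`, so a freshly created host would alert at production priority until someone notices. Add `priority = "low"; # relaxed alerting until this host is promoted to prod` under `tier` in the template so new hosts follow the existing convention, and flip both at the same time when the host is promoted. The surrounding module attrset begins and ends outside the hunk.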