diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index d7efd4c7d3f92d0120444374aa5250d68d4764a8..1306c37fe363478b7110146d25dc1e7ea590d3e2 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -183,6 +183,17 @@ in {
           proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
           proxyWebsockets = true;
         };
+        locations."/metrics" = {
+          # Only allow our monitoringvpn subnet
+          # And localhost since we're the monitoring server currently
+          extraConfig = ''
+            allow 172.23.23.0/24;
+            allow 127.0.0.1;
+            allow ::1;
+            deny all;
+          '';
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+        };
       };
     };