diff --git a/nixos/default.nix b/nixos/default.nix
index 85325f4..7dca1d6 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -95,6 +95,8 @@
 };
 };
+ networking.firewall.allowedTCPPorts = [ 9002 ];
+
 users.users.${primaryUser} = {
 home = "/home/${primaryUser}";
 shell = pkgs.fish;
diff --git a/nixos/roles/monitoring.nix b/nixos/roles/monitoring.nix
index 092cf4e..20c5ac3 100644
--- a/nixos/roles/monitoring.nix
+++ b/nixos/roles/monitoring.nix
@@ -1,22 +1,41 @@
 { config, ... }:
+let
+ serverIP = builtins.head (
+ builtins.match "([0-9.]+)/.*" config.systemd.network.networks."10-ethernet".networkConfig.Address
+ );
+in
 {
 services = {
 grafana = {
 enable = true;
- domain = "grafana.cyperpunk.de";
- port = 2342;
- addr = "127.0.0.1";
- settings.security.secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}";
+ settings = {
+ server = {
+ domain = serverIP; # "grafana.cyperpunk.de";
+ http_port = 2342;
+ http_addr = "127.0.0.1";
+ serve_from_sub_path = false;
+ };
+ security = {
+ secret_key = "$__file{${config.sops.secrets.grafana_secret_key.path}}";
+ allow_embedding = true;
+ };
+ auth = {
+ disable_login_form = false;
+ };
+ };
 };
 # nginx reverse proxy
- nginx.virtualHosts.${config.services.grafana.domain} = {
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
- proxyWebsockets = true;
- extraConfig = ''
- proxy_set_header Host ${config.services.grafana.domain};
- '';
+ nginx = {
+ enable = true;
+ virtualHosts.${config.services.grafana.settings.server.domain} = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host ${config.services.grafana.settings.server.domain};
+ '';
+ };
 };
 };
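Review bot: The added `networking.firewall.allowedTCPPorts = [ 9002 ];` in nixos/default.nix opens the port on every interface of every host that imports this file, and nothing in the hunk limits who may connect. If 9002 is the node exporter port (that setting is not in the diff; this is inferred from the scrape targets in roles/monitoring.nix), the exporter serves host metrics without authentication and only the Prometheus server needs to reach it. Consider scoping the rule to the LAN interface, `networking.firewall.interfaces."LAN_IFACE".allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];` (LAN_IFACE is a placeholder), which also removes the hard-coded number. A one-line comment naming the service behind the port would help the next reader. The enclosing attribute set starts and ends outside the hunk.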
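Review bot: `allow_embedding = true;` under `settings.security` makes Grafana stop sending `X-Frame-Options: deny`, so any page can frame the login form and dashboards, and nothing in this hunk shows an embedding use case. Drop the line to keep the default, or add a comment saying which page embeds Grafana. Separately, the virtual host is now keyed on the bare IP and the hunk shows no `forceSSL`/`enableACME`, so with port 80 open further down the login form would be submitted in clear text on the LAN; worth confirming that is intended. `builtins.match` returns null when `Address` is not a single IPv4 `addr/prefix` string, and `builtins.head` on null then aborts evaluation with an unhelpful message, so a short comment on `serverIP` stating that assumption would be enough.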
@@ -28,9 +47,15 @@
 job_name = config.networking.hostName;
 static_configs = [
 {
- targets = [
- "${config.networking.primaryIPAddress}:${toString config.services.prometheus.exporters.node.port}"
- ];
+ targets = [ "${serverIP}:${toString config.services.prometheus.exporters.node.port}" ];
+ }
+ ];
+ }
+ {
+ job_name = "cyper-desktop";
+ static_configs = [
+ {
+ targets = [ "192.168.2.40:${toString config.services.prometheus.exporters.node.port}" ];
 }
 ];
 }
@@ -38,5 +63,8 @@
 };
 };
- networking.firewall.allowedTCPPorts = [ 80 ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 9001
+ ];
 }
diff --git a/nixos/sops.nix b/nixos/sops.nix
index e62ce7f..c4fd0e5 100644
--- a/nixos/sops.nix
+++ b/nixos/sops.nix
@@ -4,6 +4,10 @@
 defaultSopsFile = ../secrets/secrets.yaml;
 defaultSopsFormat = "yaml";
 age.keyFile = "/home/${primaryUser}/.config/nix/secrets/keys.txt";
- grafana_secret_key = { };
+ secrets = {
+ grafana_secret_key = {
+ owner = "grafana";
+ };
+ };
 };
 }
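Review bot: The new `cyper-desktop` job hard-codes `192.168.2.40` and takes the port from this host's own `config.services.prometheus.exporters.node.port`, which is only right while the desktop's exporter listens on the same port. A `let` binding such as `desktopIP = "192.168.2.40";` next to `serverIP`, with a comment that both hosts are expected to share the exporter port, would make that dependency visible. The scrape list itself starts outside the hunk.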
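Review bot: Adding `9001` to `allowedTCPPorts` exposes what is presumably the Prometheus web port (its `port` setting is outside the hunk) to the network, and Prometheus has no authentication on its UI or query API by default. Grafana runs on the same host and can reach Prometheus over loopback, so the rule looks unnecessary; I would keep `networking.firewall.allowedTCPPorts = [ 80 ];` and, if the listen address is not already restricted, set `services.prometheus.listenAddress = "127.0.0.1";`. If remote access to Prometheus is wanted, put it behind the nginx virtual host with access control rather than opening the port directly.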
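Review bot: `owner = "grafana";` is declared in nixos/sops.nix, which looks like a shared module (it sits beside default.nix and uses `primaryUser`), so on a host without the Grafana service the `grafana` user may not exist and secret installation could fail at activation; this is inferred, since the import graph is not in the diff. Declaring it in roles/monitoring.nix as `sops.secrets.grafana_secret_key.owner = config.users.users.grafana.name;` keeps the secret with its consumer and makes evaluation fail early if the user is missing. Adding `restartUnits = [ "grafana.service" ];` would also make a rotated key take effect without a manual restart.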