diff --git a/newinfra/nix/hive.nix b/newinfra/nix/hive.nix
index 1348555..232b5e1 100644
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@@ -21,7 +21,9 @@
 };
 dns2 = {
 publicIPv4 = "128.140.3.7";
- publicIPv6 = "2a01:4f8:c2c:d616::";
+ # somehow this doesnt quite work yet, keep it out of DNS records
+ #publicIPv6 = "2a01:4f8:c2c:d616::";
+ publicIPv6 = null;
 };
 vps1 = {
 publicIPv4 = "161.97.165.1";
@@ -43,7 +45,9 @@
 };
 vps4 = {
 publicIPv4 = "195.201.147.17";
- publicIPv6 = "2a01:4f8:1c1c:cb18::";
+ # somehow this doesnt quite work yet, keep it out of DNS records
+ #publicIPv6 = "2a01:4f8:1c1c:cb18::1";
+ publicIPv6 = null;
 wg = {
 privateIP = "10.0.0.4";
 publicKey = "+n2XKKaSFdCanEGRd41cvnuwJ0URY0HsnpBl6ZrSBRs=";
@@ -163,6 +167,7 @@
 ./modules/wg-mesh
 ./modules/ingress
 ./modules/garage
+ ./modules/prometheus
 ];
 deployment.tags = [ "eu" "apps" "wg" ];
diff --git a/newinfra/nix/modules/default/default.nix b/newinfra/nix/modules/default/default.nix
index 3a5980a..99973ec 100644
--- a/newinfra/nix/modules/default/default.nix
+++ b/newinfra/nix/modules/default/default.nix
@@ -21,6 +21,13 @@
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
+ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9100 ];
+ services.prometheus.exporters = {
+ node = {
+ enable = true;
+ };
+ };
+
 services.openssh = {
 enable = true;
 openFirewall = true;
diff --git a/newinfra/nix/modules/ingress/base.Caddyfile b/newinfra/nix/modules/ingress/base.Caddyfile
index e429899..7ff7ce4 100644
--- a/newinfra/nix/modules/ingress/base.Caddyfile
+++ b/newinfra/nix/modules/ingress/base.Caddyfile
@@ -10,8 +10,17 @@
 insecure true
 }
+
+ servers {
+ metrics
+ }
 }
 http:// {
 respond "This is an HTTPS-only server, silly you. Go to https:// instead." 418
 }
+
+# HTTP
+:9010 {
+ metrics /metrics
+}
diff --git a/newinfra/nix/modules/ingress/default.nix b/newinfra/nix/modules/ingress/default.nix
index ea925d1..38e02eb 100644
--- a/newinfra/nix/modules/ingress/default.nix
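Review bot: The two commented-out addresses no longer agree: dns2 keeps `2a01:4f8:c2c:d616::` while the vps4 line in the second hunk was changed to `2a01:4f8:1c1c:cb18::1`, and an address whose interface identifier is all zeros (the `::` form) is the subnet-router anycast address of that prefix rather than a usable unicast host address — that may well be why it "doesn't quite work", but it cannot be confirmed from this diff. The comment should name the actual problem instead of "somehow", e.g. `# IPv6 not published in DNS yet: the ::-suffixed address is the prefix's anycast address; a real host address (::1) still has to be configured and verified`, in both hunks. Whatever builds DNS records from `publicIPv6` now receives `null`; that consumer is outside this diff, so check it tolerates the value rather than emitting an empty AAAA record.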
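Review bot: The node exporter is enabled with the NixOS default listen address, which is all interfaces, so the only thing keeping `:9100` off the public addresses is the firewall line directly above it, which opens the port on wg0 only; that is a reasonable design but nothing in the module says so. A comment such as `# node exporter binds all interfaces; the wg0-only firewall rule above is what keeps it mesh-internal` would make the dependency explicit. Because this lives in the default module, hosts that are not in the Prometheus scrape list (dns2, for example) also get the exporter — harmless, but presumably unintended, and worth a word. The ingress module also assigns `networking.firewall.interfaces.wg0.allowedTCPPorts`; since that option is a list, the two definitions merge rather than conflict.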
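Review bot: The new `:9010 { metrics /metrics }` site has no hostname, so Caddy serves it over plain HTTP on every address; nothing in the Caddyfile limits who can reach it, and the wg0-only firewall rule in ingress/default.nix is the sole control. The `# HTTP` comment should say that: `# plain-HTTP Prometheus metrics; reachable only over wg0 (ingress/default.nix opens 9010 there and nowhere else)`. If the mesh address were available to this static file, a `bind` on that address would stop relying on the firewall alone, but that needs a per-host value the base Caddyfile does not have. The global-options block that receives `servers { metrics }` starts before this hunk.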
+++ b/newinfra/nix/modules/ingress/default.nix
@@ -15,6 +15,8 @@ in {
 environment.systemPackages = [ caddy ];
+ networking.firewall.interfaces.wg0.allowedTCPPorts = [ 9010 ]; # metrics
+
 networking.firewall = {
 allowedTCPPorts = [
 80 # HTTP
@@ -54,7 +56,7 @@ in
 if name == "vps1" || name == "vps3" || name == "vps4" then ''
 noratrieb.dev {
 encode zstd gzip
- header -Last-Modified
+ header -Last-Modified2a01:4f8:1c1c:cb18::
 root * ${import ./caddy-static-prepare {
 name = "website";
 src = website { inherit pkgs slides blog; };
diff --git a/newinfra/nix/modules/prometheus/default.nix b/newinfra/nix/modules/prometheus/default.nix
new file mode 100644
index 0000000..0fecef1
--- /dev/null
+++ b/newinfra/nix/modules/prometheus/default.nix
@@ -0,0 +1,32 @@
+{ ... }: {
+ services.prometheus = {
+ enable = true;
+ globalConfig = { };
+ scrapeConfigs = [
+ {
+ job_name = "prometheus";
+ static_configs = [
+ { targets = [ "localhost:9090" ]; }
+ ];
+ }
+ {
+ job_name = "node";
+ static_configs = [
+ { targets = [ "vps1.local:9100" ]; }
+ { targets = [ "vps3.local:9100" ]; }
+ { targets = [ "vps4.local:9100" ]; }
+ { targets = [ "vps5.local:9100" ]; }
+ ];
+ }
+ {
+ job_name = "caddy";
+ static_configs = [
+ { targets = [ "vps1.local:9010" ]; }
+ { targets = [ "vps3.local:9010" ]; }
+ { targets = [ "vps4.local:9010" ]; }
+ { targets = [ "vps5.local:9010" ]; }
+ ];
+ }
+ ];
+ };
+}
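Review bot: The `header` line in the second hunk has an IPv6 address pasted onto it: `header -Last-Modified2a01:4f8:1c1c:cb18::` (it is the vps4 address from hive.nix). As written the directive either fails Caddyfile parsing or, if accepted, removes a header that never exists, so `Last-Modified` would be sent again on vps1/vps3/vps4; restore it to `header -Last-Modified`. The `if name == ...` template this line belongs to continues past the hunk.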
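Review bot: `services.prometheus` is enabled without `listenAddress`, so in NixOS it listens on 0.0.0.0:9090; this diff opens only 9100 and 9010 on wg0, so the unauthenticated Prometheus UI is reachable only from the host itself unless the firewall is disabled elsewhere — worth pinning with `listenAddress = "127.0.0.1";` or a comment, so that a later firewall change does not expose it by accident. The scrape targets are `vpsN.local` names, which must resolve to the wg-mesh addresses for the wg0-only firewall rules on the targets to admit the scrape; `.local` is also the mDNS zone, so if these names come from /etc/hosts or the wg-mesh module a comment like `# *.local resolve to the wg mesh addresses; 9100/9010 are opened on wg0 only` would save the next reader the lookup. Hosts that receive the node exporter from the default module but are not listed here (dns2, for instance) are presumably off the mesh; saying so here would make the omission look deliberate.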