diff --git a/nix/modules/monitoring/default.nix b/nix/modules/monitoring/default.nix
index 2c8cf97..dd0d4a6 100644
--- a/nix/modules/monitoring/default.nix
+++ b/nix/modules/monitoring/default.nix
@@ -1,6 +1,7 @@
 { lib, pkgs, nixpkgs-unstable, config, machines, ... }:
 let
   cfg = config.lab.monitoring;
+  gatusPort = 8080;
 in
 {
   imports = [
@@ -24,10 +25,11 @@ in
 
   config = lib.mkIf cfg.enable {
     networking.firewall.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ]
-      ++ lib.lists.optionals cfg.server.enable [ config.services.prometheus.port ];
+      ++ lib.lists.optionals cfg.server.enable [ 80 ];
 
     services.prometheus = {
       enable = cfg.server.enable;
+      webExternalUrl = "/prometheus";
 
       exporters = {
         node = {
@@ -39,6 +41,7 @@ in
         lib.attrsets.mapAttrsToList
           (name: machine:
             let
+              # TODO: should finally create my own lib...
               domain = if machine.isPhysical then "hyp" else "dmz";
             in
             {
@@ -54,10 +57,9 @@ in
     services.gatus = lib.mkIf cfg.server.enable {
       enable = true;
       package = pkgs.unstable.gatus;
-      openFirewall = true;
 
       settings = {
-        web.port = 4242;
+        web.port = gatusPort;
 
         storage = {
           type = "sqlite";
@@ -87,5 +89,23 @@ in
         chown gatus:gatus /srv/gatus
       '';
     };
+
+    services.nginx = lib.mkIf cfg.server.enable {
+      enable = true;
+
+      virtualHosts."${config.networking.fqdn}" = {
+        locations = {
+          "/" = {
+            proxyPass = "http://127.0.0.1:${toString gatusPort}";
+            recommendedProxySettings = true;
+          };
+
+          "/prometheus/" = {
+            proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
+            recommendedProxySettings = true;
+          };
+        };
+      };
+    };
   };
 }