diff --git a/ansible/roles/forrest/files/prometheus/prometheus.yml b/ansible/roles/forrest/files/prometheus/prometheus.yml
index fe61be2..8ae4290 100644
--- a/ansible/roles/forrest/files/prometheus/prometheus.yml
+++ b/ansible/roles/forrest/files/prometheus/prometheus.yml
@@ -155,3 +155,13 @@ scrape_configs:
 static_configs:
 - targets:
 - speedtest_exporter:9516
+
+ - job_name: headscale
+ metrics_path: /metrics
+ static_configs:
+ - targets:
+ - "{{ nebula.clients.casey.ip }}:9090"
+ metric_relabel_configs:
+ - source_labels: [__name__]
+ regex: go_.+
+ action: drop
diff --git a/ansible/roles/headscale/files/headscale.yml b/ansible/roles/headscale/files/headscale.yml
index b3e6066..4abdb16 100644
--- a/ansible/roles/headscale/files/headscale.yml
+++ b/ansible/roles/headscale/files/headscale.yml
@@ -21,7 +21,7 @@ listen_addr: 127.0.0.1:8416
 # to keep this endpoint private to your internal
 # network
 #
-metrics_listen_addr: 127.0.0.1:9090
+metrics_listen_addr: "{{ private_ip }}:9090"
 
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
diff --git a/ansible/roles/ingress/files/nftables.conf b/ansible/roles/ingress/files/nftables.conf
index c7d340f..bc5119f 100644
--- a/ansible/roles/ingress/files/nftables.conf
+++ b/ansible/roles/ingress/files/nftables.conf
@@ -36,5 +36,8 @@ table inet filter {
 # Allow traffic from nebula to proxmox network
 ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept
 ip saddr {{ pve_hosts.internal_cidr }} ip daddr {{ nebula.cidr }} ct state related,established accept
+
+ # Allow monitoring of nebula network
+ ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept
 }
 }
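Review bot: The new scrape target `"{{ nebula.clients.casey.ip }}:9090"` only works if the headscale host binds its metrics listener to that same address, yet the headscale hunk in this commit binds to a different variable, `"{{ private_ip }}:9090"`; unless those two resolve to the same value on casey, the job will sit DOWN with nothing in either file explaining the dependency. A comment above the target, `# must match metrics_listen_addr in roles/headscale (casey's private_ip)`, would make the coupling visible to whoever next changes either variable. `metrics_path: /metrics` is Prometheus' default and can be dropped for consistency with the other jobs in this file, which (judging by the speedtest_exporter context lines) do not set it. The `scrape_configs` list starts well outside the hunk.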
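Review bot: Moving `metrics_listen_addr` off loopback to `"{{ private_ip }}:9090"` exposes headscale's unauthenticated /metrics endpoint to every host that can reach that address, which is exactly what the comment three lines above warns against; the nftables change in this commit only filters on the ingress host, so anything already inside the nebula network or on the headscale host's own segment is not covered by it. If the headscale host runs its own host firewall, this commit should add the matching rule there allowing only `{{ pve_hosts.forrest.ip }}` to tcp/9090, and the file should record the decision, e.g. `# exposed on the private address so forrest can scrape it; reachability is restricted by the host and ingress firewalls`. The quoting of the templated value is correct, since an unquoted `{{` would be read as a flow mapping before the template engine sees it.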
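Review bot: The new rule `ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} accept` lets forrest reach every port on every nebula host, while the comment above it states the intent is monitoring; narrowing it to `ip saddr {{ pve_hosts.forrest.ip }}/32 ip daddr {{ nebula.cidr }} tcp dport 9090 accept` keeps the rule as tight as its purpose, and a set can be used later if more exporters are added. The reverse path is not in this hunk: the existing `ip saddr {{ nebula.cidr }} ip daddr {{ pve_hosts.internal_cidr }} accept` line covers scrape replies only if forrest.ip lies within `pve_hosts.internal_cidr`, which I cannot confirm from the diff, so check that an established/related rule matches the return traffic. The enclosing `table inet filter` block begins before the hunk.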