diff --git a/hosts/default.nix b/hosts/default.nix
index 378e990..f0a54d7 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -68,6 +68,8 @@
 self.nixosModules.unlock-zfs-on-boot
 self.nixosModules.core
 self.nixosModules.mail
+ self.nixosModules.prometheus-exporters
+ self.nixosModules.promtail
 self.inputs.simple-nixos-mailserver.nixosModule
 ];
diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix
index c5bcd64..f37f898 100644
--- a/hosts/flora-6/wireguard.nix
+++ b/hosts/flora-6/wireguard.nix
@@ -28,6 +28,16 @@
 "fd00:fae:fae:fae:fae:1::/96"
 ];
 }
+ {
+ # metronom.pub.solar
+ endpoint = "49.13.236.167:51820";
+ publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
+ allowedIPs = [
+ "10.7.6.3/32"
+ "fd00:fae:fae:fae:fae:3::/96"
+ ];
+ persistentKeepalive = 15;
+ }
 ];
 };
 };
diff --git a/modules/prometheus-exporters/default.nix b/modules/prometheus-exporters/default.nix
index 996a771..1c9a474 100644
--- a/modules/prometheus-exporters/default.nix
+++ b/modules/prometheus-exporters/default.nix
@@ -1,5 +1,8 @@
 { config, ... }:
 {
+ # Only expose prometheus exporter port via wireguard interface
+ networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 9002 ];
+
 services.prometheus = {
 exporters = {
 node = {
diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix
index 564d650..62a3795 100644
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@@ -53,6 +53,12 @@
 instance = "nachtigall";
 };
 }
+ {
+ targets = [ "metronom.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" ];
+ labels = {
+ instance = "metronom";
+ };
+ }
 ];
 }
 {
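Review bot: In hosts/flora-6/wireguard.nix the new metronom peer is given `fd00:fae:fae:fae:fae:3::/96` in `allowedIPs`, while its IPv4 entry is a single host (`10.7.6.3/32`). WireGuard accepts any source address inside a peer's allowed ranges, so the /96 lets this key originate traffic from the whole prefix rather than from one address. This matches the existing peer entry just above it, so it may be deliberate. If each host only uses one tunnel address, narrowing the IPv6 entry to that single address (a /128) keeps the peer scoped to what its key is meant to speak for; otherwise a short comment on why the range is needed would help. The peer list starts outside the hunk.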
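Review bot: In modules/prometheus-exporters/default.nix the firewall rule hard-codes `9002`, while the scrape target added in modules/prometheus/default.nix reads the port from `config.services.prometheus.exporters.node.port`. If the exporter port is ever changed, the rule would keep an unused port open on `wg-ssh` and block the real one; `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ config.services.prometheus.exporters.node.port ];` keeps the two tied together. The comment's claim that the port is only exposed via WireGuard also depends on the `node` block, which continues outside the hunk, not setting `openFirewall = true`. That is worth confirming, since hosts/default.nix now imports this module on a further host.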