diff --git a/lib/presets/track-service-metrics.nix b/lib/presets/track-service-metrics.nix
index 5cc8ed9..b73a6d1 100644
--- a/lib/presets/track-service-metrics.nix
+++ b/lib/presets/track-service-metrics.nix
@@ -1,4 +1,4 @@
-{
+listenAddress: {
 	systemd.extraConfig = ''
 		DefaultCPUAccounting=yes
 		DefaultIOAccounting=yes
@@ -11,13 +11,13 @@
 	services.cadvisor = {
 		enable = true;
 		port = 9333;
-		listenAddress = "0.0.0.0";
+		listenAddress = listenAddress;
 		storageDriver = "stdout";
 	};
 
 	virtualisation.docker.enable = false;
 
 	networking.firewall.allowedTCPPorts = [
-		9333
+		/* 9333 */
 	];
 }
diff --git a/networks/default.nix b/networks/default.nix
index 1272667..ebb40dd 100644
--- a/networks/default.nix
+++ b/networks/default.nix
@@ -8,7 +8,7 @@ in {
 	workbot = {config, lib, pkgs, ...}@args:
 		{
 			imports = [
-				(import ../lib/presets/track-service-metrics.nix)
+				(import ../lib/presets/track-service-metrics.nix "127.0.0.1")
 				(vpnConfiguration "workbot")
 			];
 
@@ -121,14 +121,14 @@ in {
 							static_configs = [{
 								targets = [
 									"localhost:9100"
-									"${hosts.osmium.ipv4}:9100"
-									"${hosts.nijaxor.ipv4}:9100"
+									"${hosts.osmium.internalIpv4}:9100"
+									"${hosts.nijaxor.internalIpv4}:9100"
 								];
 							}];
 							relabel_configs = [
 								(nameInstance "localhost:9100" "workbot")
-								(nameInstance "${hosts.osmium.ipv4}:9100" "osmium")
-								(nameInstance "${hosts.nijaxor.ipv4}:9100" "nijaxor")
+								(nameInstance "${hosts.osmium.internalIpv4}:9100" "osmium")
+								(nameInstance "${hosts.nijaxor.internalIpv4}:9100" "nijaxor")
 							];
 						} {
 							job_name = "systemd";
@@ -136,14 +136,14 @@ in {
 							static_configs = [{
 								targets = [
 									"localhost:9333"
-									"${hosts.osmium.ipv4}:9333"
-									"${hosts.nijaxor.ipv4}:9333"
+									"${hosts.osmium.internalIpv4}:9333"
+									"${hosts.nijaxor.internalIpv4}:9333"
 								];
 							}];
 							relabel_configs = [
 								(nameInstance "localhost:9333" "workbot")
-								(nameInstance "${hosts.osmium.ipv4}:9333" "osmium")
-								(nameInstance "${hosts.nijaxor.ipv4}:9333" "nijaxor")
+								(nameInstance "${hosts.osmium.internalIpv4}:9333" "osmium")
+								(nameInstance "${hosts.nijaxor.internalIpv4}:9333" "nijaxor")
 							];
 						}
 					];
@@ -151,6 +151,7 @@ in {
 					exporters = {
 						node = {
 							enable = true;
+							listenAddress = "127.0.0.1";
 							enabledCollectors = [
 								"systemd"
 							];
@@ -183,7 +184,7 @@ in {
 						rev = "d7a09deda0916fa99920156e928d281a5bd3d97a";
 						sha256 = "08xjcwmbzdmkzbz1al3vkryiix1y2zqc8yv4lsrw21dz0c5zl726";
 					})
-					(import ../lib/presets/track-service-metrics.nix)
+					(import ../lib/presets/track-service-metrics.nix hosts.osmium.internalIpv4)
 					(import ../lib/presets/low-ram-nix.nix)
 					(vpnConfiguration "osmium")
 				];
@@ -214,7 +215,7 @@ in {
 					networking.firewall.allowedTCPPorts = [
 						80
 						443
-						9100 # Prometheus node exporter
+						/* 9100 # Prometheus node exporter */
 					];
 
 					environment.systemPackages = with pkgs; [
@@ -224,6 +225,7 @@ in {
 					services.prometheus.exporters = {
 						node = {
 							enable = true;
+							listenAddress = hosts.osmium.internalIpv4;
 							enabledCollectors = [
 								"systemd"
 							];
@@ -247,18 +249,19 @@ in {
 		{
 			imports = [
 				(import ../lib/presets/low-ram-nix.nix)
-				(import ../lib/presets/track-service-metrics.nix)
+				(import ../lib/presets/track-service-metrics.nix hosts.nijaxor.internalIpv4)
 				(vpnConfiguration "nijaxor")
 			];
 
 			config = {
 				networking.firewall.allowedTCPPorts = [
-					9100 # Prometheus node exporter
+					/* 9100 # Prometheus node exporter */
 				];
 
 				services.prometheus.exporters = {
 					node = {
 						enable = true;
+						listenAddress = hosts.nijaxor.internalIpv4;
 						enabledCollectors = [
 							"systemd"
 						];