diff --git a/secrets/loki-htpasswd.age b/secrets/metrics-push-htpasswd.age
similarity index 100%
rename from secrets/loki-htpasswd.age
rename to secrets/metrics-push-htpasswd.age
diff --git a/secrets/promtail-password.age b/secrets/metrics-push-password.age
similarity index 100%
rename from secrets/promtail-password.age
rename to secrets/metrics-push-password.age
diff --git a/services/monitoring/lgtm/loki.nix b/services/monitoring/lgtm/loki.nix
index d862046..8168abd 100644
--- a/services/monitoring/lgtm/loki.nix
+++ b/services/monitoring/lgtm/loki.nix
@@ -12,8 +12,8 @@ in
 
   config = mkIf cfg.enable {
     age.secrets = {
-      loki-htpasswd = {
-        file = ../../../secrets/loki-htpasswd.age;
+      metrics-push-htpasswd = {
+        file = ../../../secrets/metrics-push-htpasswd.age;
         owner = "nginx";
       };
       loki-environment.file = ../../../secrets/loki-environment.age;
@@ -93,7 +93,7 @@ in
       forceSSL = true;
       locations."/loki/api/v1/push" = {
         proxyPass = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}";
-        basicAuthFile = config.age.secrets.loki-htpasswd.path;
+        basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
       };
     };
   };
diff --git a/services/monitoring/lgtm/prometheus.nix b/services/monitoring/lgtm/prometheus.nix
index ca07352..54667ce 100644
--- a/services/monitoring/lgtm/prometheus.nix
+++ b/services/monitoring/lgtm/prometheus.nix
@@ -34,7 +34,13 @@ in
   options.bagel.services.prometheus.enable = mkEnableOption "Prometheus scraper";
 
   config = mkIf cfg.enable {
-    age.secrets.mimir-environment.file = ../../../secrets/mimir-environment.age;
+    age.secrets = {
+      metrics-push-htpasswd = {
+        file = ../../../secrets/metrics-push-htpasswd.age;
+        owner = "nginx";
+      };
+      mimir-environment.file = ../../../secrets/mimir-environment.age;
+    };
 
     services.prometheus = {
       enable = true;
@@ -109,8 +115,9 @@ in
     services.nginx.virtualHosts."mimir.forkos.org" = {
       enableACME = true;
       forceSSL = true;
-      locations."/" = {
+      locations."/api/v1/push" = {
         proxyPass = "http://localhost:${toString mimirPort}";
+        basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
       };
     };
   };
diff --git a/services/monitoring/promtail.nix b/services/monitoring/promtail.nix
index fe30173..c5e9c71 100644
--- a/services/monitoring/promtail.nix
+++ b/services/monitoring/promtail.nix
@@ -12,7 +12,7 @@ in
 
   config = mkIf cfg.enable {
     age.secrets.promtail-password = {
-      file = ../../secrets/promtail-password.age;
+      file = ../../secrets/metrics-push-password.age;
       owner = "promtail";
     };