diff --git a/services/monitoring/pyroscope/default.nix b/services/monitoring/pyroscope/default.nix
index 3ed665f..84aa40d 100644
--- a/services/monitoring/pyroscope/default.nix
+++ b/services/monitoring/pyroscope/default.nix
@@ -2,6 +2,7 @@
 let
   inherit (lib) mkEnableOption mkIf;
   cfg = config.bagel.services.pyroscope;
+  pyroscopePort = config.services.pyroscope.settings.server.http_listen_port;
 in
 {
   options.bagel.services.pyroscope = {
@@ -15,6 +16,21 @@ in
 
   config = mkIf cfg.enable {
     age.secrets.pyroscope-secrets.file = ../../../secrets/pyroscope-secrets.age;
+    services.nginx = {
+      upstreams.pyroscope = {
+        servers."127.0.0.1:${toString pyroscopePort}" = {};
+        extraConfig = "keepalive 16;";
+      };
+
+      virtualHosts."pyroscope.forkos.org" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/api/v1/push" = {
+          proxyPass = "http://pyroscope";
+          basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
+        };
+      };
+    };
     services.pyroscope = {
       enable = true;
       secretFile = config.age.secrets.pyroscope-secrets.path;
@@ -37,6 +53,7 @@ in
           };
         };
         server = {
+          http_listen_port = 4040;
           grpc_listen_port = 9097;
           grpc_server_max_recv_msg_size = 104857600;
           grpc_server_max_send_msg_size = 104857600;