diff --git a/modules/system/exports/home-assistant.nix b/modules/system/exports/home-assistant.nix
index d56b311e..84b1eca2 100644
--- a/modules/system/exports/home-assistant.nix
+++ b/modules/system/exports/home-assistant.nix
@@ -29,6 +29,7 @@ in {
 in {
 id = mkAlmostOptionDefault "home";
 displayName = mkAlmostOptionDefault "Home Assistant";
+ prometheus.exporter.metricsPath = "/api/prometheus";
 nixos = {
 serviceAttr = "home-assistant";
 assertions = mkIf config.enable [
@@ -42,6 +43,7 @@ in {
 port = mkAlmostOptionDefault 8123;
 protocol = "http";
 status.enable = true;
+ prometheus.exporter.enable = mkAlmostOptionDefault true;
 };
 homekit0 = {
 port = mkAlmostOptionDefault 21063;
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
index 21401ab8..59170ee2 100644
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@@ -80,6 +80,10 @@ in {
 websocket.enable = true;
 };
 };
+ "/api/prometheus" = {
+ local.denyGlobal = true;
+ proxy.enable = true;
+ };
 };
 in {
 home-assistant = {...}: {
diff --git a/nixos/home-assistant.nix b/nixos/home-assistant.nix
index 4920fa30..cac8bdf5 100644
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@@ -165,7 +165,9 @@ in {
 password = "!secret mpd-shanghai-password";
 }
 ];
- prometheus = {};
+ prometheus = {
+ requires_auth = mkDefault false;
+ };
 wake_on_lan = {};
 };
 grocy.enable = true;
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index 097fbb9c..0b6bba26 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
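Review bot: The new `"/api/prometheus"` location in nixos/access/home-assistant.nix makes `local.denyGlobal = true` the only barrier in front of an endpoint that this commit also serves without a token, and nothing in the hunk shows how that option decides a client is local. systems/tei/nixos.nix sets this virtual host to `proxied.enable = "cloudflared"`, so if the decision is based on the connecting address, tunnelled requests may reach nginx from the local tunnel daemon and be treated as local; it is worth confirming that the option accounts for the proxied case. A comment above the location would record the dependency, e.g. `# served without a token (prometheus.requires_auth = false); this rule is the only access control on the metrics path`. The enclosing attribute set starts and ends outside the hunk.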
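Review bot: `requires_auth = mkDefault false` in nixos/home-assistant.nix switches off token authentication for the metrics endpoint in the shared module, while the nginx restriction for `/api/prometheus` lives in nixos/access/home-assistant.nix, which systems/tei/nixos.nix imports only conditionally. A host that uses this module without the access module would presumably serve entity metrics to anything that can reach Home Assistant's own port (8123 by default in modules/system/exports/home-assistant.nix), and even with the access module the nginx rule does not cover direct connections to that port. Keeping the authenticated default here, `prometheus = {};`, and setting `services.home-assistant.config.prometheus.requires_auth = false;` in systems/tei/nixos.nix next to `hassOpenMetrics` would make the open endpoint an explicit per-host opt-in.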
@@ -20,7 +20,7 @@ in {
 (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
 (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
 (
- if home-assistant.reverseProxy.auth.enable
+ if nginx.virtualHosts.home-assistant.proxied.enable or false != false
 then (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
 else {
 ${home-assistant.domain} = assert home-assistant.enable && home-assistant.reverseProxy.enable; {
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 098948b4..9c18c5d5 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@@ -6,6 +6,7 @@
 }: let
 inherit (lib.modules) mkIf;
 inherit (lib.lists) optional;
+ hassOpenMetrics = true;
 hassVouchAuth = false;
 hassVouch = false;
 in {
@@ -29,7 +30,7 @@ in {
 nixos.barcodebuddy
 ./cloudflared.nix
 ]
- ++ optional hassVouchAuth nixos.access.home-assistant;
+ ++ optional (hassVouchAuth || hassOpenMetrics) nixos.access.home-assistant;
 services.nginx = {
 proxied.enable = true;
@@ -37,7 +38,7 @@ in {
 zigbee2mqtt.proxied.enable = "cloudflared";
 grocy.proxied.enable = "cloudflared";
 barcodebuddy.proxied.enable = "cloudflared";
- home-assistant = mkIf hassVouchAuth {
+ home-assistant = mkIf (hassVouchAuth || hassOpenMetrics) {
 proxied.enable = "cloudflared";
 vouch.enable = mkIf hassVouch true;
 };
@@ -47,6 +48,15 @@ in {
 reverseProxy.auth.enable = true;
 };
+ assertions = let
+ inherit (config.services) home-assistant;
+ in [
+ (mkIf home-assistant.enable {
+ assertion = hassOpenMetrics != home-assistant.config.prometheus.requires_auth or true;
+ message = "home-assistant.config.prometheus.requires_auth set incorrectly";
+ })
+ ];
+
 sops.defaultSopsFile = ./secrets.yaml;
 system.stateVersion = "23.11";
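Review bot: The `else` branch of the changed conditional in systems/tei/cloudflared.nix appears to publish `${home-assistant.domain}` without going through the nginx virtual host, so the `/api/prometheus` restriction from nixos/access/home-assistant.nix would not apply on that path while `prometheus.requires_auth` now defaults to false. The existing `assert home-assistant.enable && home-assistant.reverseProxy.enable;` could also require authenticated metrics there, e.g. `assert home-assistant.config.prometheus.requires_auth or true;`, assuming `home-assistant` is bound to `config.services.home-assistant` as it is in systems/tei/nixos.nix. Separately, the new condition parses as `(nginx.virtualHosts.home-assistant.proxied.enable or false) != false` because `or` belongs to the attribute selection; writing the parentheses would make that explicit. The else branch continues outside the hunk.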
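Review bot: The assertion message in the last hunk of systems/tei/nixos.nix, `home-assistant.config.prometheus.requires_auth set incorrectly`, does not say which value is expected or why, although this assertion is the only check tying the unauthenticated metrics endpoint to the nginx restriction that `hassOpenMetrics` enables. A message that names the expected value would make a failed build actionable, e.g. `message = "prometheus.requires_auth must be ${lib.boolToString (!hassOpenMetrics)}: metrics may be unauthenticated only while the /api/prometheus nginx rule is enabled via hassOpenMetrics";`. A one-line comment on `hassOpenMetrics = true;` in the first hunk, stating that it exposes metrics without a token behind that rule, would help the next reader of the let block.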