diff --git a/modules/nixos/monitoring/source/promtail.nix b/modules/nixos/monitoring/source/promtail.nix
index b4062ea9..40b8138a 100644
--- a/modules/nixos/monitoring/source/promtail.nix
+++ b/modules/nixos/monitoring/source/promtail.nix
@@ -3,8 +3,9 @@
 lib,
 ...
 }: let
- inherit (builtins) toJSON toString;
+ inherit (builtins) toString;
 inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf;
 inherit (lib.types) port;
 cfg = config.services.promtail;
 in {
@@ -20,4 +21,7 @@ in {
 "--server.http-listen-port=${toString cfg.settings.httpListenPort}"
 ];
 };
+ config.networking.firewall.interfaces.lan = mkIf cfg.enable {
+ allowedTCPPorts = [ cfg.settings.httpListenPort ];
+ };
 }
diff --git a/nixos/monitoring.nix b/nixos/monitoring.nix
index bc93ae3a..1c3734e2 100644
--- a/nixos/monitoring.nix
+++ b/nixos/monitoring.nix
@@ -1,7 +1,19 @@
-_: {
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.modules) mkIf mkMerge;
+ inherit (config.services) grafana loki prometheus;
+in {
 services = {
 grafana.enable = true;
 loki.enable = true;
 prometheus.enable = true;
 };
+ networking.firewall.interfaces.lan.allowedTCPPorts = mkMerge [
+ (mkIf grafana.enable [ grafana.port ])
+ (mkIf loki.enable [ loki.settings.httpListenPort loki.settings.grpcListenPort ])
+ (mkIf prometheus.enable [ prometheus.port ])
+ ];
 }
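Review bot: The added `config.networking.firewall.interfaces.lan` block in promtail.nix opens promtail's HTTP port on every host that enables the service, with no opt-out and with the interface name `lan` hard-coded in a shared module. Promtail's HTTP server is, as far as I know, unauthenticated by default, so its metrics and status endpoints become readable by any LAN host; on a machine with no interface named `lan` the rule presumably matches nothing and fails silently. I would follow the usual NixOS `openFirewall` convention: declare a boolean option defaulting to `false` next to the existing port option (`mkOption` is already inherited) and gate the rule with `mkIf (cfg.enable && cfg.openFirewall) { ... }`, where `openFirewall` is the proposed new option. The options block starts outside this hunk, so where that declaration belongs is not visible here.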
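Review bot: The `mkMerge` list added at the end of nixos/monitoring.nix exposes Loki's HTTP and gRPC ports and the Prometheus port to every host on `lan`, and neither service authenticates requests unless that is configured elsewhere (not visible in this diff). With those ports open, any LAN host can presumably push or query logs through Loki's HTTP API and run queries against Prometheus. The gRPC port is normally used between Loki components rather than by log shippers, so unless another node needs it the entry can shrink to `(mkIf loki.enable [ loki.settings.httpListenPort ])`. For the ports that remain, consider restricting by source address or putting an authenticating reverse proxy in front, and add a short comment naming which clients need each port so the exposure is easy to audit.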