diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index 4f0c8b8..d1190d6 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -162,6 +162,7 @@
 zones = {
 "irc.jakstys.lt".accountKey = accountKey;
 "hdd.jakstys.lt".accountKey = accountKey;
+ "grafana.jakstys.lt".accountKey = accountKey;
 "bitwarden.jakstys.lt".accountKey = accountKey;
 };
 };
@@ -232,10 +233,11 @@
 abort @denied
 reverse_proxy ${fwminex-jakst}:${toString myData.ports.hass}
 '';
- "grafana.jakstys.lt:80".extraConfig = ''
- @denied not remote_ip ${myData.subnets.tailscale.cidr}
- abort @denied
- reverse_proxy ${fwminex-jakst}:${toString myData.ports.grafana}
+ "grafana.jakstys.lt".extraConfig = ''
+ @denied not remote_ip ${myData.subnets.tailscale.cidr}
+ abort @denied
+ reverse_proxy ${fwminex-jakst}:${toString myData.ports.grafana}
+ tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
 '';
 "bitwarden.jakstys.lt".extraConfig = ''
 @denied not remote_ip ${myData.subnets.tailscale.cidr}
@@ -389,21 +391,26 @@ caddy = let irc = config.mj.services.nsd-acme.zones."irc.jakstys.lt"; + grafana = config.mj.services.nsd-acme.zones."grafana.jakstys.lt"; bitwarden = config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt"; in { serviceConfig.LoadCredential = [ "irc.jakstys.lt-cert.pem:${irc.certFile}" "irc.jakstys.lt-key.pem:${irc.keyFile}" + "grafana.jakstys.lt-cert.pem:${grafana.certFile}" + "grafana.jakstys.lt-key.pem:${grafana.keyFile}" "bitwarden.jakstys.lt-cert.pem:${bitwarden.certFile}" "bitwarden.jakstys.lt-key.pem:${bitwarden.keyFile}" ]; after = [ "nsd-acme-irc.jakstys.lt.service" + "nsd-acme-grafana.jakstys.lt.service" "nsd-acme-bitwarden.jakstys.lt.service" ]; requires = [ "nsd-acme-irc.jakstys.lt.service" + "nsd-acme-grafana.jakstys.lt.service" "nsd-acme-bitwarden.jakstys.lt.service" ]; };
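Review bot: Dropping `:80` from the site address in the `"grafana.jakstys.lt".extraConfig` block means the `@denied` matcher now guards only the HTTPS site. Caddy's automatic HTTP-to-HTTPS redirect normally stays active when a certificate is loaded with `tls <cert> <key>`, so port 80 would answer any client with a redirect, outside the Tailscale restriction. Global Caddy options are not visible in this hunk, so confirm whether redirects are disabled there; if they are not, a comment beside the block such as `# :80 only redirects; the remote_ip check applies on :443` would record that this is intended. The `{$CREDENTIALS_DIRECTORY}` placeholders are substituted when the Caddyfile is parsed, so this vhost depends on the unit's `LoadCredential` entries using exactly these two file names.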
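Review bot: Adding `nsd-acme-grafana.jakstys.lt.service` to the `requires` list ties caddy's start to a third certificate unit, so a failed issuance for the new name would presumably keep the whole proxy down, including the irc and bitwarden vhosts served by the same unit. How the nsd-acme units report failure is not visible here, so this should be confirmed against that module. Relaxing `requires` alone would not help, because `LoadCredential` fails the unit when a listed file is missing. A comment above the list, for example `# caddy cannot start unless every certificate below has been issued`, would document the coupling for whoever adds the next zone.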
@@ -451,6 +458,7 @@
 pathConfig = {
 PathChanged = [
 config.mj.services.nsd-acme.zones."irc.jakstys.lt".certFile
+ config.mj.services.nsd-acme.zones."grafana.jakstys.lt".certFile
 config.mj.services.nsd-acme.zones."bitwarden.jakstys.lt".certFile
 ];
 Unit = "cert-watcher.service";