diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index dd653b0..faec1b7 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -178,6 +178,8 @@
       enable = true;
       email = "motiejus+acme@jakstys.lt";
       virtualHosts."grafana.jakstys.lt".extraConfig = ''
+        @denied not remote_ip ${myData.tailscale_subnet.cidr}
+        abort @denied
         reverse_proxy 127.0.0.1:3000
         tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
       '';