diff --git a/host_vars/dashboards.archlinux.org/misc b/host_vars/dashboards.archlinux.org/misc
index 628bfa1fe9dea99d402a1f29d971df1752e99e34..59ce6cb73df8ff51ec137005e552c135c587bda0 100644
--- a/host_vars/dashboards.archlinux.org/misc
+++ b/host_vars/dashboards.archlinux.org/misc
@@ -1,6 +1,5 @@
 ---
 filesystem: btrfs
 ipv4_address: 157.90.255.107
-prometheus_domain: dashboards.archlinux.org
 wireguard_address: 10.0.0.33
 wireguard_public_key: lLZtvFIrmtUXRXmw+qQC8LZ00NzN1wlvcI4grNWt2lE=
diff --git a/roles/grafana/templates/datasources.yaml.j2 b/roles/grafana/templates/datasources.yaml.j2
index 1abb6cf611ef0e983e1a2d86a4cdfa148d6dd145..c71602cb080a5016a9531aa142e717ea0612fd3e 100644
--- a/roles/grafana/templates/datasources.yaml.j2
+++ b/roles/grafana/templates/datasources.yaml.j2
@@ -9,7 +9,7 @@ datasources:
   basicAuthUser: {{ vault_prometheus_user }}
   secureJsonData:
     basicAuthPassword: {{ vault_prometheus_passwd }}
-  url: https://{{ prometheus_domain }}:9090
+  url: http://{{ prometheus_domain }}:9090
 {% else %}
 - name: Prometheus
   type: prometheus
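Review bot: The new `url: http://{{ prometheus_domain }}:9090` sits directly under `basicAuthUser` and `basicAuthPassword`, so the Prometheus basic-auth credentials now travel without TLS and their confidentiality rests entirely on the WireGuard tunnel. The same applies to the `remote_write` URL and the `scheme: http` scrape job in roles/prometheus/templates/prometheus.yml.j2. The trade-off looks intentional given the listen-address and firewall changes in this commit, but it should be recorded next to the URL, for example `# plain HTTP on purpose: only served on the WireGuard address, which provides the transport encryption`. The enclosing `{% if %}` block starts outside this hunk.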
diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml
index e630bd84ea378c2cd9194d71f1c51c4b8d7988a9..fa3854f91cb325e93460b661fd3b29db55b22253 100644
--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
@@ -1,6 +1,6 @@
 monitoring_domain: monitoring.archlinux.org
 gitlab_runner_exporter_port: '9252'
-prometheus_domain: dashboards.archlinux.org
+prometheus_domain: "{{ hostvars['dashboards.archlinux.org']['wireguard_address'] }}"
 prometheus_mysqld_exporter_port: '9104'
 prometheus_receive_only: false
 
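Review bot: `prometheus_domain` now resolves to a WireGuard IP address rather than a domain, so the name will mislead anyone who later builds a certificate name or an `https://` URL from it. Either rename it (for example `prometheus_address`) or add a comment above the line such as `# WireGuard address of the Prometheus receiver; not a DNS name`. The literal `dashboards.archlinux.org` is also repeated in the `instance` label in prometheus.yml.j2, so a single host-name variable would keep the two in step. With the definitions in host_vars and roles/prometheus_exporters/defaults removed, it is worth confirming that every role referencing the variable (the grafana template does) still sees this default in its play.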
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 0cbf67b1953b15b712bfa78b329c33049b3d1cde..3c1aa21f9f6a686562af716b61d59d61d31147c0 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -3,17 +3,6 @@
 - name: install prometheus server
   pacman: name=prometheus,python-passlib,python-bcrypt state=present
 
-- name: install cert renewal hook
-  template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/renewal-hooks/deploy/prometheus owner=root group=root mode=0755
-  when: prometheus_receive_only
-
-- name: create ssl cert
-  include_role:
-    name: certificate
-  vars:
-    domains: ["{{ prometheus_domain }}"]
-  when: prometheus_receive_only
-
 - name: install prometheus configuration
   template: src=prometheus.yml.j2 dest=/etc/prometheus/prometheus.yml owner=root group=prometheus mode=640
   notify: reload prometheus
@@ -35,8 +24,9 @@
 - name: enable prometheus server service
   systemd: name=prometheus enabled=yes daemon_reload=yes state=started
 
-- name: open firewall holes for prometheus
-  ansible.posix.firewalld: service=prometheus permanent=true state=enabled immediate=yes
+- name: open prometheus port for monitoring.archlinux.org
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9090 accept"
   when: configure_firewall and prometheus_receive_only
   tags:
     - firewall
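Review bot: Replacing the task does not undo what the old one did: hosts that already ran `service=prometheus permanent=true state=enabled` keep that permanent firewalld entry, so the port may remain allowed outside the `wireguard` zone until it is disabled explicitly. A one-off cleanup task with `ansible.posix.firewalld: service=prometheus permanent=true state=disabled immediate=yes` would close it. The same goes for the tasks deleted in the first hunk of this file: the hook at `/etc/letsencrypt/renewal-hooks/deploy/prometheus` and the copied `/etc/prometheus/server.key` are not removed from hosts where they were deployed. The two-line `key=value` argument string would also be easier to review as a block mapping with `rich_rule` as its own quoted key.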
diff --git a/roles/prometheus/templates/letsencrypt.hook.d.j2 b/roles/prometheus/templates/letsencrypt.hook.d.j2
deleted file mode 100644
index d493a71e2a0925a496a7c6ffa2c27bfc6560c47c..0000000000000000000000000000000000000000
--- a/roles/prometheus/templates/letsencrypt.hook.d.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/bash
-set -o errexit -o nounset
-
-for domain in ${RENEWED_DOMAINS}; do
-  if [[ "{{ prometheus_domain }}" = "${domain}" ]]; then
-    umask 077
-    cp --dereference "${RENEWED_LINEAGE}/fullchain.pem" /etc/prometheus/server.crt.new
-    cp --dereference "${RENEWED_LINEAGE}/privkey.pem" /etc/prometheus/server.key.new
-    chown root:prometheus /etc/prometheus/server.{crt,key}.new
-    chmod 640 /etc/prometheus/server.{crt,key}.new
-    rename ".new" "" /etc/prometheus/server.{crt,key}.new
-    break
-  fi
-done
diff --git a/roles/prometheus/templates/prometheus.conf.j2 b/roles/prometheus/templates/prometheus.conf.j2
index dbff0daee7e9fb26db163ab60d47c4c06b17e276..50dd731a17f85ead91feb87ec1851917d24e658a 100644
--- a/roles/prometheus/templates/prometheus.conf.j2
+++ b/roles/prometheus/templates/prometheus.conf.j2
@@ -1,5 +1,5 @@
 {% if prometheus_receive_only %}
-PROMETHEUS_ARGS="--storage.tsdb.retention.time=365d --enable-feature=remote-write-receiver --web.config.file=/etc/prometheus/web-config.yml"
+PROMETHEUS_ARGS="--storage.tsdb.retention.time=365d --enable-feature=remote-write-receiver --web.config.file=/etc/prometheus/web-config.yml --web.listen-address={{ wireguard_address }}:9090"
 {% else %}
 PROMETHEUS_ARGS="--storage.tsdb.retention.time=365d"
 {% endif %}
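Review bot: Binding to `{{ wireguard_address }}:9090` makes Prometheus fail to start if that address is not yet assigned when the unit starts, and nothing visible in this change orders the service after the WireGuard interface. If no such ordering exists elsewhere in the role, a systemd drop-in with `After=` and `Wants=` on the unit that brings up the tunnel would avoid a monitoring gap after a reboot. Anything on the host that still talks to `localhost:9090` will also stop working in the receive-only case, so existing local consumers are worth checking.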
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index d301b3b8d35dd20dbfa816cc387585809f4732cf..a0549850d1422380ccb255bf0870b6155394f39a 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -14,7 +14,7 @@ alerting:
        - localhost:9093
 
 remote_write:
-- url: https://{{ prometheus_domain }}:9090/api/v1/write
+- url: http://{{ prometheus_domain }}:9090/api/v1/write
   write_relabel_configs:
   - source_labels: [__name__]
     regex: "archive_directory_size_bytes|archive_total_packages|rebuilderd_results|rebuilderd_workers|rebuilderd_queue_length|repository_directory_size_bytes|aur_.+"
@@ -31,7 +31,7 @@ scrape_configs:
         instance: "{{ ansible_fqdn }}"
 
   - job_name: prometheus-domain
-    scheme: https
+    scheme: http
     basic_auth:
       username: {{ vault_prometheus_user }}
       password: {{ vault_prometheus_passwd }}
@@ -39,7 +39,7 @@ scrape_configs:
     - targets: ['{{ prometheus_domain }}:9090']
       labels:
         job: prometheus
-        instance: "{{ prometheus_domain }}"
+        instance: "dashboards.archlinux.org"
 
   - job_name: loki
     static_configs:
diff --git a/roles/prometheus/templates/web-config.yml.j2 b/roles/prometheus/templates/web-config.yml.j2
index 1c304aa46a0c2787a4958a23152a0b2eb1eee385..13e8ad8e8643b97ab14ab274b488d33e19794b61 100644
--- a/roles/prometheus/templates/web-config.yml.j2
+++ b/roles/prometheus/templates/web-config.yml.j2
@@ -1,7 +1,3 @@
-tls_server_config:
-  cert_file: server.crt
-  key_file: server.key
-
 # Usernames and passwords required to connect to Prometheus.
 # Passwords are hashed with bcrypt: https://github.com/prometheus/exporter-toolkit/blob/46630604b0f1c5d64fbd3eb3010d91af38dc798b/docs/web-configuration.md#about-bcrypt
 basic_auth_users:
diff --git a/roles/prometheus_exporters/defaults/main.yml b/roles/prometheus_exporters/defaults/main.yml
index b66b5c4602da8ff860fd2d17f6aa9d73816a54f8..0fe0db5876cbd899da3dbc589af5628bf76f0f3e 100644
--- a/roles/prometheus_exporters/defaults/main.yml
+++ b/roles/prometheus_exporters/defaults/main.yml
@@ -1,7 +1,5 @@
 ---
 
-prometheus_domain: monitoring.archlinux.org
-
 prometheus_textfile_dir: /var/lib/node_exporter
 
 gitlab_runner_exporter_port: '9252'