diff --git a/configs/nginx/nginx.conf.mako b/configs/nginx/nginx.conf.mako
index 65b46db11..21d4dfe00 100644
--- a/configs/nginx/nginx.conf.mako
+++ b/configs/nginx/nginx.conf.mako
@@ -62,6 +62,12 @@ http {
 		include /etc/kvmd/nginx/ssl.conf;
 		include /etc/kvmd/nginx/kvmd.ctx-server.conf;
 		include /usr/share/kvmd/extras/*/nginx.ctx-server.conf;
+
+		% if prometheus_use_separate_port:
+		location /api/export/prometheus/metrics {
+			return 404;
+		}
+		% endif
 	}
 
 	% else:
@@ -74,7 +80,30 @@ http {
 		include /etc/kvmd/nginx/certbot.ctx-server.conf;
 		include /etc/kvmd/nginx/kvmd.ctx-server.conf;
 		include /usr/share/kvmd/extras/*/nginx.ctx-server.conf;
+
+		% if prometheus_use_separate_port:
+		location /api/export/prometheus/metrics {
+			return 404;
+		}
+		% endif
 	}
 
 	% endif
+
+	% if prometheus_use_separate_port:
+	server {
+		listen ${prometheus_http_port};
+		% if ipv6_enabled:
+		listen [::]:${prometheus_http_port};
+		% endif
+
+		location /api/export/prometheus/metrics {
+			rewrite ^/api$ / break;
+			rewrite ^/api/(.*)$ /$1 break;
+			proxy_pass http://kvmd;
+			include /etc/kvmd/nginx/loc-proxy.conf;
+			auth_request off;
+		}
+	}
+	% endif
 }
diff --git a/kvmd/apps/__init__.py b/kvmd/apps/__init__.py
index 035b3cc46..3b667fe3f 100644
--- a/kvmd/apps/__init__.py
+++ b/kvmd/apps/__init__.py
@@ -752,6 +752,10 @@ def _get_config_scheme() -> dict:
                 "enabled": Option(True, type=valid_bool),
                 "port":    Option(443,  type=valid_port),
             },
+            "prometheus": {
+                "use_separate_port": Option(False, type=valid_bool),
+                "http_port":         Option(22091, type=valid_port),
+            },
         },
 
         "janus": {
diff --git a/kvmd/apps/ngxmkconf/__init__.py b/kvmd/apps/ngxmkconf/__init__.py
index 67c25bcb5..77d1cf0e9 100644
--- a/kvmd/apps/ngxmkconf/__init__.py
+++ b/kvmd/apps/ngxmkconf/__init__.py
@@ -54,6 +54,8 @@ def main(argv: (list[str] | None)=None) -> None:
         https_enabled=config.nginx.https.enabled,
         https_port=config.nginx.https.port,
         ipv6_enabled=network.is_ipv6_enabled(),
+        prometheus_use_separate_port=config.nginx.prometheus.use_separate_port,
+        prometheus_http_port=config.nginx.prometheus.http_port,
     )
 
     if options.print: