diff --git a/ops/modules/o11y/grafana.nix b/ops/modules/o11y/grafana.nix
index 941f1098b..53c026f89 100644
--- a/ops/modules/o11y/grafana.nix
+++ b/ops/modules/o11y/grafana.nix
@@ -17,9 +17,10 @@ in
 
         settings = {
           server = {
+            protocol = "socket";
+            socket = "/run/grafana/web.sock";
+            socket_gid = config.ids.gids.nginx;
             domain = "status.snix.dev";
-            http_addr = "127.0.0.1";
-            http_port = 2342;
             root_url = "https://status.snix.dev/";
           };
 
@@ -140,6 +141,9 @@ in
       };
     };
 
+    systemd.services.grafana.serviceConfig.RuntimeDirectory = "grafana";
+    systemd.services.grafana.serviceConfig.SupplementaryGroups = "nginx";
+
     infra.monitoring.alloy.exporters.grafana.port = 2342;
   };
 }
diff --git a/ops/modules/www/status.snix.dev.nix b/ops/modules/www/status.snix.dev.nix
index 0a3caceea..4ed0daaa1 100644
--- a/ops/modules/www/status.snix.dev.nix
+++ b/ops/modules/www/status.snix.dev.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 
 {
   imports = [
@@ -6,20 +6,17 @@
   ];
 
   config = {
-    services.nginx =
-      let
-        scfg = config.services.grafana.settings.server;
-      in
-      {
-        enable = true;
-        virtualHosts."${scfg.domain}" = {
-          enableACME = true;
-          forceSSL = true;
-          locations."/" = {
-            proxyPass = "http://${scfg.http_addr}:${toString scfg.http_port}";
-            proxyWebsockets = true;
-          };
+    services.nginx = {
+      enable = true;
+      upstreams.grafana.servers."unix:/run/grafana/web.sock" = { };
+      virtualHosts."status.snix.dev" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://grafana/";
+          proxyWebsockets = true;
         };
       };
+    };
   };
 }