diff --git a/cluster/services/ipfs/default.nix b/cluster/services/ipfs/default.nix index 1567603..468922b 100644 --- a/cluster/services/ipfs/default.nix +++ b/cluster/services/ipfs/default.nix @@ -1,4 +1,4 @@ -{ config, depot, lib, tools, ... }: +{ config, depot, lib, ... }: { hostLinks = lib.genAttrs config.services.ipfs.nodes.node (name: let @@ -25,8 +25,9 @@ nodes = { node = [ "VEGAS" "prophet" ]; clusterPeer = [ "VEGAS" "prophet" ]; - gateway = [ "VEGAS" ]; + gateway = [ "VEGAS" "prophet" ]; io-tweaks = [ "VEGAS" ]; + remote-api = [ "VEGAS" ]; }; nixos = { node = [ @@ -40,6 +41,7 @@ ./cluster.nix ]; io-tweaks = ./io-tweaks.nix; + remote-api = ./remote-api.nix; }; }; } diff --git a/cluster/services/ipfs/gateway.nix b/cluster/services/ipfs/gateway.nix index b1edc90..f0f2cba 100644 --- a/cluster/services/ipfs/gateway.nix +++ b/cluster/services/ipfs/gateway.nix @@ -1,13 +1,19 @@ -{ config, depot, tools, ... }: +{ config, lib, tools, ... }: with tools.nginx; let inherit (tools.meta) domain; - cfg = config.services.ipfs; gw = config.links.ipfsGateway; + cfg = config.services.ipfs; + metrics = config.links.ipfsMetrics; in { users.users.nginx.extraGroups = [ cfg.group ]; + links.ipfsMetrics = { + protocol = "http"; + path = "/debug/metrics/prometheus"; + }; + services.nginx.virtualHosts = { "top-level.${domain}".locations = { "~ ^/ip[fn]s" = { 
@@ -18,37 +24,17 @@ in ''; }; }; - - "lain-ipfs.${domain}" = vhosts.basic // { - locations = { - "= /".return = "404"; - "~ ^/ip[fn]s" = { - proxyPass = gw.url; - extraConfig = '' - add_header X-Content-Type-Options ""; - add_header Access-Control-Allow-Origin *; - ''; - }; - "/ipfs".extraConfig = "expires max;"; - }; - }; - "ipfs.admin.${domain}" = vhosts.basic // { - locations."/api".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; - locations."/ipns/webui.ipfs.${domain}".proxyPass = "${gw.url}/ipns/webui.ipfs.${domain}"; - locations."= /".return = "302 /ipns/webui.ipfs.${domain}"; - locations."/debug/metrics/prometheus" = { - proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; - extraConfig = '' - access_log off; - auth_request off; - allow ${depot.config.hours.VEGAS.interfaces.primary.addr}; - deny all; - ''; + ipfs-metrics = { + serverName = null; + listen = lib.singleton { + addr = metrics.ipv4; + inherit (metrics) port; }; + extraConfig = "access_log off;"; + locations."/".return = "204"; + locations."${metrics.path}".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; }; }; - services.oauth2_proxy.nginx.virtualHosts = [ "ipfs.admin.${domain}" ]; - security.acme.certs."ipfs.${domain}" = { domain = "*.ipfs.${domain}"; extraDomainNames = [ "*.ipns.${domain}" ]; diff --git a/cluster/services/ipfs/remote-api.nix b/cluster/services/ipfs/remote-api.nix new file mode 100644 index 0000000..9b4458c --- /dev/null +++ b/cluster/services/ipfs/remote-api.nix 
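Review bot: The new `ipfs-metrics` vhost forwards `${metrics.path}` to the IPFS API socket with no `allow`/`deny` of its own, whereas the removed location limited scraping to one address with `allow …; deny all;`. Reachability now depends entirely on what `metrics.ipv4` binds to, which is not visible in this hunk; if that address can be reached by anything other than the scraper, keep an explicit ACL in `extraConfig`. The location is also a prefix match, so any request path that begins with the metrics path is handed to the full API socket; an exact match, `locations."= ${metrics.path}".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:";`, narrows what this unauthenticated listener can reach.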
@@ -0,0 +1,20 @@
+{ config, tools, ... }:
+with tools.nginx;
+let
+ inherit (tools.meta) domain;
+ cfg = config.services.ipfs;
+ gw = config.links.ipfsGateway;
+in
+{
+ users.users.nginx.extraGroups = [ cfg.group ];
+
+ services.nginx.virtualHosts = {
+ "ipfs.admin.${domain}" = vhosts.basic // {
+ locations."/api".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:";
+ locations."/ipns/webui.ipfs.io".proxyPass = "${gw.url}/ipns/webui.ipfs.io";
+ locations."= /".return = "302 /ipns/webui.ipfs.io";
+ };
+ };
+
+ services.oauth2_proxy.nginx.virtualHosts = [ "ipfs.admin.${domain}" ];
+}
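Review bot: `/ipns/webui.ipfs.io` is served on the same origin as `/api`, so whatever that IPNS name resolves to runs in the operator's browser with their authenticated session against the IPFS API socket. The name is mutable and published outside this deployment, so consider pinning the UI to an immutable path, e.g. `locations."= /".return = "302 /ipfs/<WEBUI_CID>";` with a matching `proxyPass` location (`<WEBUI_CID>` is a placeholder for a reviewed release). Separately, `/api` has no protection other than the oauth2_proxy entry on the last line, and the proxy's own configuration is not in this file; a short comment such as `# /api is the unauthenticated IPFS RPC socket; access is gated only by oauth2_proxy` above the vhost would make that dependency explicit.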