diff --git a/coreos-config/group_vars/all/networks.yaml b/coreos-config/group_vars/all/networks.yaml new file mode 100644 index 0000000..5367659 --- /dev/null +++ b/coreos-config/group_vars/all/networks.yaml @@ -0,0 +1,3 @@ +docker: + internal_networks: + - metrics diff --git a/coreos-config/plays/common.yaml b/coreos-config/plays/common.yaml index 580b3a4..aecb84b 100644 --- a/coreos-config/plays/common.yaml +++ b/coreos-config/plays/common.yaml @@ -81,6 +81,14 @@ dest: /home/core/.docker/config.json mode: '0600' owner: core +- name: Setup internal networks + hosts: all + tasks: + - name: Setup network + community.docker.docker_network: + name: "{{ item }}" + internal: true + loop: "{{ docker.internal_networks | default([]) }}" - name: Setup Push Monitoring hosts: all tags: diff --git a/coreos-config/plays/services/hedgedoc/docker-compose.yaml b/coreos-config/plays/services/hedgedoc/docker-compose.yaml index 7a3f78d..40cab47 100644 --- a/coreos-config/plays/services/hedgedoc/docker-compose.yaml +++ b/coreos-config/plays/services/hedgedoc/docker-compose.yaml @@ -66,6 +66,7 @@ services: condition: service_healthy networks: - backend + - metrics volumes: database: @@ -73,4 +74,6 @@ volumes: networks: backend: internal: true + metrics: + external: true ... diff --git a/coreos-config/plays/services/matrix/docker-compose.yaml b/coreos-config/plays/services/matrix/docker-compose.yaml index a6b4def..c3f3db3 100644 --- a/coreos-config/plays/services/matrix/docker-compose.yaml +++ b/coreos-config/plays/services/matrix/docker-compose.yaml @@ -31,6 +31,7 @@ services: networks: - default - backend + - metrics labels: - "traefik.enable=true" - "traefik.http.routers.http-synapse.rule=Host(`synapse.{{ matrix.baseurl }}`)" @@ -211,6 +212,8 @@ services: networks: backend: internal: true + metrics: + external: true volumes: synapse_data: 
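Review bot: In coreos-config/plays/common.yaml the new `Setup network` task leaves `appends` at its default, and with no `connected` list the community.docker.docker_network module documents that list as canonical, so it disconnects containers already attached to the network. Re-running the play on a host whose stacks are up would then detach every service from `metrics`, and scraping would stop without any task failing. Adding `appends: true` below `internal: true` keeps existing attachments. A short comment that the compose files reference these networks as `external: true`, and that this play must therefore run before any stack is deployed, would also help.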
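Review bot: In hedgedoc/docker-compose.yaml, and in the same `- metrics` additions in the matrix and miniflux files, an internet-facing service joins a single `metrics` network that every other stack also joins. Every port listening in these containers becomes reachable from the other stacks, not only the metrics port, so a compromise of one application gains direct network reach into the rest. Since `docker.internal_networks` is already a list, consider one scrape network per stack (for example `metrics_hedgedoc`) joined only by that stack and the Prometheus container. If the shared network stays, a comment on the `metrics:` declaration such as `# shared across all stacks; every listening port in this container is reachable from them` would record the trade-off.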
diff --git a/coreos-config/plays/services/miniflux/docker-compose.yaml b/coreos-config/plays/services/miniflux/docker-compose.yaml index 76a6b3f..bdefc22 100644 --- a/coreos-config/plays/services/miniflux/docker-compose.yaml +++ b/coreos-config/plays/services/miniflux/docker-compose.yaml @@ -35,6 +35,7 @@ services: - backend - pantalaimon - default + - metrics db: image: postgres:13 @@ -42,8 +43,6 @@ services: environment: - POSTGRES_USER={{ miniflux.db.user }} - POSTGRES_PASSWORD={{ miniflux.db.password }} - labels: - - "com.centurylinklabs.watchtower.scope=update" volumes: - database:/var/lib/postgresql/data healthcheck: @@ -61,4 +60,6 @@ networks: internal: true pantalaimon: external: true + metrics: + external: true ... diff --git a/coreos-config/plays/services/prometheus/docker-compose.yaml b/coreos-config/plays/services/prometheus/docker-compose.yaml index 7ff543b..e399320 100644 --- a/coreos-config/plays/services/prometheus/docker-compose.yaml +++ b/coreos-config/plays/services/prometheus/docker-compose.yaml @@ -24,6 +24,7 @@ services: networks: - backend - alertmanager + - metrics prometheus-docker-sd: image: registry.tobiasmanske.de/prometheus-docker-sd:latest @@ -136,7 +137,7 @@ services: - "^/(sys|proc|dev|host|etc|rootfs/var/lib/docker/containers|rootfs/var/lib/docker/overlay2|rootfs/run/docker/netns|rootfs/var/lib/docker/aufs)($$|/)" - '--collector.systemd' networks: - - backend + - metrics restart: unless-stopped cadvisor: @@ -154,7 +155,7 @@ services: - /sys:/sys:ro - /var/lib/docker/:/var/lib/docker:ro networks: - - backend + - metrics restart: unless-stopped loki: @@ -186,6 +187,7 @@ services: - "prometheus-scrape.port=8080" networks: - backend + - metrics mimir: image: grafana/mimir:latest @@ -202,6 +204,7 @@ services: - "prometheus-scrape.port=8080" networks: - backend + - metrics volumes: prom_data: @@ -216,3 +219,5 @@ networks: backend: internal: true alertmanager: + metrics: + external: true 
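Review bot: The two hunks in prometheus/docker-compose.yaml that replace `- backend` with `- metrics` (the service carrying `--collector.systemd`, and `cadvisor`) move host-level exporters off the stack-private network and onto the one shared with hedgedoc, matrix, miniflux and traefik-fa. No authentication for these endpoints is visible in the hunks, so host and container inventory would become readable from any of those application containers. The service in the first hunk is attached to both `backend` and `metrics`; if that is Prometheus, the exporters can stay on `- backend` and still be scraped. The same question applies to the two later hunks that add `- metrics` beside `- backend`; those service definitions start outside the hunks.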
diff --git a/coreos-config/plays/services/traefik/docker-compose.yaml b/coreos-config/plays/services/traefik/docker-compose.yaml index 829bc56..c69c6d6 100644 --- a/coreos-config/plays/services/traefik/docker-compose.yaml +++ b/coreos-config/plays/services/traefik/docker-compose.yaml @@ -20,11 +20,14 @@ services: labels: - "prometheus-scrape.enabled=true" - "prometheus-scrape.port=9091" + - "prometheus-scrape.hostname=tobiasmanske.de" {% if deploy_traefik_fa %} traefik-fa: image: quay.io/oauth2-proxy/oauth2-proxy:latest restart: unless-stopped + networks: + - metrics depends_on: - traefik labels: @@ -71,4 +74,6 @@ volumes: networks: default: driver: bridge + metrics: + external: true ... diff --git a/coreos-config/plays/services/traefik/dynamic.yaml b/coreos-config/plays/services/traefik/dynamic.yaml index 135adaf..6ef2f15 100644 --- a/coreos-config/plays/services/traefik/dynamic.yaml +++ b/coreos-config/plays/services/traefik/dynamic.yaml @@ -6,7 +6,7 @@ http: - "127.0.0.1/32" - "192.168.0.0/16" - "172.16.0.0/16" - - "10.254.1.0/24" + - "10.254.1.0/16" auth-headers: headers: sslRedirect: true
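Review bot: In traefik/docker-compose.yaml the added `networks:` / `- metrics` on `traefik-fa` replaces the implicit attachment to `default`, because Compose only joins `default` when a service has no `networks:` key. If `metrics` is the `internal: true` network created in common.yaml, oauth2-proxy is left with no outbound route to its identity provider, and Traefik may no longer reach it over `default`, which would break the forward-auth path. Listing both `- default` and `- metrics` keeps the previous connectivity. The rest of the service definition is outside the hunk, so confirm nothing else attaches it.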
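Review bot: In traefik/dynamic.yaml the new entry `"10.254.1.0/16"` has host bits set, so it denotes all of 10.254.0.0/16 and widens the previous /24 from 256 to 65,536 source addresses. The key that owns this list is outside the hunk, but it reads like a source-range allowlist, so the wider range should be justified. If the goal is to admit the `metrics` network, pin that network's subnet in the `community.docker.docker_network` task with `ipam_config` and list exactly that prefix here. At minimum write it canonically as `"10.254.0.0/16"` with a comment naming what lives in that range.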