diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index ce3ab3d..ab35ad3 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -34,6 +34,19 @@
               client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
             '';
           };
+          "~ ^/_synapse/admin" = {
+            # Only proxy to the local host on IPv4, because localhost doesn't seem to work
+            # even if matrix-synapse is listening on ::1 as well.
+            proxyPass = "http://127.0.0.1:8008";
+            extraConfig = ''
+              # Restrict access to admin API.
+              allow 172.21.87.0/24; # management VPN
+              deny all;
+              # Nginx by default only allows file uploads up to 1M in size
+              # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+              client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+            '';
+          };
         };
         extraConfig = ''
           listen 0.0.0.0:8443 http2 ssl proxy_protocol;
@@ -51,8 +64,18 @@
             port = 80;
           }
         ];
-        locations."/" = {
-          proxyPass = "http://localhost:8080";
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:8080";
+          };
+          "~ ^/api/admin" = {
+            proxyPass = "http://localhost:8082";
+            extraConfig = ''
+              # Restrict access to admin API.
+              allow 172.21.87.0/24; # management VPN
+              deny all;
+            '';
+          };
         };
         extraConfig = ''
           listen 0.0.0.0:8443 http2 ssl proxy_protocol;