diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml
index 707a9e9a5..d1790a8b2 100644
--- a/roles/custom/matrix-media-repo/defaults/main.yml
+++ b/roles/custom/matrix-media-repo/defaults/main.yml
@@ -33,6 +33,16 @@ matrix_media_repo_container_network: "{{ matrix_docker_network }}"
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_media_repo_container_additional_networks: []
 
+# Controls whether the matrix-media-repo container exposes its HTTP port (tcp/8000 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8000"), or empty string to not expose.
+matrix_media_repo_container_http_host_bind_port: ""
+
+# Controls whether the matrix-media-repo container exposes its metrics port (tcp/9000 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9000"), or empty string to not expose.
+matrix_media_repo_container_metrics_host_bind_port: ""
+
 # Extra arguments for the Docker container
 matrix_media_repo_container_extra_arguments: []
 
diff --git a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2 b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2
index ac33e3fee..091337962 100644
--- a/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2
+++ b/roles/custom/matrix-media-repo/templates/media-repo/systemd/matrix-media-repo.service.j2
@@ -23,9 +23,11 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
-			-p {{ matrix_media_repo_port }}:{{ matrix_media_repo_port }} \
-			{% if matrix_media_repo_metrics_enabled %}
-			-p {{ matrix_media_repo_metrics_port }}:{{ matrix_media_repo_metrics_port }} \
+			{% if matrix_media_repo_container_http_host_bind_port %}
+			-p {{ matrix_media_repo_container_http_host_bind_port }}:{{ matrix_media_repo_port }} \
+			{% endif %}
+			{% if matrix_media_repo_metrics_enabled and matrix_media_repo_container_metrics_host_bind_port %}
+			-p {{ matrix_media_repo_container_metrics_host_bind_port }}:{{ matrix_media_repo_metrics_port }} \
 			{% endif %}
 			-v {{ matrix_media_repo_base_path }}:/data:z \
 			--workdir='/data' \