From 1942591d2e90b4bb8a06b740e7dd032f7afe6ad7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?=
Date: Sun, 15 Feb 2026 16:36:26 +0100
Subject: [PATCH] monitoring: add apiary metrics scraping with bearer token auth

Co-Authored-By: Claude Opus 4.6
---
 services/monitoring/prometheus.nix | 22 ++++++++++++++++++++++
 terraform/vault/secrets.tf | 6 ++++++
 2 files changed, 28 insertions(+)

diff --git a/services/monitoring/prometheus.nix b/services/monitoring/prometheus.nix
index 45b1384..1d9c196 100644
--- a/services/monitoring/prometheus.nix
+++ b/services/monitoring/prometheus.nix
@@ -73,6 +73,15 @@ in
 };
 };

+ # Fetch apiary bearer token from Vault
+ vault.secrets.prometheus-apiary-token = {
+ secretPath = "hosts/monitoring01/apiary-token";
+ extractKey = "password";
+ owner = "prometheus";
+ group = "prometheus";
+ services = [ "prometheus" ];
+ };
+
 services.prometheus = {
 enable = true;
 # syntax-only check because we use external credential files (e.g., openbao-token)
@@ -233,6 +242,19 @@ in
 credentials_file = "/run/secrets/prometheus/openbao-token";
 };
 }
+ # Apiary external service
+ {
+ job_name = "apiary";
+ scheme = "https";
+ scrape_interval = "60s";
+ static_configs = [{
+ targets = [ "apiary.t-juice.club" ];
+ }];
+ authorization = {
+ type = "Bearer";
+ credentials_file = "/run/secrets/prometheus-apiary-token";
+ };
+ }
 ] ++ autoScrapeConfigs;

 pushgateway = {
diff --git a/terraform/vault/secrets.tf b/terraform/vault/secrets.tf
index e461a37..d9e6ef8 100644
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -147,6 +147,12 @@ locals {
 auto_generate = false
 data = { api_key = var.sonarr_api_key }
 }
+
+ # Bearer token for scraping apiary metrics
+ "hosts/monitoring01/apiary-token" = {
+ auto_generate = true
+ password_length = 64
+ }
 }
 }
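Review bot: The file that `vault.secrets.prometheus-apiary-token` produces is never named in this hunk, yet the apiary scrape job in the second hunk hard-codes `/run/secrets/prometheus-apiary-token`, while the existing OpenBao token sits one level deeper at `/run/secrets/prometheus/openbao-token`. The context comment under `services.prometheus` says the config check is syntax-only, so a path mismatch would not fail the build and would only show up as failed scrapes at runtime. Once the output path is confirmed, I would record it next to the definition, e.g. `# Written to /run/secrets/prometheus-apiary-token; must match credentials_file in the apiary scrape job`, or reference the path from the secret definition if the module exposes it. The file mode is not visible here either, so it is worth confirming the module writes the token readable by the `prometheus` owner only. The `services.prometheus` block continues outside the hunk.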
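Review bot: The `apiary` job attaches a bearer token to requests for a host its own comment calls external, and nothing in the job limits where that token can go if the endpoint answers with a redirect. Prometheus follows 3xx responses on scrapes by default, and the credential may be re-attached to the redirected request. Adding `follow_redirects = false;` to this entry would keep the token bound to `apiary.t-juice.club`, provided the scrape-config type used here accepts that key. The list this entry is appended to starts outside the hunk.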
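Review bot: `auto_generate = true` yields a token that exists only in Vault, but prometheus.nix describes the scrape target as an external service, so the same value has to be installed on the apiary side by a step this commit does not show. I would extend the comment to say so, e.g. `# Bearer token for scraping apiary metrics; the generated value must also be configured in apiary, and regenerating it breaks scraping until apiary is updated`. If the generator keeps the value in Terraform state, which seems likely but is not visible here, the state backend needs the same protection as the token itself. The `locals` block starts outside the hunk.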