monitoring: add apiary metrics scraping with bearer token auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 16:36:26 +01:00
parent 4d614d8716
commit 1942591d2e
2 changed files with 28 additions and 0 deletions
--- a/services/monitoring/prometheus.nix
+++ b/services/monitoring/prometheus.nix
@@ -73,6 +73,15 @@ in
    };
  };

+  # Fetch apiary bearer token from Vault
+  vault.secrets.prometheus-apiary-token = {
+    secretPath = "hosts/monitoring01/apiary-token";
+    extractKey = "password";
+    owner = "prometheus";
+    group = "prometheus";
+    services = [ "prometheus" ];
+  };
+
  services.prometheus = {
    enable = true;
    # syntax-only check because we use external credential files (e.g., openbao-token)
@@ -233,6 +242,19 @@ in
          credentials_file = "/run/secrets/prometheus/openbao-token";
        };
      }
+      # Apiary external service
+      {
+        job_name = "apiary";
+        scheme = "https";
+        scrape_interval = "60s";
+        static_configs = [{
+          targets = [ "apiary.t-juice.club" ];
+        }];
+        authorization = {
+          type = "Bearer";
+          credentials_file = "/run/secrets/prometheus-apiary-token";
+        };
+      }
    ] ++ autoScrapeConfigs;

    pushgateway = {