monitoring: add apiary metrics scraping with bearer token auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

services/monitoring/prometheus.nix

@@ -73,6 +73,15 @@ in
     };
   };
 
+  # Fetch apiary bearer token from Vault
+  vault.secrets.prometheus-apiary-token = {
+    secretPath = "hosts/monitoring01/apiary-token";
+    extractKey = "password";
+    owner = "prometheus";
+    group = "prometheus";
+    services = [ "prometheus" ];
+  };
+
   services.prometheus = {
     enable = true;
     # syntax-only check because we use external credential files (e.g., openbao-token)
@@ -233,6 +242,19 @@ in
           credentials_file = "/run/secrets/prometheus/openbao-token";
         };
       }
+      # Apiary external service
+      {
+        job_name = "apiary";
+        scheme = "https";
+        scrape_interval = "60s";
+        static_configs = [{
+          targets = [ "apiary.t-juice.club" ];
+        }];
+        authorization = {
+          type = "Bearer";
+          credentials_file = "/run/secrets/prometheus-apiary-token";
+        };
+      }
     ] ++ autoScrapeConfigs;
 
     pushgateway = {

terraform/vault/secrets.tf

@@ -147,6 +147,12 @@ locals {
       auto_generate = false
       data          = { api_key = var.sonarr_api_key }
     }
+
+    # Bearer token for scraping apiary metrics
+    "hosts/monitoring01/apiary-token" = {
+      auto_generate   = true
+      password_length = 64
+    }
   }
 }