{ ... }:
{
  homelab.monitoring.scrapeTargets = [
    {
      job_name = "nats";
      port = 7777;
    }
  ];

  services.prometheus.exporters.nats = {
    enable = true;
    url = "http://localhost:8222";
    extraFlags = [
      "-varz" # General server info
      "-connz" # Connection info
      "-jsz=all" # JetStream info
    ];
  };

  services.nats = {
    enable = true;
    jetstream = true;
    serverName = "nats1";
    settings = {
      http_port = 8222;
      accounts = {
        ADMIN = {
          users = [
            {
              nkey = "UA44ZINQKUBTV7CX3RE7MVHOEQOQK2VQGCI4GL4M7XBJB4S66URHLW7A";
            }
          ];
        };

        HOMELAB = {
          jetstream = "enabled";
          users = [
            # alerttonotify (full access to HOMELAB account)
            {
              nkey = "UASLNKLWGICRTZMIXVD3RXLQ57XRIMCKBHP5V3PYFFRNO3E3BIJBCYMZ";
            }
            # nixos-exporter (restricted to nixos-exporter subjects)
            {
              nkey = "UBCL3ODHVERVZJNGUJ567YBBKHQZOV3LK3WO6TVVSGQOCTK2NQ3IJVRV"; # Replace with public key from: nix develop -c nk -gen user -pubout
              permissions = {
                publish = [ "nixos-exporter.>" ];
                subscribe = [ "nixos-exporter.>" ];
              };
            }
          ];
        };

        DEPLOY = {
          users = [
            # Shared listener (all hosts use this)
            {
              nkey = "UCCZJSUGLCSLBBKHBPL4QA66TUMQUGIXGLIFTWDEH43MGWM3LDD232X4";
              permissions = {
                subscribe = [
                  "deploy.test.>"
                  "deploy.prod.>"
                  "deploy.discover"
                ];
                publish = [
                  "deploy.responses.>"
                  "deploy.discover"
                ];
              };
            }
            # Test deployer (MCP without admin)
            {
              nkey = "UBR66CX2ZNY5XNVQF5VBG4WFAF54LSGUYCUNNCEYRILDQ4NXDAD2THZU";
              permissions = {
                publish = [
                  "deploy.test.>"
                  "deploy.discover"
                  "build.>"
                ];
                subscribe = [
                  "deploy.responses.>"
                  "deploy.discover"
                  "build.responses.>"
                ];
              };
            }
            # Admin deployer (full access)
            {
              nkey = "UD2BFB7DLM67P5UUVCKBUJMCHADIZLGGVUNSRLZE2ZC66FW2XT44P73Y";
              permissions = {
                publish = [
                  "deploy.>"
                  "build.>"
                ];
                subscribe = [
                  "deploy.>"
                  "build.responses.>"
                ];
              };
            }
            # Builder (subscribes to build requests, publishes responses)
            {
              nkey = "UB4PUHGKAWAK6OS62FX7DOQTPFFJTLZZBTKCOCAXDP75H3NSMWAEDJ7E";
              permissions = {
                subscribe = [ "build.>" ];
                publish = [ "build.responses.>" ];
              };
            }
            # Scheduler (publishes build requests, subscribes to responses)
            {
              nkey = "UDQ5SFEGDM66AQGLK7KQDW6ZOC2QCXE2P6EJQ6VPBSR2CRCABPOVWRI4";
              permissions = {
                publish = [ "build.>" ];
                subscribe = [ "build.responses.>" ];
              };
            }
          ];
        };
      };
      system_account = "ADMIN";
      jetstream = {
        max_mem = "1G";
        max_file = "1G";
      };
    };
  };
}