diff --git a/flake.lock b/flake.lock
index 7a4ef7f..c638de5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -538,11 +538,11 @@
 },
 "nix-secrets": {
 "locked": {
- "lastModified": 1737144220,
- "narHash": "sha256-ZamN1/yIJ1sUMnnGyFCMR2jJFzPFj4KNR3/6GGUdpKc=",
+ "lastModified": 1737144574,
+ "narHash": "sha256-g0B0+UkiRusGm5QkGC6uHa7Ybq6J7RgeF4aa/nrCeLg=",
 "ref": "refs/heads/master",
- "rev": "b414d256f0ad8ab3e2d6cf9689ba9f7ad9d4d267",
- "revCount": 210,
+ "rev": "471fa5ee6f6d12f02c0e06a6fd595b7646139da4",
+ "revCount": 211,
 "type": "git",
 "url": "ssh://git@git.bitlab21.com/sam/nix-secrets.git"
 },
diff --git a/hosts/common/optional/nixos-containers/metrics-server.nix b/hosts/common/optional/nixos-containers/metrics-server.nix
new file mode 100644
index 0000000..5a0a35d
--- /dev/null
+++ b/hosts/common/optional/nixos-containers/metrics-server.nix
@@ -0,0 +1,126 @@
+{
+ pkgs,
+ lib,
+ inputs,
+ configVars,
+ ...
+}: let
+ containerName = "metrics-server";
+ containerIp = configVars.networking.addresses.metrics-server.ip;
+ gatewayIp = configVars.networking.addresses.gateway.ip;
+ metricsServerContainerData = configVars.locations.metricsServerContainerData;
+ pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
+ arion = inputs.arion;
+in {
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = "br0";
+
+ services.restic.backups = {
+ daily = {
+ paths = [
+ metricsServerContainerData
+ ];
+ exclude = [
+ ];
+ };
+ };
+
+ environment.persistence."/persist" = {
+ hideMounts = true;
+ directories = [
+ "/var/lib/nixos-containers/${containerName}"
+ ];
+ };
+
+ containers."${containerName}" = {
+ enableTun = true;
+
+ # # configuration to run docker/podman in systemd-nspawn container
+ # # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
+ # additionalCapabilities = [
+ # ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
+ # ];
+ # extraFlags = ["--private-users-ownership=chown"];
+ # allowedDevices = [
+ # ];
+ # ######
+
+ autoStart = true;
+ privateNetwork = true;
+ hostBridge = "br0";
+ nixpkgs = pkgs.path;
+ bindMounts = {
+ "/var/lib/" = {
+ hostPath = metricsServerContainerData;
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+ pkgs,
+ lib,
+ config,
+ ...
+ }: {
+ networking = {
+ defaultGateway = "${gatewayIp}";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ "address" = "${containerIp}";
+ "prefixLength" = 24;
+ }
+ ];
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ config.services.prometheus.port
+ ];
+ };
+ useHostResolvConf = lib.mkForce false;
+ };
+
+ services.resolved.enable = true;
+
+ imports = [
+ ];
+
+ environment.systemPackages = [
+ pkgs.vim
+ pkgs.git
+ ];
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ };
+
+ services.grafana = {
+ enable = true;
+ domain = "grafana.hm";
+ port = 2342;
+ addr = "127.0.0.1";
+ };
+
+ services.nginx.virtualHosts.${config.services.grafana.domain} = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+ };
+}
diff --git a/hosts/common/optional/nixos-containers/pihole.nix b/hosts/common/optional/nixos-containers/pihole.nix
index 924c758..457ede4 100644
--- a/hosts/common/optional/nixos-containers/pihole.nix
+++ b/hosts/common/optional/nixos-containers/pihole.nix
@@ -8,7 +8,7 @@
 containerName = "pihole";
 containerIp = configVars.networking.addresses.pihole.ip;
 gatewayIp = configVars.networking.addresses.gateway.ip;
- piholeContainerData = configVars.locations.dockerContainerData;
+ piholeContainerData = configVars.locations.piholeContainerData;
 pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
 arion = inputs.arion;
 in {
diff --git a/vars/default.nix b/vars/default.nix
index ab11a57..70892b7 100644
--- a/vars/default.nix
+++ b/vars/default.nix
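Review bot: The container firewall's `allowedTCPPorts` opens only `config.services.prometheus.port`, while the nginx virtual host that fronts Grafana listens on 80, which stays closed — so from the bridge the only reachable service is Prometheus's unauthenticated HTTP API and Grafana is not reachable at all (SSH is reachable because the openssh module opens its port by default). If Prometheus is only queried by the local Grafana, keep it on loopback with `services.prometheus.listenAddress = "127.0.0.1";` and open nginx's port instead; note the vhost is plain HTTP, so Grafana logins would cross the bridge unencrypted unless TLS is added. Grafana also gets no admin password here, so it comes up with its default admin credentials; set `services.grafana.settings.security.admin_password` from a secrets file (the flake already pulls in nix-secrets) rather than leaving the default. The top-level `services.grafana.domain`/`port`/`addr` appear to be renamed aliases of `settings.server.{domain,http_port,http_addr}` in nixpkgs of this vintage — confirm against the pinned nixpkgs, and keep the vhost's `proxyPass` reading the same option. The `arion = inputs.arion;` binding in the `let` block is unused in this file.
```nix
      firewall = {
        enable = true;
        allowedTCPPorts = [
          # Grafana is reached via nginx on 80; Prometheus stays loopback-only below.
          80
        ];
      };
      # … unchanged: useHostResolvConf, resolved, imports, systemPackages …
      services.prometheus = {
        enable = true;
        port = 9001;
        listenAddress = "127.0.0.1";
      };

      services.grafana = {
        enable = true;
        settings.server = {
          domain = "grafana.hm";
          http_port = 2342;
          http_addr = "127.0.0.1";
        };
        # placeholder path: point at the secret deployed from nix-secrets
        settings.security.admin_password = "$__file{/run/secrets/<grafana-admin-password>}";
      };

      services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
          proxyWebsockets = true;
        };
      };
      # … unchanged: openssh, users, stateVersion …
```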
@@ -8,6 +8,7 @@ mediaDataMountPoint = "/media/media"; photosDataMountPoint = "/media/photos"; + metricsServerContainerData = "/mnt/main-ssd/metrics-server"; dockerContainerData = "/mnt/main-ssd/docker"; piholeContainerData = "/mnt/main-ssd/docker/pihole"; bitcoinNodeContainerData = "/mnt/main-ssd/nix-bitcoin";