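# NixOS host module: runs Prometheus and Grafana inside a declarative
# nixos-container ("metrics-server") attached to the host bridge br0.
#
# Arguments:
#   pkgs       - host package set; its path is reused as the container's nixpkgs.
#   lib        - nixpkgs lib (listFilesRecursive is used to collect SSH keys).
#   configVars - project-wide settings; this module reads
#                networking.addresses.{metrics-server,docker,semita,gateway}.ip
#                and locations.metricsServerContainerData.
{ pkgs, lib, configVars, ... }:
let
  containerName = "metrics-server";

  addresses = configVars.networking.addresses;
  containerIp = addresses.metrics-server.ip;
  dockerContainerIp = addresses.docker.ip;
  semitaIp = addresses.semita.ip;
  gatewayIp = addresses.gateway.ip;

  # Host directory that backs the container's /var/lib (Prometheus TSDB,
  # Grafana database, ...) and is also the restic backup source.
  metricsServerContainerData = configVars.locations.metricsServerContainerData;

  # SECURITY: every file found under ../../users/keys, whatever its name, is
  # read verbatim and installed as an authorized key for root in the container.
  # Keep that directory limited to public keys that should have root here.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in
{
  networking.nat = {
    enable = true;
    # NOTE(review): "ve-+" matches veth pairs of non-bridged containers; this
    # container uses hostBridge, so this rule is presumably for other
    # containers on the host. Confirm it is still needed.
    internalInterfaces = [ "ve-+" ];
    externalInterface = "br0";
  };

  # Only paths/exclude are set here; repository and credentials for the
  # "daily" job are presumably defined in another module. TODO confirm.
  services.restic.backups.daily = {
    paths = [ metricsServerContainerData ];
    exclude = [ ];
  };

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers.${containerName} = {
    # NOTE(review): enableTun exposes /dev/net/tun to the container, but
    # nothing configured below uses a tunnel device. Drop it if no VPN or
    # tunnel runs in here, to keep the container's device access minimal.
    enableTun = true;
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    bindMounts."/var/lib/" = {
      hostPath = metricsServerContainerData;
      isReadOnly = false;
    };

    config = { pkgs, lib, config, ... }: {
      networking = {
        defaultGateway = gatewayIp;
        interfaces.eth0.ipv4.addresses = [
          {
            address = containerIp;
            prefixLength = 24;
          }
        ];
        firewall = {
          enable = true;
          # SECURITY: both ports are reachable from everything on br0.
          # Prometheus serves its UI and query API without authentication;
          # if only the local Grafana consumes it, remove its port here and
          # set services.prometheus.listenAddress = "127.0.0.1".
          allowedTCPPorts = [
            config.services.prometheus.port
            config.services.grafana.settings.server.http_port
          ];
        };
        # The host's resolv.conf is not usable on the bridged network;
        # systemd-resolved (enabled below) handles DNS instead.
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      imports = [ ];

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
      ];

      services.prometheus = {
        enable = true;
        port = 9001;
        scrapeConfigs = [
          {
            job_name = "node_exporter";
            static_configs = [
              {
                targets = [
                  "${dockerContainerIp}:9100"
                  "${semitaIp}:9100"
                ];
              }
            ];
          }
        ];

        # NOTE(review): this local exporter is not listed in scrapeConfigs and
        # its port is not opened in the firewall, so as written nothing
        # collects from it. Add a 127.0.0.1:9002 target if the container's own
        # metrics are wanted, otherwise disable it.
        exporters.node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          port = 9002;
        };
      };

      services.grafana = {
        enable = true;
        # settings.server.* replaces the legacy services.grafana.{addr,port}
        # aliases; the values are unchanged.
        #
        # SECURITY: Grafana listens on all interfaces and no admin credentials
        # are declared in this module. Unless the password was changed in the
        # persisted Grafana database, the upstream default applies; verify,
        # or set settings.security.admin_password from a secret file.
        settings.server = {
          http_addr = "0.0.0.0";
          http_port = 2342;
        };
      };

      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          # Close the second password-style path (PAM keyboard-interactive) so
          # that key-based login is the only way in.
          KbdInteractiveAuthentication = false;
        };
      };

      # Root is the only account with keys; login as root works because the
      # NixOS default PermitRootLogin is "prohibit-password" (keys only).
      users.users.root.openssh.authorizedKeys.keys = map builtins.readFile pubKeys;

      system.stateVersion = "24.05";
    };
  };
}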