{
  pkgs,
  lib,
  configVars,
  ...
}: let
  containerName = "metrics-server";
  containerIp = configVars.networking.addresses.metrics-server.ip;

  dockerContainerIp = configVars.networking.addresses.docker.ip;
  smWorkerIp = configVars.networking.addresses.sm-worker.ip;
  merlinIp = configVars.networking.addresses.merlin.ip;
  bdWorker = configVars.networking.addresses.bd-worker.ip;
  pihole = configVars.networking.addresses.pihole.ip;
  bitcoinNode = configVars.networking.addresses.bitcoin-node.ip;
  postres = configVars.networking.addresses.postgres.ip;
  backupServer = configVars.networking.addresses.backup-server.ip;

  http_endpoints = configVars.metrics-server.blackbox.http_endpoints;

  gatewayIp = configVars.networking.addresses.gateway.ip;
  metricsServerContainerData = configVars.locations.metricsServerContainerData;
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
in {
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  services.restic.backups = {
    daily = {
      paths = [
        metricsServerContainerData
      ];
    };
  };

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${containerName}"
    ];
  };

  containers."${containerName}" = {
    enableTun = true;
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;
    bindMounts = {
      "/var/lib/" = {
        hostPath = metricsServerContainerData;
        isReadOnly = false;
      };
    };

    config = {
      pkgs,
      lib,
      config,
      ...
    }: {
      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            "address" = "${containerIp}";
            "prefixLength" = 24;
          }
        ];
        firewall = {
          enable = true;
          allowedTCPPorts = [
            config.services.prometheus.port
            config.services.grafana.port
            config.services.prometheus.exporters.blackbox.port
          ];
        };
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      imports = [
      ];

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
      ];

      services.prometheus = {
        enable = true;
        port = 9001;
        scrapeConfigs = [
          {
            job_name = "node_exporter";
            static_configs = [
              {
                targets = [
                  "${dockerContainerIp}:9100"
                  "${smWorkerIp}:9100"
                  "${merlinIp}:9100"
                  "${bdWorker}:9100"
                  "${pihole}:9100"
                  "${bitcoinNode}:9100"
                  "${postres}:9100"
                  "${backupServer}:9100"
                ];
              }
            ];
          }

          {
            job_name = "blackbox";
            scrape_interval = "30s";
            scrape_timeout = "15s";
            metrics_path = "/probe";
            params.module = ["http_basic"];
            relabel_configs = [
              {
                source_labels = ["__address__"];
                target_label = "__param_target";
              }
              {
                source_labels = ["__param_target"];
                target_label = "instance";
              }
              {
                target_label = "__address__";
                replacement = "${config.services.prometheus.exporters.blackbox.listenAddress}:${toString config.services.prometheus.exporters.blackbox.port}";
              }
            ];
            static_configs = [
              {targets = http_endpoints;}
            ];
          }
        ];
      };

      services.grafana = {
        enable = true;
        settings.server = {
          http_port = 2342;
          http_addr = "0.0.0.0";
        };
      };

      services.prometheus = {
        exporters = {
          blackbox = {
            enable = true;
            configFile = pkgs.writeText "blackbox-conf.yaml" ''
              modules:
                http_basic:
                  prober: http
                  timeout: 5s
                  http:
                    preferred_ip_protocol: ip4
                    valid_http_versions: ["HTTP/1.1", "HTTP/2"]
                    method: GET
                    # fail_if_ssl: false
                    # fail_if_not_ssl: true
                    # tls_config:
                    #   insecure_skip_verify: true
                tcp_connect:
                  prober: tcp
                  tcp:
                    preferred_ip_protocol: ip4

            '';
          };
          node = {
            enable = true;
            enabledCollectors = ["systemd"];
            port = 9002;
          };
        };
      };

      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      users.users = {
        root = {
          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
        };
      };

      system.stateVersion = "24.05";
    };
  };
}