diff --git a/hosts/nas/apps.nix b/hosts/nas/apps.nix
index 897d687..a4ee6c6 100644
--- a/hosts/nas/apps.nix
+++ b/hosts/nas/apps.nix
@@ -10,6 +10,8 @@ ./apps/paperless-ai ./apps/traefik ../../modules + + ./apps/netdata ]; nas-apps = {
diff --git a/hosts/nas/apps/netdata/default.nix b/hosts/nas/apps/netdata/default.nix
new file mode 100644
index 0000000..fe2872e
--- /dev/null
+++ b/hosts/nas/apps/netdata/default.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+{
+ services.netdata = {
+ enable = true;
+ # package = pkgs.netdataCloud;
+ package = pkgs.netdata.override {
+ withCloudUi = true;
+ };
+ configDir."python.d.conf" = pkgs.writeText "python.d.conf" ''
+ samba: yes
+ '';
+ # claimTokenFile = config.sops.secrets."jallen-nas/netdata-token".path;
+
+ config = {
+ # enable machine learning plugin
+ ml = {
+ "enabled" = "yes";
+ };
+
+ # enable samba plugin
+ plugins = {
+ "enable running new plugins" = "yes";
+ "ioping.plugin" = "yes";
+ "freeipmi.plugin" = "yes";
+ "perf.plugin" = "yes";
+ };
+ };
+ };
+
+ # add samba and sudo to path of python plugin
+ systemd.services.netdata.path = [ pkgs.samba "/run/wrappers" ];
+
+ # permit to run sudo smbstatus -P
+ security.sudo.extraConfig = ''
+ netdata ALL=(root) NOPASSWD: ${pkgs.samba}/bin/smbstatus
+ '';
+
+ # as documented here : https://github.com/netdata/netdata/blob/master/system/netdata.service.in
+ # review capabilityset above if other plugins are non functional
+ systemd.services.netdata.serviceConfig.CapabilityBoundingSet = ["CAP_SETGID"];
+}
diff --git a/hosts/nas/networking.nix b/hosts/nas/networking.nix
index 954fab4..38d70dc 100644
--- a/hosts/nas/networking.nix
+++ b/hosts/nas/networking.nix
@@ -5,6 +5,7 @@ let 9000 # authentik 2342 # grafana 51820 # wireguard + 19999 # netdata ]; in {
diff --git a/hosts/nas/sops.nix b/hosts/nas/sops.nix
index 9647570..5998714 100644
--- a/hosts/nas/sops.nix
+++ b/hosts/nas/sops.nix
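Review bot: The sudoers rule in `security.sudo.extraConfig` of `hosts/nas/apps/netdata/default.nix` lets the netdata user run `smbstatus` as root with any arguments, while the comment above it says only `smbstatus -P` is needed. Listing the argument in the rule limits it to that one invocation: `netdata ALL=(root) NOPASSWD: ${pkgs.samba}/bin/smbstatus -P`. Separately, the comment `# enable samba plugin` sits over a `plugins` block that turns on ioping, freeipmi and perf, while the samba collector itself is enabled in `python.d.conf`. I would reword it to `# enable extra external plugins (ioping, freeipmi, perf)` so the privileged helpers being switched on are visible at a glance.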
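Review bot: Adding `19999 # netdata` to this port list in `hosts/nas/networking.nix` appears to expose the netdata dashboard directly, and nothing in `hosts/nas/apps/netdata/default.nix` sets a bind address or access list for it. The list's name and the firewall option it feeds are outside the hunk, so which interfaces this affects should be confirmed. If the dashboard is meant to be reached through the traefik/authentik setup already on this host, consider dropping the port here and adding `web."bind to" = "127.0.0.1";` to `services.netdata.config`.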
@@ -65,6 +65,10 @@ restartUnits = [ "open-webui.service" ]; }; + sops.secrets."jallen-nas/netdata-token" = { + restartUnits = [ "netdata.service" ]; + }; + sops.secrets."jallen-nas/paperless/secret" = { restartUnits = [ "container@paperless.service" ]; };
diff --git a/modules/samba/default.nix b/modules/samba/default.nix
index a685559..6128b79 100644
--- a/modules/samba/default.nix
+++ b/modules/samba/default.nix
@@ -65,6 +65,7 @@ in "fruit:time machine" = if share.enableTimeMachine then "yes" else "no"; "vfs objects" = "catia fruit streams_xattr"; "fruit:time machine max size" = share.timeMachineMaxSize; + # "smbd profiling level" = "on"; }; in mapAttrs' make cfg.shares;
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 84f75d7..91b5000 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
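Review bot: The new secret `jallen-nas/netdata-token` in `hosts/nas/sops.nix` has no consumer in this commit, because its only reference, `claimTokenFile`, is commented out in `hosts/nas/apps/netdata/default.nix`. As declared, the claim token is still decrypted onto the host and `netdata.service` is listed in its `restartUnits`. Either enable `claimTokenFile = config.sops.secrets."jallen-nas/netdata-token".path;` or hold the declaration back until it is used. When it is enabled, check that the netdata service can read the file, since no `owner` is set in this hunk.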
@@ -26,6 +26,7 @@ jallen-nas: secret: ENC[AES256_GCM,data:qrwi13OLSM1Oww4pttfblrjvsdPR,iv:IITw2M6YfoSP3nECeUPWlhr56n7u03ivp8+fx5MDd54=,tag:4thPUaa2ueO95LOB5SiL6w==,type:str] authentik-client-id: ENC[AES256_GCM,data:8kHTmnT4kbxrN7Kyet1eu1KB+jA7bBx1Zs64cn5VZm0VjdSfYOwxxA==,iv:iTgsd9XWnRCQoBxj0QVjbIrSjPoYdnXv4lmn3qfllUA=,tag:CDAWMAOQ6X2sbu8RD8oiBw==,type:str] authentik-client-secret: ENC[AES256_GCM,data:WROqpqGQrZ8+Xy6v4dxABfqWs4lPDnl/OdsD2xvw5nqZ8mD66IJMx5eoS9UJ1aIOAr0bvQCUyMtC+xzSMcEORCmMoxT7qfg2rV6KZgRzDtRGt1loYdHECXpz1hGAc87YwiD8fVrEsuTAmlK8N6tmmfie5o6QakcFeoTpZSlAUJ0=,iv:fQg5itx52OIZeqBSylSbwtR7FD/8kF0YiDZ0jguIKus=,tag:yIm8q0PJQVDt7F4IIljbdg==,type:str] + netdata-token: ENC[AES256_GCM,data:kQiSTLxIztDoka5aa4/ymdp6Xyhc9VC2hwmr/afelGifjN7V7MgzhlMT6xfKoIQ+6RboH6kq50pS5A0AmY/ojog8QEP3k6zGjEsvlV3kNCGWvBU97L+7PH4okIApSYu+Hq996121rSOof+Pgk5mbG7Of5DZGeAJPXe9Dc9Z0cSLJrO6s6zCd,iv:0csCFa1XshbuGp0O3Kxs/NvQsJmadB091ZPSPAnuBL4=,tag:roTlcbeRwA/26G2GkhaaqA==,type:str] wireguard: private: ENC[AES256_GCM,data:/nOkn5nMrEEeKi1ySo9fAp+r1lQL02k0FZA99hUIKq7THvVWNaQ/Z6paoJU=,iv:iCTfGSdjJ0wMwv/34dv2ygKSm3qAJq6czOErMaFqHtg=,tag:EJZzBlVB5FSvveo5MWtC1g==,type:str] public: ENC[AES256_GCM,data:rOmyhwpolxNV2JroLdh90gYAuCGNZu/gY5NBxkHHNJ+qEblmDsom9alNHMQ=,iv:bF+XCO9lPHopLCEILTT4gA349d/Sa5qReSKN70EA3d4=,tag:Yx2TL/37n5Uohlwnlx97vg==,type:str] 
@@ -65,8 +66,8 @@ sops: UGhsN2N0Mjl3UEJvUVlGRlJiN05WaUkKW37lU4G4CLTo6JoHC2OyhKsG/FuO+BiN pzlVJwzRnmAqwklRbc6RMbQLl2EQrp6KQcgYsUxCMH9OQ/9WJ98dxQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-22T23:41:50Z" - mac: ENC[AES256_GCM,data:Sim5O8dLkq4k4TTTqCSvtiPxUpIJKKhhBcUsQFPkvyaHfLriDawhDANFY9c2DZHIDN0pQJuQ8h/a3AsXqq+lfXAtOGQeMkrDaEG6L9rk22QPKpXcPlRfF940r1CUYY1bmjxSd6+8fIYJPyPE7svPzseIyPFfmM9vNZmOhyXmeJ4=,iv:v0UoG3iGWzZS46LctHKF+4cEw/6Er0NKOKJiIX8OD6Y=,tag:LUk7aUdbIjdX1w6aeu5h5A==,type:str] + lastmodified: "2025-01-25T05:08:43Z" + mac: ENC[AES256_GCM,data:TFwJdmF0M4s3etKYXZAsMsEqcn7pt2Z6wgxPnLOpukFCGpNBorVsSWiFa/0UbvpZ7QRzNIEucEGAk0rspgnk0t+1EDxsW/UqXmieoLIQy317UHI/PVPprG6HPH/PHPCyhp/U4ddM94lKbxnEgf4kQDmL8Hl90vSWQs+8hOoByUk=,iv:1MjcEx4InMaDFStTLLvb/e0vAWyXoVb24dh2XwHvg3A=,tag:ZQQsuON1DFFD4aRWD2GTyg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.3