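# NixOS module: a Prometheus server bound to loopback, published through an
# nginx virtual host that terminates TLS with an ACME certificate.
{ config, ... }:

let
  # Public name, used for both webExternalUrl and the nginx virtual host.
  host = "prometheus.hackens.org";
  # Loopback port shared by the Prometheus listener, the nginx upstream and
  # the self-scrape target, so the three cannot drift apart.
  port = 9091;
in
{
  services.prometheus = {
    enable = true;
    inherit port;
    # "syntax-only" skips promtool's checks on referenced files, which the
    # build sandbox cannot see when they only exist at runtime.
    checkConfig = "syntax-only";
    enableReload = true;
    # Loopback only: the sole network path to the UI and API is the nginx
    # virtual host below.
    listenAddress = "127.0.0.1";
    # NOTE(review): the nginx location adds no authentication of its own, so
    # access control on https://${host} depends entirely on what this web
    # config enforces (not visible here). Confirm the age secret is declared
    # readable by the prometheus service user.
    webConfigFile = config.age.secrets."prometheus-webconf".path;
    webExternalUrl = "https://${host}";
    # Time and size limits apply together; whichever is reached first prunes.
    retentionTime = "5y";
    # The option is a list of strings; a bare string fails module type checking.
    extraFlags = [ "--storage.tsdb.retention.size=2GB" ];

    rules = [
      ''
        groups:
          - name: Chrony
            rules:
              - record: instance:chrony_clock_error_seconds:abs
                expr: >
                  abs(chrony_tracking_last_offset_seconds)
                  +
                  chrony_tracking_root_dispersion_seconds
                  +
                  (0.5 * chrony_tracking_root_delay_seconds)
      ''
    ];

    scrapeConfigs = [
      {
        job_name = "prometheus";
        # Self-scrape has to follow listenAddress and port; the previous
        # hard-coded localhost:9090 pointed at a port this server does not
        # listen on.
        # NOTE(review): if the web config requires credentials, this job
        # needs matching ones to scrape its own /metrics - confirm.
        static_configs = [ { targets = [ "127.0.0.1:${builtins.toString port}" ]; } ];
      }
      {
        job_name = "chrony";
        # NOTE(review): plain-HTTP scrape of a non-loopback address;
        # presumably a private network - confirm the exporter is not
        # reachable from outside it.
        static_configs = [ { targets = [ "10.10.10.3:9123" ]; } ];
      }
      {
        job_name = "kfet";
        static_configs = [ { targets = [ "127.0.0.1:9802" ]; } ];
      }
    ];
  };

  services.nginx.virtualHosts.${host} = {
    enableACME = true;
    # Redirects plain HTTP to HTTPS for this virtual host.
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${builtins.toString port}";
      proxyWebsockets = true;
      recommendedProxySettings = true;
    };
  };
}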