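{ config, lib, pkgs, ... }:

# clerie.monitoring: attaches this host to the monitoring overlay network
# (WireGuard interface wg-monitoring) and exposes Prometheus exporters on it.
# Every exporter port is opened on wg-monitoring only; nothing here widens the
# regular firewall.

let
  inherit (lib) mkEnableOption mkIf mkOption types;

  cfg = config.clerie.monitoring;

  # ULA prefix of the monitoring network. cfg.id is appended verbatim to form
  # this host's address, so an id of "1" yields fd00:327:327:327::1.
  monitoring-network-base = "fd00:327:327:327::";

  # This host's address on the monitoring network, without prefix length.
  monitoring-address = "${monitoring-network-base}${cfg.id}";

in

{
  options = {
    clerie.monitoring = {
      enable = mkEnableOption "clerie's Monitoring";
      id = mkOption {
        type = types.str;
        description = "ID of the Monitoring Interface (it is actually a part of an ip address)";
      };
      # Not read by this module; presumably consumed by the monitoring server's
      # peer list -- verify against that configuration.
      pubkey = mkOption {
        type = types.str;
        description = "Public Key of the monitoring wireguard interface of this host";
      };
      privateKeyFile = mkOption {
        type = with types; nullOr str;
        default = null;
        description = "Path to private key file, pulls secret from secret store when null";
      };
      # Not read by this module either; presumably used by scrape/alerting
      # configuration elsewhere.
      serviceLevel = mkOption {
        type = types.str;
        default = "infra";
        description = "Service level this instance is assigned to";
      };
      bird = mkEnableOption "Monitor bird";
      blackbox = mkEnableOption "Monitor blackbox";
      nixos = mkOption {
        type = types.bool;
        default = true;
        description = "Monitor NixOS";
      };
    };
  };

  config = mkIf cfg.enable {
    networking.wireguard.enable = true;
    networking.wireguard.interfaces = {
      wg-monitoring = {
        ips = [ "${monitoring-address}/64" ];
        peers = [
          # The central monitoring host; the only peer on this interface. Only
          # traffic destined for the monitoring prefix is routed through it.
          {
            endpoint = "[2001:638:904:ffca::7]:54523";
            persistentKeepalive = 25;
            allowedIPs = [ "${monitoring-network-base}/64" ];
            publicKey = "eyhJKV41E1F0gZHBNqyzUnj72xg5f3bdDduVtpPN4AY=";
          }
        ];
        # Explicit key file wins; otherwise the key comes from the sops secret
        # store, which keeps it out of the world-readable nix store.
        privateKeyFile = if cfg.privateKeyFile != null then cfg.privateKeyFile else
          config.sops.secrets.wg-monitoring.path;
      };
    };

    services.prometheus.exporters.node = {
      enable = true;
      # listenAddress is deliberately left at its default (all addresses);
      # exposure is limited by firewallFilter to the wg-monitoring interface
      # instead. Binding to monitoring-address would presumably couple exporter
      # start-up to the WireGuard interface being up -- unverified.
      openFirewall = true;
      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9100";
      enabledCollectors = [
        "systemd"
      ];
      extraFlags = [
        "--collector.textfile.directory=/var/lib/prometheus-node-exporter/textfiles"
      ];
    };

    # Directory for the textfile collector; other services drop their
    # *.prom files here.
    systemd.tmpfiles.rules = [
      "d /var/lib/prometheus-node-exporter/textfiles - - - - -"
    ];

    # Extends (list options merge, so this does not replace) the upstream
    # hardening set so the exporter may open netlink sockets, which some
    # collectors need.
    systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];

    services.prometheus.exporters.bird = mkIf cfg.bird {
      enable = true;
      openFirewall = true;
      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9324";
    };

    services.prometheus.exporters.blackbox = mkIf cfg.blackbox {
      enable = true;
      openFirewall = true;
      firewallFilter = "-i wg-monitoring -p tcp -m tcp --dport 9115";
      # Two ICMP probe modules with fallback disabled, so a probe named icmp6
      # can never silently succeed over IPv4 (and vice versa).
      configFile = pkgs.writeText "blackbox.yml" ''
        modules:
          icmp6:
            prober: icmp
            icmp:
              preferred_ip_protocol: ip6
              ip_protocol_fallback: false
          icmp4:
            prober: icmp
            icmp:
              preferred_ip_protocol: ip4
              ip_protocol_fallback: false
      '';
    };

    # Gated on cfg.nixos: previously the exporter and its firewall rule were
    # unconditional and the option was ignored.
    services.nixos-exporter = mkIf cfg.nixos {
      enable = true;
      # Binds all addresses; reachability is restricted to wg-monitoring by
      # the rule below, mirroring the exporters' firewallFilter above.
      listen = "[::]:9152";
    };

    # nixos-exporter has no openFirewall/firewallFilter of its own, so the
    # equivalent rule is added by hand. This uses ip46tables and therefore the
    # iptables-based firewall backend; it is not applied by an nftables-based
    # firewall.
    networking.firewall.extraCommands = mkIf cfg.nixos ''
      ip46tables -A nixos-fw -i wg-monitoring -p tcp -m tcp --dport 9152 -m comment --comment nixos-exporter -j nixos-fw-accept
    '';
  };
}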