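# NixOS module: Prometheus server with local exporters, plus an nginx virtual
# host for prometheus.<domain> that redirects to the main site instead of
# proxying to the Prometheus web UI.
{ config, ... }:
let
  inherit (config.networking) domain;
  prometheus_host = "prometheus.${domain}";
  prometheus_port = 9090; # netstat -nlp | grep 9090

  # Prometheus and the exporters it scrapes only talk to each other on this
  # host (every scrape target below is a loopback address). Binding them to
  # loopback keeps the raw Prometheus API and exporter metrics off external
  # interfaces even if the firewall is disabled or a port is opened later;
  # the NixOS modules otherwise default listenAddress to 0.0.0.0.
  loopback = "127.0.0.1";
in
{
  # Add the Prometheus hostname as an extra name on the main domain's ACME
  # certificate; the nginx vhost below reuses that certificate (useACMEHost).
  security.acme.certs."${domain}".extraDomainNames = [ prometheus_host ];

  services.prometheus = {
    enable = true;
    listenAddress = loopback;
    port = prometheus_port;
    globalConfig.scrape_interval = "15s";

    scrapeConfigs = [
      {
        job_name = "chrysalis";
        static_configs = [
          {
            targets = [
              "${loopback}:${toString config.services.prometheus.exporters.node.port}"
              "${loopback}:${toString config.services.prometheus.exporters.nginx.port}"
              "${loopback}:${toString config.services.prometheus.exporters.postgres.port}"
            ];
          }
        ];
      }
    ];

    exporters = {
      # Scraped by the "chrysalis" job above, so loopback is sufficient.
      nginx = {
        enable = true;
        listenAddress = loopback;
      };
      postgres = {
        enable = true;
        listenAddress = loopback;
      };
      node = {
        enable = true;
        listenAddress = loopback;
        enabledCollectors = [ "systemd" ];
        port = 9002;
      };

      # NOTE(review): these four exporters are enabled but have no scrape
      # target in this file. Each one is an extra listening service; either
      # add a scrape job for it or disable it. Their listen address is left
      # at the module default in case something outside this file scrapes
      # them -- confirm, then bind them to loopback as well.
      redis.enable = true;
      domain.enable = true;
      nginxlog.enable = true;
      jitsi.enable = true;
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."${prometheus_host}" = {
      serverName = prometheus_host;
      forceSSL = true;
      useACMEHost = domain;
      locations."/" = {
        # Deliberately not proxied. If this is ever re-enabled, put
        # authentication in front of it: the Prometheus web UI and API have
        # no access control of their own by default.
        # proxyPass = "http://127.0.0.1:${builtins.toString config.services.prometheus.port}";
        return = "307 https://${domain}"; # nuh uh, no raw prometheus access for you!
      };
    };
  };
}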