{ ... }:
{
  _class = "clan.service";
  manifest.name = "clan-core/monitoring";
  manifest.description = "Monitoring service for the nodes in your clan";
  manifest.readme = builtins.readFile ./README.md;

  roles.telegraf = {
    description = "Placeholder role to apply the telegraf monitoring agent";
    interface =
      { lib, ... }:
      {
        options.allowAllInterfaces = lib.mkOption {
          type = lib.types.nullOr lib.types.bool;
          default = null;
          description = "Deprecated. Has no effect.";
        };

        options.interfaces = lib.mkOption {
          type = lib.types.nullOr (lib.types.listOf lib.types.str);
          default = null;
          description = "Deprecated. Has no effect.";
        };
      };
  };

  roles.prometheus = {
    description = "Prometheus monitoring daemon. Will collect metrics from all hosts with the telegraf role";
    interface =
      { lib, ... }:
      {
        options.webExternalUrl = lib.mkOption {
          type = lib.types.nullOr lib.types.str;
          default = null;
          example = "https://prometheus.tld";
          description = "The URL under which Prometheus is externally reachable";
        };
      };
  };

  imports = [
    ./telegraf.nix
    ./prometheus.nix
  ];

  perMachine.nixosModule =
    { pkgs, ... }:
    {
      clan.core.vars.generators."prometheus" = {

        share = true;

        files.password.restartUnits = [
          "telegraf.service"
          "prometheus.service"
        ];

        files.password-env.restartUnits = [ "telegraf.service" ];

        runtimeInputs = [
          pkgs.coreutils
          pkgs.xkcdpass
        ];

        script = ''
          xkcdpass --numwords 6 --delimiter - --count 1 | tr -d "\n" > $out/password
          printf 'BASIC_AUTH_PWD=%s\n' "$(cat $out/password)" > $out/password-env
        '';
      };
    };
}