# Per-instance configuration for the `prometheus` role: enables Prometheus on
# the machine and scrapes every machine that carries the `telegraf` role.
{
  roles.prometheus.perInstance =
    {
      settings,
      instanceName,
      roles,
      ...
    }:
    {
      nixosModule =
        {
          config,
          lib,
          # pkgs,
          ...
        }:
        let
          # Domain suffix appended to each machine name to form its scrape address.
          tld = config.clan.core.settings.tld;

          # Names of all machines assigned the `telegraf` role.
          telegrafMachines = lib.attrNames roles.telegraf.machines;
        in
        {
          # The scrape password reaches the unit as a systemd credential.
          # `%d` expands to the unit's credentials directory, and the read-only
          # bind mount exposes the file at the fixed path that
          # `basic_auth.password_file` points to below.
          # NOTE(review): the `prometheus` vars generator is not defined in this
          # snippet; presumably it is declared elsewhere. Verify.
          systemd.services.prometheus.serviceConfig = {
            LoadCredential = "password:${config.clan.core.vars.generators.prometheus.files.password.path}";
            BindReadOnlyPaths = "%d/password:/etc/prometheus/password";
          };

          services.prometheus = {
            enable = true;

            # TODO: what do we set here? Do we even need something?
            # TODO: this should be an export.
            # Candidate value: "https://prometheus.${config.clan.core.settings.tld}";
            inherit (settings) webExternalUrl;

            # Keep 30 days of TSDB data.
            extraFlags = [ "--storage.tsdb.retention.time=30d" ];

            scrapeConfigs = [
              {
                job_name = "telegraf";
                scrape_interval = "60s";
                metrics_path = "/metrics";

                # NOTE(review): no `scheme` is set for this job, so Prometheus
                # uses its default (plain HTTP) and the basic-auth password is
                # sent unencrypted to every target. `scheme` is a job-level
                # key; it is not valid inside a `static_configs` entry. Set
                # `scheme = "https";` here once the telegraf endpoints serve
                # TLS. TODO: confirm what the telegraf role exposes.
                basic_auth = {
                  username = "prometheus";
                  password_file = "/etc/prometheus/password";
                };

                static_configs = [
                  {
                    # One target per telegraf machine: <machine>.<tld>:9273,
                    # fetched at /metrics as user `prometheus`.
                    targets = map (machine: "${machine}.${tld}:9273") telegrafMachines;

                    # Tag every scraped series with the service instance name.
                    labels = {
                      type = instanceName;
                    };
                  }
                ];
              }
            ];
          };
        };
    };
}