{
  roles.telegraf.perInstance =
    { ... }:
    {

      nixosModule =
        {
          config,
          pkgs,
          ...
        }:
        {

          networking.firewall.allowedTCPPorts = [ 9273 ];

          services.telegraf = {
            enable = true;
            environmentFiles = [ config.clan.core.vars.generators.prometheus.files.password-env.path ];

            extraConfig = {
              agent.interval = "60s";
              inputs = {

                diskio = { };
                kernel_vmstat = { };
                system = { };
                mem = { };
                systemd_units = { };
                swap = { };

                exec =
                  let
                    nixosSystems = pkgs.writeShellScript "current-system" ''
                      printf "nixos_systems,current_system=%s,booted_system=%s,current_kernel=%s,booted_kernel=%s present=0\n" \
                        "$(readlink /run/current-system)" "$(readlink /run/booted-system)" \
                        "$(basename $(echo /run/current-system/kernel-modules/lib/modules/*))" \
                        "$(basename $(echo /run/booted-system/kernel-modules/lib/modules/*))"
                    '';
                  in
                  [
                    {
                      # Expose the path to current-system as metric. We use
                      # this to check if the machine is up-to-date.
                      commands = [ nixosSystems ];
                      data_format = "influx";
                    }
                  ];
              };
              # sadly there doesn't seem to exist a telegraf http_client output plugin
              outputs.prometheus_client = {
                listen = ":9273";
                metric_version = 2;
                basic_username = "prometheus";
                basic_password = "$${BASIC_AUTH_PWD}";
              };
            };
          };
        };
    };
}