nixos/hosts/web-arm/modules/victoriametrics.nix

{ config, lib, ... }:
with lib;
let
  # configure_prom = builtins.toFile "prometheus.yml" ''
  #   scrape_configs:
  #   - job_name: 'server'
  #     stream_parse: true
  #     static_configs:
  #     - targets:
  #       - ${config.networking.hostName}:9100
  # '';
  configure_prom = builtins.toFile "prometheus.yml" ''
    scrape_configs:
    # System metrics
    - job_name: 'node'
      stream_parse: true
      static_configs:
      - targets:
        - ${config.networking.hostName}:9100

    # Systemd service monitoring
    - job_name: 'systemd'
      metrics_path: /metrics
      params:
        collect[]:
          - 'systemd.service.state'
          - 'systemd.service.start_time_seconds'
          - 'systemd.unit_file.state'
      static_configs:
      - targets:
        - ${config.networking.hostName}:9100
      relabel_configs:
        # Filter for specific services we want to monitor
        - source_labels: [__name__]
          regex: 'node_systemd_unit_state'
          action: keep
        - source_labels: [name]
          regex: '(container@git|microvm@git-runner-|postfix|dovecot|openldap|wireguard-wg_cloonar).*\.service'
          action: keep
    ${concatStringsSep "\n" config.services.victoriametrics.extraScrapeConfigs}
  '';
in {
  options.services.victoriametrics = {
    extraScrapeConfigs = mkOption {
      type = types.listOf types.str;
      default = [];
      description = "Additional Prometheus scrape job YAML snippets for Blackbox Exporter probes";
    };
  };

  config = {
    services.prometheus.exporters.node.enable = true;

    sops.secrets.victoria-nginx-password.owner = "nginx";

    services.victoriametrics = {
      enable = true;
      extraOptions = [
        "-promscrape.config=${configure_prom}"
      ];
    };

    services.nginx.virtualHosts."victoria-server.cloonar.com" = {
      forceSSL = true;
      enableACME = true;
      acmeRoot = null;
      locations."/" = {
        proxyWebsockets = true;
        extraConfig = ''
          auth_basic "Victoria password";
          auth_basic_user_file ${config.sops.secrets.victoria-nginx-password.path};

          proxy_read_timeout 1800s;
          proxy_redirect off;
          proxy_connect_timeout 1600s;

          access_log off;
          proxy_pass http://127.0.0.1:8428;
        '';
      };
    };
  };
}