{ config, pkgs, ... }: {
  imports = [
    ./hardware.nix
    ./networking.nix # generated at runtime by nixos-infect
  ];

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "monitoring";
  networking.domain = "";
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [
    ''ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDjEgtIWPA5Ncs/KOcMeT6Q/HACJJetDOLjMvXXwUE+08oTX1EpHrWPpy8J+UHKIyErCNPYq8dgtrbhnMRlxHqI='' 
  ];
  networking.firewall.enable = false;

  services.grafana = {
    enable = true;
    settings.server = {
      domain = "grafana.gmem.ca";
      http_port = 2342;
      http_addr = "127.0.0.1";
    };
  };
  services.prometheus = {
    enable = true;
    globalConfig = {
      scrape_interval = "15s";
    };
    port = 9001;
    extraFlags = [ "--web.enable-remote-write-receiver" ];
    scrapeConfigs = [
      {
        job_name = "desktop";
        static_configs = [ { targets = [ "london:9100" ]; } ];
      }
      {
	      job_name = "nas";
        static_configs = [ { targets = [ "vancouver:9100" ]; } ];
      }
      {
        job_name = "monitoring";
        static_configs = [ { targets = [ "localhost:9100" ]; } ];
      }
      {
	      job_name = "speedtest-exporter";
	      scrape_interval = "1h";
	      scrape_timeout = "1m";
        static_configs = [ { targets = [ "vancouver:9798" ]; } ];
      }
      {
        job_name = "forgejo";
        static_configs = [ { targets = [ "git.gmem.ca" ]; } ];
      }
      {
	      job_name = "blackbox";
        metrics_path = "/probe";
        params = { "modules" = [ "http_2xx" ]; };
        static_configs = [ { targets = [ "google.com" "gabrielsimmer.com" "artbybecki.com" ]; } ];
  	    relabel_configs = [ 
          { source_labels = ["__address__"];    target_label = "__param_target"; }
          { source_labels = ["__param_target"]; target_label = "instance"; }
          { source_labels = []; target_label = "__address__"; replacement = "vancouver:9115"; } ];
      }
    ];
    exporters.node = {
      enable = true;
      listenAddress = "127.0.0.1";
      enabledCollectors = [
        "systemd" "processes"
      ];
    };
  };
  services.tailscale.enable = true;
  
  # nginx reverse proxy
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;
    recommendedZstdSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    virtualHosts.${config.services.grafana.domain} = {
      default = true;
      enableACME = true;
      forceSSL = true;
      locations."/" = {
	      
        proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
        proxyWebsockets = true;
      };
    };
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "acme@gmem.ca";

  system.stateVersion = "23.11";
}