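# Define a function which returns a value which fills in all the holes left by
# ``monitoring.nix``.
#
# The result is itself a function of the module arguments (``{ config, ... }``)
# that returns an attribute set of deployment and service settings for the
# monitoring host.
{
  # A set mapping VPN IP addresses as strings to lists of hostnames as
  # strings.  The system's ``/etc/hosts`` will be populated with this
  # information.  Apart from helping with normal forward resolution, this
  # *also* gives us reverse resolution from the VPN IPs to hostnames which
  # allows Grafana to show us hostnames instead of VPN IP addresses.
  hostsMap

  # See ``customize-issuer.nix``.
, publicKeyPath
  # NOTE(review): every secret source below is built by interpolating this
  # value into a string.  If a caller ever passes a Nix *path* value instead
  # of a string, interpolation copies the referenced files into the Nix store,
  # which is world-readable on the evaluating machine -- confirm that callers
  # pass a string.
, privateKeyPath
, monitoringvpnIPv4
, domain
, letsEncryptAdminEmail

  # A list of VPN IP addresses as strings indicating which clients will be
  # allowed onto the VPN.
, vpnClientIPs

  # A list of VPN clients (IP addresses or hostnames) as strings indicating
  # which nodes to scrape "nodeExporter" metrics from.
, nodeExporterTargets

  # A list of VPN clients (IP addresses or hostnames) as strings indicating
  # which nodes to scrape "nginxExporter" metrics from.  Defaults to the empty
  # list when the caller omits it.
, nginxExporterTargets ? []

  # A list of VPN clients (IP addresses or hostnames) as strings indicating
  # which nodes to scrape PaymentServer metrics from.  Defaults to the empty
  # list when the caller omits it.
, paymentExporterTargets ? []

  # A string containing the GSuite OAuth2 ClientID to use to authenticate
  # logins to Grafana.
, googleOAuthClientID

  # A string giving the NixOS state version for the system.
, stateVersion
, ...
}:
{ config, ... }:
let
  # Fully-qualified name of this host.  It is used both as the deployment
  # target and as the Grafana domain, so it is computed once here to keep the
  # two from drifting apart.
  fqdn = "${config.networking.hostName}.${config.networking.domain}";
in
{
  # See customize-issuer.nix for an explanation of targetHost value.
  deployment.targetHost = fqdn;

  # Key material is referenced by its location under ``privateKeyPath``; only
  # ``source`` is set for each entry in this file.
  # NOTE(review): where the secrets land on the target and who may read them
  # is not defined here -- presumably in ``monitoring.nix``; confirm.
  deployment.secrets = {
    "monitoringvpn-private-key".source = "${privateKeyPath}/monitoringvpn/server.key";
    "monitoringvpn-preshared-key".source = "${privateKeyPath}/monitoringvpn/preshared.key";
    "grafana-google-sso-secret".source = "${privateKeyPath}/grafana-google-sso.secret";
  };

  networking.domain = domain;
  networking.hosts = hostsMap;

  services.private-storage.monitoring.vpn.server = {
    enable = true;
    ip = monitoringvpnIPv4;
    # Client allow-list for the VPN (see the argument comment above).
    inherit vpnClientIPs;
    pubKeysPath = "${publicKeyPath}/monitoringvpn";
  };

  services.private-storage.monitoring.prometheus = {
    inherit nodeExporterTargets nginxExporterTargets paymentExporterTargets;
  };

  services.private-storage.monitoring.grafana = {
    inherit letsEncryptAdminEmail googleOAuthClientID;
    domain = fqdn;
  };

  system.stateVersion = stateVersion;
}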