# Similar to ``issuer.nix`` but for a "monitoring"-type system. Holes are
# filled by ``customize-monitoring.nix``.
{ lib, config, nodes, ... }:
let
  inherit (config.grid) publicKeyPath privateKeyPath monitoringvpnIPv4;

  # One record per deployed node, derived from that node's own
  # configuration: its deployment name, its VPN IP, and the names it is
  # reachable under on the VPN.
  monitoredHosts = lib.attrValues (lib.mapAttrs
    (hostName: node:
      let
        vpnName = "${hostName}.monitoringvpn";
      in
      {
        name = hostName;
        vpnIPv4 = node.config.grid.monitoringvpnIPv4;
        vpnHostName = vpnName;
        hostNames = [ hostName vpnName ];
      })
    nodes);

  # VPN IP address (as a string) -> list of hostnames (as strings). This
  # becomes the system's ``/etc/hosts``. Beyond ordinary forward lookups it
  # also gives reverse lookups from VPN IPs to hostnames, which is what lets
  # Grafana label hosts by name instead of by VPN address.
  vpnHostsFile = builtins.listToAttrs
    (map ({ vpnIPv4, hostNames, ... }: { name = vpnIPv4; value = hostNames; })
      monitoredHosts);

  # VPN IP addresses (as strings) of every monitored host except this
  # server itself; these are the peers admitted onto the VPN.
  vpnPeerIPs = lib.filter (ip: ip != monitoringvpnIPv4)
    (map ({ vpnIPv4, ... }: vpnIPv4) monitoredHosts);

  # Hostnames (as strings, resolvable through the hosts map above) from
  # which Prometheus scrapes "nodeExporter" metrics.
  scrapeTargets = map ({ name, ... }: name) monitoredHosts;
in
{
  imports = [
    ../../nixos/modules/monitoring/vpn/server.nix
    ../../nixos/modules/monitoring/server/grafana.nix
    ../../nixos/modules/monitoring/server/prometheus.nix
    ../../nixos/modules/monitoring/exporters/node.nix
    ../../nixos/modules/monitoring/exporters/blackbox.nix
    # Loki 0.3.0 from Nixpkgs 19.09 is too old and does not work:
    # ../../nixos/modules/monitoring/server/loki.nix
  ];

  config = {
    deployment.secrets =
      let
        # Both WireGuard key files are deployed the same way: readable by
        # root only, and the tunnel is restarted whenever one changes.
        wireguardKey = fileName: {
          destination = "/run/keys/monitoringvpn/${fileName}";
          source = "${privateKeyPath}/monitoringvpn/${fileName}";
          owner.user = "root";
          owner.group = "root";
          permissions = "0400";
          action = [ "sudo" "systemctl" "restart" "wireguard-monitoringvpn.service" ];
        };
      in
      {
        "monitoringvpn-private-key" = wireguardKey "server.key";
        "monitoringvpn-preshared-key" = wireguardKey "preshared.key";
      };

    networking.hosts = vpnHostsFile;

    services.private-storage.monitoring.vpn.server = {
      enable = true;
      ip = monitoringvpnIPv4;
      vpnClientIPs = vpnPeerIPs;
      pubKeysPath = "${publicKeyPath}/monitoringvpn";
    };

    services.private-storage.monitoring.prometheus = {
      nodeExporterTargets = scrapeTargets;
    };
  };
}