# NixOS module for the "metrics01" host: Grafana on TCP 3000, Prometheus on
# 9001 with three scrape jobs, a NUT exporter, a hand-written systemd unit for
# grafana-to-ntfy, and a daily Borg backup of Grafana's database.
# Presumably an LXC guest, given the ./lxc-base.nix import -- confirm.
{ pkgs, lib, ... }: {
  imports = [ ./lxc-base.nix ];
  config = {
    # `my.vm` is not a stock NixOS option; presumably declared in
    # ./lxc-base.nix -- confirm there how name/ip4 are consumed.
    my.vm = {
      name = "metrics01";
      ip4 = "192.168.0.6";
    };
    # Puts the grafana-to-ntfy binary on the system PATH in addition to the
    # unit defined further down.
    environment.systemPackages = with pkgs; [ grafana-to-ntfy ];
    # Static name -> address entries appended to /etc/hosts. The scrape
    # targets, nutServer and the Borg repo URL below use these names.
    networking.extraHosts = ''
      192.168.0.2 xalicas
      192.168.0.3 proxmox
      192.168.0.4 craft01
      192.168.0.5 lab01
      192.168.0.6 metrics01
      192.168.0.100 unifi
    '';
    # Only Grafana's port is opened in this file; Prometheus (9001) and the
    # exporter ports are not listed here.
    networking.firewall.allowedTCPPorts = [ 3000 ];
    services.grafana = {
      enable = true;
      settings = {
        server = {
          # Binds every interface. Together with the firewall rule above,
          # Grafana is reachable from the network on 3000; no protocol or
          # certificate is set here, so that listener is plain HTTP.
          # NOTE(review): if a TLS-terminating reverse proxy serves
          # metrics.rperce.net, consider limiting access to 3000 to that
          # proxy's address so logins cannot bypass TLS -- confirm topology.
          http_addr = "0.0.0.0";
          http_port = 3000;
          enable_gzip = true;
          # With enforce_domain off, requests whose Host header differs from
          # `domain` are served rather than redirected.
          enforce_domain = false;
          domain = "metrics.rperce.net";
        };
      };
    };
    ## grafana-to-ntfy config is broken in nixpkgs, so we hardcode our own
    systemd.services.grafana-to-ntfy = {
      wantedBy = [ "multi-user.target" ];
      script = "exec ${lib.getExe pkgs.grafana-to-ntfy}";
      # NOTE(review): everything in `environment` is written into the
      # generated unit in /nix/store, which is world-readable on the host, and
      # it is visible to anyone who can read this file.
      #  - NTFY_URL embeds the topic name. On the public ntfy.sh server the
      #    topic name acts as the shared secret unless access control is
      #    configured, so treat it as a credential.
      #  - BAUTH_USER/BAUTH_PASS are presumably the basic-auth pair Grafana's
      #    webhook must present to this bridge (confirm against the tool's
      #    docs); the password equals the user name and is trivially guessable.
      # Mitigation: generate random values and supply them at runtime through
      # serviceConfig.EnvironmentFile or LoadCredential, from a root-only file
      # managed outside the store (e.g. sops-nix or agenix), then rotate the
      # topic and password that appear here.
      environment = {
        NTFY_URL = "https://ntfy.sh/99ecef2d-05c1-4e73-9cc5-c9a1e6d0adf0";
        BAUTH_USER = "grafana";
        BAUTH_PASS = "grafana";
      };
      # Sandbox for the bridge process. These options constrain what the
      # process can do on the host; they do not protect the values in
      # `environment` above.
      serviceConfig = {
        # Runs under a transient, unprivileged user allocated by systemd.
        DynamicUser = true;
        # Empty bounding set: the service can hold no capabilities.
        CapabilityBoundingSet = [ "" ];
        # No device nodes are allow-listed; PrivateDevices gives a minimal /dev.
        DeviceAllow = "";
        LockPersonality = true;
        PrivateDevices = true;
        PrivateUsers = true;
        # Restrict the /proc view to this service's own processes.
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        # Only IPv4/IPv6 and unix sockets may be created.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        MemoryDenyWriteExecute = true;
        SystemCallArchitectures = "native";
        # Allow the @system-service set, then subtract @privileged.
        SystemCallFilter = [ "@system-service" "~@privileged" ];
        # Files the service creates are owner-only.
        UMask = "0077";
      };
    };
    services.prometheus = {
      enable = true;
      port = 9001;
      # No scheme, TLS or auth settings are given for any job, so scrapes use
      # Prometheus defaults (plain HTTP, unauthenticated).
      scrapeConfigs = [
        {
          # Port 9100 on each host -- presumably node_exporter; the local
          # exporter at 127.0.0.1:9100 is not enabled in this file.
          job_name = "nodes";
          static_configs = [
            {
              targets = [
                "xalicas:9100"
                "proxmox:9100"
                "craft01:9100"
                "lab01:9100"
                "127.0.0.1:9100"
                "unifi:9100"
              ];
            }
          ];
        }
        {
          # Scrapes the local NUT exporter (enabled below), passing the UPS
          # name as a query parameter and attaching it as a label.
          job_name = "nut";
          metrics_path = "/ups_metrics";
          params = { ups = [ "minirack-1500va" ]; };
          static_configs = [{
            targets = [ "127.0.0.1:9199" ];
            labels = { ups = "minirack-1500va"; };
          }];
        }
        {
          job_name = "minecraft";
          static_configs = [{
            targets = [ "craft01:25585" ];
          }];
        }
      ];
    };
    # Exporter that queries the NUT server on xalicas for the listed UPS
    # variables; presumably listens on 9199, matching the "nut" job above.
    services.prometheus.exporters.nut = {
      enable = true;
      nutServer = "xalicas";
      nutVariables = [
        "battery.charge"
        "battery.charge.low"
        "battery.charge.warning"
        "battery.runtime"
        "battery.runtime.low"
        "ups.load"
        "ups.power"
        "ups.power.nominal"
        "ups.realpower"
        "ups.realpower.nominal"
        "ups.status"
      ];
    };
    # Daily Borg backup of Grafana's database file to backup@xalicas over SSH.
    services.borgbackup.jobs.grafana = {
      paths = [ "/var/lib/grafana/data/grafana.db" ];
      archiveBaseName = null;
      # NOTE(review): mode "none" stores archives unencrypted and
      # unauthenticated. grafana.db typically holds user records, password
      # hashes, API/service-account tokens and data-source settings, so anyone
      # with read access to the repository on xalicas can read them, and
      # tampering with an archive would not be detected. Consider a keyed mode
      # such as "repokey-blake2" with encryption.passCommand reading a
      # root-only file. Borg fixes the mode when a repository is initialised,
      # so this needs a new repo.
      encryption.mode = "none";
      # NOTE(review): uses the admin account's personal SSH key. A dedicated
      # backup key, restricted on the server via authorized_keys to
      # `borg serve --restrict-to-path ...` (optionally --append-only), limits
      # what a compromise of this host can do to xalicas -- confirm how the
      # backup account is set up.
      environment.BORG_RSH = "ssh -i /home/admin/.ssh/id_ed25519";
      repo = "ssh://backup@xalicas/./grafana";
      compression = "auto,zstd";
      startAt = "daily";
    };
  };
}