{ config, lib, ... }:
let
  blackbox_host = config.services.prometheus.exporters.blackbox.listenAddress;
  blackbox_port = config.services.prometheus.exporters.blackbox.port;
in
{
  config.services.victoriametrics = {
    enable = true;
    extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];

    scrapeConfigs = {
      forgejo = {
        targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
      };

      blackbox = {
        static_configs = lib.singleton {
          targets = lib.mapAttrsToList (vHost: _: "https://${vHost}") config.services.nginx.virtualHosts;
        };

        extraSettings = {
          metrics_path = "/probe";
          params.module = [ "http_2xx" ];

          relabel_configs = [
            {
              source_labels = [ "__address__" ];
              target_label = "__param_target";
            }
            {
              source_labels = [ "__param_target" ];
              target_label = "instance";
            }
            {
              target_label = "__address__";
              replacement = "${blackbox_host}:${toString blackbox_port}";
            }
          ];
        };
      };

      blackbox_turn = {
        targets = [ "turn.tlater.net:${toString config.services.coturn.tls-listening-port}" ];

        extraSettings = {
          metrics_path = "/probe";
          params.module = [ "turn_server" ];

          relabel_configs = [
            {
              source_labels = [ "__address__" ];
              target_label = "__param_target";
            }
            {
              source_labels = [ "__param_target" ];
              target_label = "instance";
            }
            {
              target_label = "__address__";
              replacement = "${blackbox_host}:${toString blackbox_port}";
            }
          ];
        };
      };

      blackbox_exporter.targets = [ "${blackbox_host}:${toString blackbox_port}" ];

      coturn.targets = [ "127.0.0.1:9641" ];

      crowdsec.targets =
        let
          address = config.security.crowdsec.settings.prometheus.listen_addr;
          port = config.security.crowdsec.settings.prometheus.listen_port;
        in
        [ "${address}:${toString port}" ];

      csFirewallBouncer.targets =
        let
          address =
            config.security.crowdsec.remediationComponents.firewallBouncer.settings.prometheus.listen_addr;
          port =
            config.security.crowdsec.remediationComponents.firewallBouncer.settings.prometheus.listen_port;
        in
        [ "${address}:${toString port}" ];

      # Configured in the hookshot listeners, but it's hard to filter
      # the correct values out of that config.
      matrixHookshot.targets = [ "127.0.0.1:9001" ];
    };
  };
}