{ config, ... }:
{
  services.prometheus = {
    enable = true;
    globalConfig = {
      scrape_interval = "15s";
    };
    # Only check the configuration syntax, because the check is run during the build phase
    # and secrets are not accessible to the build environment
    checkConfig = "syntax-only";

    scrapeConfigs = [
      {
        job_name = "saga";
        static_configs = [
          {
            targets = [
              "saga:${toString config.services.prometheus.exporters.node.port}" # node
            ];
          }
        ];
      }
      {
        job_name = "valkyrie";
        static_configs = [
          {
            targets = [
              "valkyrie:${toString config.services.prometheus.exporters.node.port}" # node
              "valkyrie:${toString config.services.prometheus.exporters.unbound.port}" # unbound
            ];
          }
        ];
      }
      {
        job_name = "incus";
        metrics_path = "/1.0/metrics";
        scheme = "https";
        tls_config = {
          ca_file = config.sops.secrets.metrics_ca.path;
          cert_file = config.sops.secrets.metrics_cert.path;
          key_file = config.sops.secrets.metrics_key.path;
        };
        static_configs = [ { targets = [ "odin:8443" ]; } ];
      }
    ];

    exporters = {
      node = {
        enable = true;
        enabledCollectors = [ "systemd" ];
      };
    };
  };
}