# NixOS module: Prometheus server with two scrape jobs (node exporters of the
# deployment's nodes, and a PiKVM), published through an nginx reverse proxy.
{
  lib,
  config,
  nodes,
  ...
}: let
  cfg = config.pim.prometheus;

  # "fqdn:port" for every entry of `nodes` that has the node exporter enabled.
  exporterTargets =
    lib.mapAttrsToList
    (_name: host: "${host.config.networking.fqdn}:${toString host.config.services.prometheus.exporters.node.port}")
    (lib.filterAttrs (_name: host: host.config.services.prometheus.exporters.node.enable) nodes);

  nodeJob = {
    job_name = "node";
    static_configs = [{targets = exporterTargets;}];
  };

  pikvmJob = {
    job_name = "pikvm";
    scheme = "https";
    metrics_path = "/api/export/prometheus/metrics";
    static_configs = [{targets = ["pikvm.dmz"];}];

    # NOTE(review): certificate validation is off, so the scraper cannot tell
    # the real device from any other host answering for pikvm.dmz, and the
    # basic-auth header below is sent to whichever host answers. Pinning the
    # device certificate with `tls_config.ca_file` would keep HTTPS meaningful.
    tls_config = {
      insecure_skip_verify = true;
    };

    # Original rationale: security is not a concern here because the target
    # sits behind a VPN.
    # NOTE(review): admin/admin is the PiKVM factory default. Written inline,
    # the password also lands in the world-readable Nix store and in the
    # generated Prometheus configuration, so every local user on this host can
    # read it. `basic_auth.password_file` pointing at a secret kept outside the
    # store avoids that once the device password is changed.
    basic_auth = {
      username = "admin";
      password = "admin";
    };
  };
in {
  options.pim.prometheus = {
    enable = lib.mkEnableOption "prometheus";
  };

  config = lib.mkIf cfg.enable {
    # NOTE(review): this opens port 80 on every interface. The proxy below
    # serves the Prometheus UI and API over plain HTTP with no authentication,
    # so network placement is the only access control visible in this module.
    # `networking.firewall.interfaces.<name>.allowedTCPPorts` would limit it to
    # the VPN interface.
    networking.firewall.allowedTCPPorts = [80];

    services.prometheus = {
      enable = true;
      scrapeConfigs = [nodeJob pikvmJob];
    };

    services.nginx = {
      enable = true;

      # Forward everything on this host's FQDN to the local Prometheus port.
      virtualHosts.${config.networking.fqdn}.locations."/" = {
        recommendedProxySettings = true;
        proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
      };
    };
  };
}