# NixOS module: opt-in Prometheus server, enabled with `pim.prometheus.enable`.
# It scrapes every entry of `nodes` that has the node exporter enabled, scrapes
# one PiKVM endpoint, and publishes the Prometheus listener through nginx.
{
  lib,
  config,
  nodes,
  ...
}: let
  cfg = config.pim.prometheus;

  # Keep only the nodes whose node exporter is switched on.
  exporterNodes =
    lib.filterAttrs
    (_: node: node.config.services.prometheus.exporters.node.enable)
    nodes;

  # One scrape job per remaining node. The job is named after the attribute
  # name in `nodes`, and the target is that node's FQDN and exporter port.
  nodeExporterJobs =
    lib.mapAttrsToList
    (jobName: node: let
      exporter = node.config.services.prometheus.exporters.node;
    in {
      job_name = jobName;
      static_configs = [
        {targets = ["${node.config.networking.fqdn}:${toString exporter.port}"];}
      ];
    })
    exporterNodes;

  # Scrape job for the PiKVM metrics endpoint.
  pikvmJob = {
    job_name = "pikvm";
    metrics_path = "/api/export/prometheus/metrics";
    scheme = "https";

    # NOTE(review): certificate verification is off, so the scraper does not
    # check who answers for "pikvm.dmz" and sends the basic-auth credentials
    # below to that endpoint regardless. Pinning the device certificate via
    # tls_config (e.g. a CA file) would let this be dropped.
    tls_config = {insecure_skip_verify = true;};

    # We don't care about security here, it's behind a VPN.
    # NOTE(review): these values are literals in the module, so they are in
    # version control and in the generated Prometheus configuration, which on
    # NixOS normally sits in the world-readable Nix store. They also look like
    # vendor defaults; if this is the device's administrative account (not
    # visible from here, confirm), it grants more than metrics access. A
    # dedicated account supplied through `basic_auth.password_file` from a
    # secret outside the store would limit exposure to the scrape endpoint.
    basic_auth.username = "admin";
    basic_auth.password = "admin";

    static_configs = [
      {targets = ["pikvm.dmz"];}
    ];
  };
in {
  options.pim.prometheus.enable = lib.mkEnableOption "prometheus";

  config = lib.mkIf cfg.enable {
    # NOTE(review): this opens plain-HTTP port 80 in the host firewall for
    # every interface. The virtual host below sets no TLS and no
    # authentication, so anyone who can reach the port can query Prometheus.
    # If only VPN peers should see it, a per-interface rule
    # (`networking.firewall.interfaces.<name>.allowedTCPPorts`) or nginx
    # access control / `basicAuthFile` would enforce that on the host.
    networking.firewall.allowedTCPPorts = [80];

    services.prometheus = {
      enable = true;
      scrapeConfigs = nodeExporterJobs ++ [pikvmJob];
    };

    services.nginx = {
      enable = true;

      # Reverse proxy from this host's FQDN to the local Prometheus listener.
      virtualHosts.${config.networking.fqdn}.locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.prometheus.port}";
        recommendedProxySettings = true;
      };
    };
  };
}