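# NixOS module: Prometheus node exporter behind mutual TLS.
#
# Importing this module unconditionally enables
# services.prometheus.exporters.node (port 9100) and hands it a web config
# that requires every scraper to present a client certificate issued by
# `prometheusCa`. Optionally the accepted certificates are further pinned to
# an allow-list of Subject Alternative Names.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.ppNodeExporter;

  # Unix group the exporter runs under. The on-host certificate and key are
  # made readable by this group (mode 0640) and by nobody else.
  exporterGroup = config.services.prometheus.exporters.node.group;

  # The CA certificate is public material, so keeping it in the
  # (world-readable) Nix store is fine. The server certificate and private
  # key are deliberately NOT written to the store; they are referenced by
  # path on the target host.
  prometheusCaFile = pkgs.writeTextFile {
    name = "prometheus_ca.pem";
    text = cfg.prometheusCa;
  };

  yaml = pkgs.formats.yaml { };

  # Web config consumed via --web.config.file. Client authentication is
  # mandatory; `client_allowed_sans` is only emitted when an allow-list is
  # configured, because an absent key means "do not check SANs".
  nodeWebConfig = yaml.generate "prometheus-node-exporter-webconfig.yml" {
    tls_server_config = {
      client_ca_file = prometheusCaFile;
      cert_file = cfg.prometheusNodeExporterCertFile;
      key_file = cfg.prometheusNodeExporterCertKeyFile;
      client_auth_type = "RequireAndVerifyClientCert";
    } // lib.optionalAttrs (cfg.prometheusNodeExporterAllowScrapperSans != null) {
      client_allowed_sans = cfg.prometheusNodeExporterAllowScrapperSans;
    };
  };

  # Shell snippet restricting one on-host credential file to
  # root:<exporterGroup>, mode 0640.
  #
  # Ownership is fixed before the mode so the file is never briefly
  # group-readable by a stale group under the new permissions. A missing
  # file is reported on stderr instead of aborting the snippet, so a first
  # activation that runs before the certificate has been provisioned still
  # completes.
  restrictFile = path: ''
    if [ -e ${lib.escapeShellArg path} ]; then
      chown root:${lib.escapeShellArg exporterGroup} ${lib.escapeShellArg path}
      chmod 640 ${lib.escapeShellArg path}
    else
      echo "ppNodeExporter: credential file missing, skipping permission fix:" ${lib.escapeShellArg path} >&2
    fi
  '';
in
{
  options.services.ppNodeExporter = {
    prometheusCa = lib.mkOption {
      type = lib.types.str;
      example = ''
        -----BEGIN CERTIFICATE-----
        MIIBaTCCAQ6gAwIBAgIUccDw/Xe2RC4p9gwdQMkcbPlS740wCgYIKoZIzj0EAwIw
        EjEQMA4GA1UEAwwHZXhhbXBsZTAeFw0yNTAyMjMxMTQzMTlaFw0zNTAyMjExMTQz
        MTlaMBIxEDAOBgNVBAMMB2V4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
        AARk2SGMdAzOR+I+xAJDXO2nm8N4oa8V/kqstJrvd3gGTVsk8b0/EA+6ZrFISL0t
        MroC27QCybMwRol9oalSVnoCo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
        /wQEAwIBhjAdBgNVHQ4EFgQUy13fD60aREMworuMEulXdkvTKOwwCgYIKoZIzj0E
        AwIDSQAwRgIhALcoP/hicosVELvPfnomcEsWXTkkIVGbu1NeS5I2L72YAiEAi3AG
        7/hpeMxkaE0d2D8pr6exVlZR7kDa9FgDpfu/+a0=
        -----END CERTIFICATE-----
      '';
      description = ''
        PEM-encoded CA certificate that issues the Prometheus scraper's client
        certificate. Only clients presenting a certificate chaining to this CA
        may scrape node exporter.
      '';
    };

    # Both file options point at files on the target host, expected to be
    # provisioned out of band (the defaults live under
    # /etc/prometheus-node-exporter/). Set them as strings: a Nix path
    # literal (./node-exporter.key) would be copied into the world-readable
    # Nix store.
    prometheusNodeExporterCertFile = lib.mkOption {
      type = lib.types.path;
      default = "/etc/prometheus-node-exporter/node-exporter.pem";
      description = "Path of the TLS certificate used by Prometheus node exporter.";
    };

    prometheusNodeExporterCertKeyFile = lib.mkOption {
      type = lib.types.path;
      default = "/etc/prometheus-node-exporter/node-exporter.key";
      description = ''
        Path of the private key for the certificate used by Prometheus node
        exporter. Its permissions are tightened to root:<exporter group>,
        mode 0640, on activation.
      '';
    };

    prometheusNodeExporterAllowScrapperSans = lib.mkOption {
      type = lib.types.nullOr (lib.types.listOf lib.types.str);
      default = null;
      example = [ "prometheus.example.com" ];
      description = ''
        Subject Alternative Names a client certificate must carry to be
        allowed to scrape node exporter. If null, any certificate issued by
        the configured CA is accepted and SANs are not checked.
      '';
    };
  };

  config = {
    # NOTE(review): assumes the exporter's group already exists when this
    # snippet runs; confirm ordering against user/group creation.
    system.activationScripts.prometheusNodeExporterFilePermission.text =
      restrictFile cfg.prometheusNodeExporterCertFile
      + restrictFile cfg.prometheusNodeExporterCertKeyFile;

    services.prometheus.exporters.node = {
      enable = true;
      port = 9100; # default
      enabledCollectors = [ "systemd" ]; # logind ?
      # Hand node_exporter the generated mTLS web config.
      extraFlags = [ "--web.config.file=${nodeWebConfig}" ];
    };
  };
}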