{ config, pkgs, lib, ... }: {

  services.nginx = {
    enable = true;
    statusPage = true;
    virtualHosts = {
      "prometheus.${config.networking.hostName}.private" = {
        extraConfig = ''
          allow ${config.tinc.private.subnet};
          deny all;
        '';
        locations."/" = { proxyPass = "http://localhost:${toString config.services.prometheus.port}"; };
      };
    };
  };

  services.prometheus = {
    checkConfig = "syntax-only";
    enable = true;
    # keep data for 30 days
    extraFlags = [ "--storage.tsdb.retention.time=90d" ];
  };
}