infra/services/monitoring/pyroscope/default.nix
raito 92560708b8 feat: multi-tenant secrets
Lix may have its own secrets and we want to maintain a certain
generalization level on the NixOS modules, so we can decorrelate which
secret we select dynamically by having a simple tenancy hierarchy
system.

This unfortunately requires rewriting all call sites with a floral
prefix until we migrate them to the simple internal secret module, which
is aware of this.

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-10-06 08:10:44 +00:00


# NixOS module that runs a Pyroscope server and exposes its two push
# endpoints through nginx on pyroscope.forkos.org.
{ lib, config, ... }:
let
  pyroscopeCfg = config.bagel.services.pyroscope;

  # The nginx upstream follows whatever HTTP port the Pyroscope settings declare.
  listenPort = config.services.pyroscope.settings.server.http_listen_port;

  # Both ingestion paths share this definition: forward to the local upstream
  # and require HTTP basic auth.
  # NOTE(review): `metrics-push-htpasswd` is not declared in this file; it has
  # to be provided by another module, otherwise evaluation fails here.
  authenticatedPush = {
    proxyPass = "http://pyroscope";
    basicAuthFile = config.age.secrets.metrics-push-htpasswd.path;
  };
in
{
  options.bagel.services.pyroscope.enable = lib.mkEnableOption "pyroscope server";

  # TODO: send me to nixpkgs
  imports = [ ./module.nix ];

  config = lib.mkIf pyroscopeCfg.enable {
    # Encrypted with agenix; this module only declares the "floral" tenant's file.
    age.secrets.pyroscope-secrets.file = ../../../secrets/floral/pyroscope-secrets.age;

    services.nginx.upstreams.pyroscope = {
      servers."127.0.0.1:${toString listenPort}" = {};
      extraConfig = "keepalive 16;";
    };

    # Only the two push paths are declared as locations in this module; no other
    # path on this virtual host is forwarded to Pyroscope from here.
    services.nginx.virtualHosts."pyroscope.forkos.org" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "/ingest" = authenticatedPush;
        "/push.v1.PusherService/Push" = authenticatedPush;
      };
    };

    services.pyroscope = {
      enable = true;
      # Handed to ./module.nix (not visible here).
      # NOTE(review): presumably this file supplies S3_KEY_ID / S3_KEY for the
      # placeholders below, which keeps the credentials out of the Nix store —
      # confirm against module.nix.
      secretFile = config.age.secrets.pyroscope-secrets.path;

      settings = {
        target = "all";
        multitenancy_enabled = false;
        api.base-url = "https://pyroscope.forkos.org";
        analytics.reporting_enabled = false;

        storage.backend = "s3";
        storage.s3 = {
          endpoint = "s3.delroth.net";
          region = "garage";
          bucket_name = "bagel-pyroscope";
          # `\${` is an escaped interpolation: the literal text ${S3_KEY_ID} /
          # ${S3_KEY} ends up in the settings, not a Nix-evaluated value.
          access_key_id = "\${S3_KEY_ID}";
          secret_access_key = "\${S3_KEY}";
          force_path_style = true;
        };

        # NOTE(review): no listen address is set here, so the bind interface is
        # whatever Pyroscope defaults to. The basic auth above only covers
        # traffic that goes through nginx — confirm that 4040, 9097 and 7948
        # are not reachable from outside the host (firewall or explicit
        # loopback bind).
        server = {
          http_listen_port = 4040;
          grpc_listen_port = 9097;
          # 104857600 bytes = 100 MiB.
          grpc_server_max_recv_msg_size = 104857600;
          grpc_server_max_send_msg_size = 104857600;
          grpc_server_max_concurrent_streams = 1000;
        };

        memberlist = {
          advertise_port = 7948;
          bind_port = 7948;
        };
      };
    };
  };
}