# Netdata parent node: accepts metric streams from every other node that
# declares a non-null `federez.monitoring.apiKey`, and opens TCP 19999.
{ nodes, pkgs, lib, ... }:
let
  # Location of a node's streaming API key inside its evaluated configuration.
  apiKeyPath = [ "config" "federez" "monitoring" "apiKey" ];

  # Renders one `[<api key>]` section of stream.conf for a child.
  # `allowFrom` is the per-key source-address pattern.
  childSection = apiKey: allowFrom: ''
    [${apiKey}]
    enabled = yes
    default history = 5000
    default memory mode = dbengine
    health enabled by default = auto
    allow from = ${allowFrom}
  '';

  # True when the node exposes the option and it is set to something other than null.
  hasApiKey = node: lib.attrByPath apiKeyPath null node != null;

  # Nodes whose metrics this parent is expected to receive.
  receivableNodes = lib.filterAttrs (_: hasApiKey) nodes;

  # One stream.conf fragment per child, prefixed with the node name as a comment.
  #
  # NOTE(review): every key is rendered with `allow from = *`, so the only
  # source-address restriction on streaming is the global
  # "allow streaming from" pattern in the [web] section below.
  childSections = lib.mapAttrsToList
    (name: peer: ''
      # ${name}
      ${childSection peer.config.federez.monitoring.apiKey "*"}
    '')
    receivableNodes;
in
{
  # I wish it could be truly reproducible, but it cannot because of the access token secret.
  # The entry is disabled, so this file is not installed in /etc; the token
  # below is a placeholder. Presumably the real file is provisioned out of
  # band; confirm it is readable only by the netdata user.
  environment.etc."netdata/health_alarm_notify.conf" = {
    enable = false;
    source = pkgs.writeText "health_alarm_notify.conf" ''
      SEND_MATRIX="YES"
      MATRIX_HOMESERVER="https://matrix.federez.net"
      MATRIX_ACCESSTOKEN="XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      DEFAULT_RECIPIENT_MATRIX="!vdYmGGkFFxIRklSLcO:federez.net"
    '';
  };

  services.netdata = {
    enable = true;
    package = pkgs.netdataCloud;

    config = {
      global = {
        # NOTE(review): with the access log off there is no per-request record
        # of who queried this parent; keep that in mind for incident response.
        "access log" = "none";
        "disconnect idle web clients after seconds" = 3600;
        "enable web responses gzip compression" = "no";
        "errors to trigger flood protection" = 8000;
        "dbengine multihost disk space" = 4 * 1024; # 4096, i.e. 4GiB if the unit is MiB (not 8GiB)
        "page cache size" = 1024; # 1GiB
      };

      db = {
        mode = "dbengine";
        "update every" = 5;
        "storage tiers" = 3;
        "dbengine multihost disk space MB" = 4 * 1024; # 4GiB
        "dbengine tier 1 multihost disk space MB" = 2 * 1024; # 2GiB
        "dbengine tier 2 multihost disk space MB" = 1 * 1024; # 1GiB
      };

      web = {
        # The bind address and the connection/dashboard/management ACLs are
        # left commented out, so Netdata's defaults apply to them.
        # NOTE(review): combined with the firewall rule below, confirm that
        # the dashboard and management endpoints are not reachable from
        # addresses that should only be allowed to stream.
        # "bind to" = "127.0.0.1 0.0.0.0 unix:/run/netdata/netdata.sock";
        # "allow connections from" = "localhost 127.0.0.1 0.0.0.0";
        # "allow dashboard from" = "localhost 127.0.0.1 0.0.0.0";
        # "allow management from" = "localhost 127.0.0.1";

        # Only this address pattern may open a streaming connection.
        "allow streaming from" = "89.234.162.*";

        # ACLs are matched on IP patterns only; hostname (DNS) matching is
        # switched off for every access class.
        "allow connections by dns" = "no";
        "allow dashboard by dns" = "no";
        "allow badges by dns" = "no";
        "allow streaming by dns" = "no";
        "allow netdata.conf by dns" = "no";
        "allow management by dns" = "no";
      };

      "[plugin:timex]" = {
        "update every" = 30;
        "clock synchronization state" = "yes";
        "time offset" = "yes";
      };
    };

    configDir = {
      # NOTE(review): the children's API keys are interpolated into a
      # `pkgs.writeText` derivation, so they end up in the Nix store, which is
      # readable by every local user and is copied wherever this closure is
      # pushed. If the keys are meant to be secret, render stream.conf from a
      # file kept outside the store instead.
      #
      # `[stream] enabled = no`: this node does not forward to another parent;
      # the per-key sections appended below are what accept the children.
      "stream.conf" = pkgs.writeText "stream.conf" ''
        [stream]
        enabled = no
        enable compression = yes

        # From file
        ${lib.concatStringsSep "\n" childSections}
      '';

      # Turns on the go.d `systemdunits` collector module.
      "go.d.conf" = pkgs.writeText "go.d.conf" (builtins.toJSON {
        modules.systemdunits = true;
      });
    };
  };

  # Opens the Netdata port to every source address; source filtering is left
  # to the Netdata [web] ACLs above.
  networking.firewall.allowedTCPPorts = [ 19999 ];

  # We are not the child.
  federez.monitoring.enableChild = false;
}