{
  pkgs,
  lib,
  config,
  ...
}:
let
  inherit (lib) mkEnableOption mkIf;

  # Build-time gate for the ruler's rule files.
  #
  # The derivation runs `promtool check rules` over every entry in ./alerts and
  # only afterwards creates its output. runCommand scripts run under stdenv's
  # shell setup, which is expected to stop at the first failing command, so a
  # rule file that promtool rejects should fail the build instead of reaching
  # the running ruler (NOTE(review): confirm against the nixpkgs version in use).
  #
  # The validated tree is copied to $out/anonymous/ because the ruler's "local"
  # backend looks up rules per tenant directory, and with
  # multitenancy_enabled = false (see services.mimir below) Mimir files
  # everything under the tenant "anonymous".
  #
  # The result lives in the Nix store, which is world-readable on the host:
  # rule files and their annotations must not embed credentials or webhook
  # tokens.
  alerts = pkgs.runCommand "mimir-alerts-checked" {
    nativeBuildInputs = [ pkgs.prometheus.cli ]; # provides promtool
    src = ./alerts;
  } ''
    promtool check rules $src/*
    mkdir $out
    cp -R $src $out/anonymous/
  '';
in
{
  services.mimir =
    let
      # Every listener and ring address below is pinned to loopback. Mimir does
      # not authenticate requests itself, so this binding is what keeps the
      # query, ruler, alertmanager and admin endpoints off the network. Any
      # local process on this host can still reach them without credentials.
      loopback = "127.0.0.1";
    in
    {
      enable = true;

      # Single-node, single-tenant Mimir ("all" plus the alertmanager target).
      configuration = {
        target = "all,alertmanager";

        # With multitenancy off no tenant header is required and all series
        # share the tenant "anonymous": every client that gets past the reverse
        # proxy writes into the same data set, with no per-client isolation.
        multitenancy_enabled = false;

        # Turns off Mimir's anonymous usage reporting.
        usage_stats.enabled = false;

        # These limits are deliberately loose. Combined with the single shared
        # tenant, one misbehaving or compromised writer can exhaust memory and
        # disk on this node, so watch ingestion and active-series metrics.
        limits.ingestion_rate = 1000000; # can't set to unlimited :(
        limits.max_global_series_per_user = 0; # unlimited
        limits.out_of_order_time_window = "12h";
        # we have pgscv queries that are LONG
        # NOTE(review): if those label values carry query text, confirm they
        # cannot contain literals (e.g. credentials or personal data), since
        # label values are stored and visible to anyone who can query.
        limits.max_label_value_length = 10000;

        server = {
          log_level = "warn";
          http_listen_address = loopback;
          http_listen_port = 9009;
          grpc_listen_address = loopback;
          grpc_listen_port = 9096;
        };

        # All state is kept on the local filesystem with a replication factor
        # of 1, so there is no second copy if this host is lost.
        blocks_storage.backend = "filesystem";
        alertmanager_storage.backend = "filesystem";

        # Rules come from the promtool-checked store path built in the let
        # block; the store is read-only, so rules cannot be changed at runtime.
        ruler_storage.backend = "local";
        ruler_storage.local.directory = alerts;

        ingester.ring.instance_addr = loopback;
        ingester.ring.kvstore.store = "memberlist";
        ingester.ring.replication_factor = 1;

        alertmanager.sharding_ring.instance_addr = loopback;
        alertmanager.sharding_ring.replication_factor = 1;

        # Gossip is bound to loopback as well, so no remote member can join the
        # ring of this single-node setup.
        memberlist.bind_addr = [ loopback ];
      };
    };

  services.nginx =
    let
      # Address of the local Mimir HTTP listener, derived from the Mimir
      # configuration so the proxy cannot drift from the port Mimir binds.
      mimirHttp = "127.0.0.1:${toString config.services.mimir.configuration.server.http_listen_port}";
    in
    {
      upstreams.mimir = {
        extraConfig = "keepalive 20;";
        servers.${mimirHttp} = { };
      };

      # nginx is the only authentication boundary in front of Mimir. This file
      # publishes just the remote-write endpoint; query, ruler, alertmanager
      # and admin paths get no location here.
      #
      # NOTE(review): no forceSSL/onlySSL/addSSL is set in this file. Unless
      # TLS is enforced for this vhost elsewhere, the Basic credentials and the
      # pushed samples cross the network in cleartext -- confirm.
      #
      # NOTE(review): the htpasswd file comes from the sops secret
      # "services/mimir/nginx", which is declared outside this file; confirm it
      # is readable by the nginx user only. Every credential in that file can
      # write to the same shared tenant, so rotating one client means editing
      # the file rather than revoking a tenant.
      virtualHosts."mimir.noc.eh22.intern".locations."/api/v1/push" = {
        basicAuthFile = config.sops.secrets."services/mimir/nginx".path;
        proxyPass = "http://mimir";
      };
    };
}