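# NixOS module: runs Grafana Alloy as a local OpenTelemetry collector.
#
# Data flow, as configured below:
#   OTLP receiver (gRPC on otlpGrpcPort, HTTP on otlpHttpPort, loopback only)
#     -> batch processor -> Prometheus exporter -> remote_write to local Prometheus
#     -> batch processor -> OTLP exporter -> Tempo on tempoOtlpGrpcPort (loopback)
#
# Network exposure:
#   - The OTLP receiver and both exporters use [::1], so telemetry ingestion and
#     forwarding are not reachable from other hosts.
#   - Alloy's own HTTP server listens on all addresses ([::]) and its port is
#     opened in the firewall; it is the only listener this module exposes.
{
  config,
  lib,
  namespace,
  ...
}: let
  inherit (builtins) toString;
  inherit (lib) mkEnableOption mkIf;

  cfg = config.${namespace}.services.observability.alloy;

  # Alloy's built-in HTTP server (web UI / HTTP API).
  httpPort = 9070;
  # OTLP ingestion ports; bound to loopback in the Alloy config below.
  otlpGrpcPort = 9071;
  otlpHttpPort = 9072;
  # Port of the Tempo OTLP gRPC receiver that traces are forwarded to.
  # NOTE(review): must match the Tempo configuration, which is not part of this module.
  tempoOtlpGrpcPort = 9062;
in {
  options.${namespace}.services.observability.alloy = {
    # mkEnableOption prepends "Whether to enable " to its argument, so the
    # argument is the bare name; the previous text rendered as
    # "Whether to enable enable Grafana Alloy."
    enable = mkEnableOption "Grafana Alloy";
  };

  config = mkIf cfg.enable {
    services.alloy = {
      enable = true;
      # Directory holding the config file written via environment.etc below.
      configPath = "/etc/alloy";
      extraFlags = [
        # Turn off Alloy's usage reporting.
        "--disable-reporting"
        # NOTE(review): binds the Alloy HTTP server to every interface. This
        # module sets up no authentication or TLS for it, so anything that can
        # reach the port can reach the UI/API. Confirm that exposure is
        # intended, or restrict it at the network layer.
        "--server.http.listen-addr=[::]:${toString httpPort}"
        "--storage.path=/var/lib/alloy"
      ];
    };

    environment.etc."alloy/config.alloy".text = ''
      otelcol.receiver.otlp "default" {
        grpc {
          endpoint = "[::1]:${toString otlpGrpcPort}"
        }

        http {
          endpoint = "[::1]:${toString otlpHttpPort}"
        }

        output {
          metrics = [otelcol.processor.batch.metrics.input]
          traces = [otelcol.processor.batch.traces.input]
        }
      }

      otelcol.processor.batch "metrics" {
        output {
          metrics = [otelcol.exporter.prometheus.default.input]
        }
      }

      otelcol.processor.batch "traces" {
        output {
          traces = [otelcol.exporter.otlp.tempo.input]
        }
      }

      otelcol.exporter.prometheus "default" {
        forward_to = [prometheus.remote_write.local.receiver]
      }

      prometheus.remote_write "local" {
        endpoint {
          url = "http://[::1]:${toString config.services.prometheus.port}/api/v1/write"
        }
      }

      otelcol.exporter.otlp "tempo" {
        client {
          endpoint = "[::1]:${toString tempoOtlpGrpcPort}"

          tls {
            insecure = true
          }
        }
      }
    '';
    # Notes on the Alloy config above (kept outside the string so the generated
    # file is unchanged):
    #   - prometheus.remote_write posts over plain HTTP to the local Prometheus.
    #     NOTE(review): assumes that Prometheus accepts remote-write requests;
    #     nothing in this module enables that.
    #   - `tls { insecure = true }` disables TLS on the Tempo client connection.
    #     That is acceptable only because the endpoint is loopback; if the
    #     endpoint is ever moved to another host, enable TLS at the same time.

    # Opens only the Alloy HTTP server port; the OTLP ports stay closed and are
    # loopback-bound anyway.
    networking.firewall.allowedTCPPorts = [httpPort];
  };
}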