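# Advanced Panoptikon configuration with secrets and custom reporters.
#
# Written as a NixOS module function so that `pkgs`, which every watcher
# below relies on, is actually in scope.
{ pkgs, ... }:

let
  # Load secrets from agenix.
  # NOTE(review): nothing below reads `secrets`. Any value taken from it and
  # interpolated into a script or option is copied into the world-readable
  # /nix/store; hand secrets to watchers as runtime credentials instead
  # (see `loadCredential` on the private-api watcher).
  secrets = import ../../secrets { };
in
{
  services.panoptikon.enable = true;

  services.panoptikon.watchers = {
    # Monitor a private API with authentication
    private-api = {
      script = pkgs.writers.writeDash "private-api" ''
        # "-o pipefail" is left out: not every dash release accepts it, and
        # the only pipeline here already ends in curl, whose status is kept.
        set -eu
        # The bearer token is handed to curl on stdin (-H @-) rather than as
        # an argument, so it does not show up in the process list. printf is
        # a shell builtin and spawns no process of its own.
        printf 'Authorization: Bearer %s\n' "$API_TOKEN" |
          ${pkgs.curl}/bin/curl -sSL \
            -H @- \
            -H "Content-Type: application/json" \
            https://api.example.com/data
      '';
      frequency = "hourly";
      # NOTE(review): systemd's LoadCredential= delivers credentials as files
      # under $CREDENTIALS_DIRECTORY, not as environment variables. Confirm
      # how this module exposes API_TOKEN to the script; with `set -u` the
      # watcher aborts instead of sending an empty bearer token.
      loadCredential = [ "API_TOKEN" ];
      reporters = [
        # Custom reporter that sends to a webhook.
        # The payload is built with jq so that neither the watcher name nor
        # the reported text can break out of the JSON document. `changes` is
        # therefore sent as a JSON string.
        # NOTE(review): this forwards private API output to an external
        # endpoint; confirm that is intended.
        (pkgs.writers.writeDash "webhook-reporter" ''
          set -eu
          payload=$(${pkgs.jq}/bin/jq -Rs --arg watcher "$PANOPTIKON_WATCHER" \
            '{watcher: $watcher, changes: .}')
          printf '%s' "$payload" |
            ${pkgs.curl}/bin/curl -X POST \
              -H "Content-Type: application/json" \
              --data-binary @- \
              https://hooks.example.com/panoptikon
        '')

        # Also log to systemd journal.
        # systemd-cat writes stdin to the journal under the given tag; the
        # previous journalctl call only read old entries back.
        (pkgs.writers.writeDash "journal-log" ''
          ${pkgs.systemd}/bin/systemd-cat -t panoptikon-private-api
        '')
      ];
    };

    # Monitor cryptocurrency prices with alerts
    crypto-monitor = {
      # CoinGecko's /coins/markets entries carry flat fields (current_price,
      # price_change_percentage_24h, market_cap); there is no `.quote.USD`
      # object, so the earlier filter produced nulls.
      script = pkgs.panoptikon.urlJSON {
        jqScript = ".[0] | { name: .name, price: .current_price, change24h: .price_change_percentage_24h, marketCap: .market_cap }";
      } "https://api.coingecko.com/api/v3/coins/markets?vs_currency=usd&ids=bitcoin";
      frequency = "*:0/15";
      reporters = [
        # NOTE(review): assumes stdin carries the watcher's JSON object; if
        # the module pipes a textual diff instead, jq fails and no alert is
        # raised. Confirm against the module.
        (pkgs.writers.writeDash "btc-alert" ''
          set -eu
          # stdin can be read only once, so keep it in a variable.
          quote=$(${pkgs.coreutils}/bin/cat)
          price=$(printf '%s\n' "$quote" | ${pkgs.jq}/bin/jq -r '.price')
          change=$(printf '%s\n' "$quote" | ${pkgs.jq}/bin/jq -r '.change24h')

          # Alert if price > $60,000 or change > 5%
          # jq -e exits 0 only when the expression is true; dash has no
          # (( )) arithmetic command.
          if printf '%s\n' "$quote" |
            ${pkgs.jq}/bin/jq -e '.price > 60000 or .change24h > 5' >/dev/null; then
            # NOTE(review): notify-send needs a user session bus; from a
            # system service it may have nowhere to deliver to.
            ${pkgs.libnotify}/bin/notify-send \
              "BTC Alert: $price ($change% change)"
          fi
        '')

        # Log to file.
        # NOTE(review): /var/log/panoptikon must exist and be writable by the
        # account the reporter runs as.
        (pkgs.writers.writeDash "price-logger" ''
          echo "$(${pkgs.coreutils}/bin/date): $(${pkgs.coreutils}/bin/cat)" >> /var/log/panoptikon/btc-prices.log
        '')
      ];
    };

    # Monitor system load with thresholds
    system-health = {
      script = pkgs.writers.writeDash "system-health" ''
        set -eu
        # Tools are referenced by store path: a systemd service does not
        # inherit an interactive PATH.
        awk=${pkgs.gawk}/bin/awk
        load=$(${pkgs.procps}/bin/uptime | $awk -F'load average:' '{print $2}' | $awk '{print $1}' | ${pkgs.coreutils}/bin/tr -d ',')
        mem=$(${pkgs.procps}/bin/free -m | $awk 'NR==2{printf "%.1f%%", $3*100/$2 }')
        disk=$(${pkgs.coreutils}/bin/df / | $awk 'NR==2{printf "%.1f%%", $5}')
        echo "load: $load, mem: $mem, disk: $disk"
      '';
      frequency = "*:0/5";
      reporters = [
        # NOTE(review): assumes stdin is the watcher's latest line in the
        # "load: X, mem: Y%, disk: Z%" format; confirm against the module.
        (pkgs.writers.writeDash "health-alert" ''
          set -eu
          awk=${pkgs.gawk}/bin/awk
          # stdin can be read only once, so keep it in a variable.
          report=$(${pkgs.coreutils}/bin/cat)
          load=$(printf '%s\n' "$report" | $awk -F',' '{print $1}' | $awk '{print $2}')
          mem=$(printf '%s\n' "$report" | $awk -F',' '{print $2}' | $awk '{print $2}')
          disk=$(printf '%s\n' "$report" | $awk -F',' '{print $3}' | $awk '{print $2}')

          # Alert if load > 2.0, mem > 80%, or disk > 90%
          # The trailing percent sign is stripped before the comparison; awk
          # exits 0 when any threshold is exceeded.
          if $awk -v load="$load" -v mem="''${mem%\%}" -v disk="''${disk%\%}" \
            'BEGIN { exit !(load > 2.0 || mem > 80 || disk > 90) }'; then
            ${pkgs.libnotify}/bin/notify-send \
              "System Alert: Load=$load, Mem=$mem, Disk=$disk"
          fi
        '')
      ];
    };
  };

  # Add monitoring user.
  # `users.users` is the current name of the option formerly spelled
  # `users.extraUsers`.
  users.users.panoptikon = {
    isSystemUser = true;
    createHome = true;
    home = "/var/lib/panoptikon";
    group = "panoptikon";
    description = "Panoptikon monitoring service";
    # NOTE(review): an SSH key on the service account lets the key holder act
    # as the user that can read the watcher credentials. Drop it unless
    # remote access is required, and if it stays, prefix the entry with
    # authorized_keys restrictions such as `restrict`.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK..." # Monitoring access key
    ];
  };

  # The account above names this group, so it has to be declared.
  users.groups.panoptikon = { };

  # Configure log rotation.
  # Rotation rules live under `services.logrotate.settings.<name>`, with the
  # file glob given as `files` inside the entry.
  services.logrotate = {
    enable = true;
    settings.panoptikon = {
      files = "/var/log/panoptikon/*.log";
      rotate = 14;
      compress = true;
      delaycompress = true;
      missingok = true;
      notifempty = true;
      # NOTE(review): 644 leaves rotated logs world-readable; use 640 if any
      # watcher output written here is sensitive.
      create = "644 panoptikon panoptikon";
    };
  };
}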