{
  config,
  pkgs,
  ...
}: let
  alertmanagerEnv = config.sops.secrets."alertmanager/env".path;
in {
  sops.secrets."alertmanager/env" = {
    sopsFile = ../../secrets/secrets.yaml;
    mode = "0440";
  };

  services.prometheus.alertmanager = {
    enable = true;
    openFirewall = true;
    environmentFile = alertmanagerEnv;

    webExternalUrl = "http://monitor.lab:9093"; # optional but helpful
    configuration = {
      route = {
        receiver = "null";
        group_by = ["alertname"];
        group_wait = "10s";
        group_interval = "5m";
        repeat_interval = "4h";

        routes = [
          {
            receiver = "telegram";
            matchers = [
              "severity =~ \"warning|critical\""
            ];
            group_wait = "10s";
            continue = true;
          }
        ];
      };

      receivers = [
        {name = "null";}
        {
          name = "telegram";
          telegram_configs = [
            {
              api_url = "https://api.telegram.org";
              bot_token = "$TELEGRAM_BOT_TOKEN";
              chat_id = -1002642560007;
              message_thread_id = 4;
              parse_mode = "HTML";
              send_resolved = true;
              message = "{{ template \"telegram.message\". }}";
            }
          ];
        }
      ];

      templates = [
        (pkgs.writeText "telegram.tmpl" (builtins.readFile ./provisioning/templates/telegram.tmpl))
        # (pkgs.writeText "telegram.markdown.v2.tmpl" (builtins.readFile ./provisioning/templates/telegram.markdown.v2.tmpl))
      ];
    };
  };
}