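# Grafana served over a Unix socket behind an nginx TLS reverse proxy,
# with the admin password and signing key supplied as agenix secrets.
{ pkgs, lib, config, ... }:
let
  cfg = config.services.grafana;

  # Wrap a path in Grafana's file-provider syntax so the generated
  # configuration only contains the path; Grafana reads the secret value
  # from that file itself.
  fileProvider = path: "$__file{${path}}";
in
{
  age.secrets = {
    grafana-admin-password = {
      file = ../secrets/grafana-admin-password.age;
      owner = "grafana";
      group = "grafana";
      # Pinned explicitly (this is also the agenix default): the nginx user
      # is added to the grafana group at the bottom of this module and must
      # not gain read access to the secret through that membership.
      mode = "0400";
    };
    grafana-secret-key = {
      file = ../secrets/grafana-secret-key.age;
      owner = "grafana";
      group = "grafana";
      # Owner-only for the same reason as the admin password.
      mode = "0400";
    };
  };

  services.grafana = {
    enable = true;

    settings = {
      # Listen on a Unix socket rather than a TCP port; nginx is the only
      # network-facing entry point configured in this module.
      # NOTE(review): server.domain / server.root_url are not set here, so
      # Grafana has no public URL to use in links it generates; confirm
      # whether root_url should point at the nginx virtual host.
      server.protocol = "socket";

      analytics = {
        reporting_enabled = false;
        feedback_links_enabled = false;
      };

      security = {
        admin_user = "admin";
        admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
        secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
        # The virtual host below sets forceSSL, so browsers only ever talk
        # to Grafana over HTTPS; mark its cookies Secure to match.
        cookie_secure = true;
      };
    };

    declarativePlugins = lib.mkIf config.services.victoriametrics.enable [
      pkgs.grafanaPlugins.victoriametrics-metrics-datasource
    ];

    provision.datasources.settings.datasources = lib.mkIf config.services.victoriametrics.enable [
      {
        name = "VictoriaMetrics";
        type = "victoriametrics-metrics-datasource";
        uid = "vm";
        # NOTE(review): VictoriaMetrics listens on 8428 by default; confirm
        # that 8248 matches services.victoriametrics.listenAddress and is
        # not a transposition.
        url = "http://localhost:8248";
        editable = false;
        # isDefault is a top-level field of a provisioned datasource; it has
        # no effect inside jsonData, where it was set before.
        # NOTE(review): Grafana accepts only one default datasource per
        # organisation; check that no other module provisions one.
        isDefault = true;
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    # Upstream pointing at the socket path taken from Grafana's settings.
    upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = {};

    virtualHosts."grafana.federez.net" = {
      # Serve files under Grafana's static root straight from disk, without
      # going through Grafana; every other request falls through to the
      # @grafana location.
      root = cfg.settings.server.static_root_path;
      enableACME = true;
      forceSSL = true;
      locations."/".tryFiles = "$uri @grafana";
      locations."@grafana".proxyPass = "http://grafana";
    };
  };

  # Group membership is what lets nginx connect to Grafana's socket.
  # NOTE(review): this also gives nginx access to anything else that is
  # group-accessible to "grafana"; the secrets above stay owner-only.
  users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
}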