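# Grafana behind nginx (TLS terminated by nginx, Grafana listening on a unix
# socket) with LDAP authentication against the FedeRez directory.
#
# All secrets (admin password, Grafana secret_key, LDAP bind password) are
# agenix-managed files referenced through Grafana's `$__file{...}` provider:
# only the *path* is written into the Nix store / generated config, never the
# secret value itself.
{ pkgs, lib, config, ... }:

let
  cfg = config.services.grafana;

  # Wrap a path in Grafana's file provider syntax; Grafana substitutes the
  # file's contents at startup.
  fileProvider = path: "$__file{${path}}";

  ldapServer = {
    # Space-separated list: Grafana treats these as alternative hosts.
    host = "ldap.federez.net ldap-ro.federez.net";
    port = 636;
    # LDAPS (implicit TLS on 636), not StartTLS.
    use_ssl = true;
    start_tls = false;
    # Explicitly keep server-certificate verification on (this is Grafana's
    # default, pinned here so a future default change cannot silently weaken
    # the bind-credential transport).
    ssl_skip_verify = false;
    bind_dn = "cn=grafana,ou=service-users,dc=federez,dc=net";
    # Bind password stays in the agenix file; the generated ldap.toml only
    # carries the $__file reference.
    bind_password = fileProvider config.age.secrets.grafana-ldap-bind-password.path;
    # %s is substituted (and escaped) by Grafana with the login name.
    search_filter = "(&(objectClass=posixAccount)(cn=%s))";
    search_base_dns = [ "cn=Utilisateurs,dc=federez,dc=net" ];
    group_search_base_dns = [ "ou=posix,ou=groups,dc=federez,dc=net" ];
    group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))";
    # Attribute of the user entry substituted into group_search_filter.
    group_search_filter_user_attribute = "uid";
    attributes = {
      email = "mail";
    };
    # Ordering matters: the catch-all "*" mapping must stay last so that
    # members of sudoldap are matched by the Admin rule first.
    group_mappings = [
      {
        group_dn = "cn=sudoldap,ou=posix,ou=groups,dc=federez,dc=net";
        org_role = "Admin";
        grafana_admin = true;
      }
      {
        # Every other LDAP account that passes search_filter gets read-only
        # access (combined with allow_sign_up below, accounts are created on
        # first login).
        group_dn = "*";
        org_role = "Viewer";
      }
    ];
  };

  # Rendered into the Nix store; contains no secret material (see above).
  ldapConfig = (pkgs.formats.toml {}).generate "ldap.toml" {
    servers = [ ldapServer ];
  };
in
{
  # Decrypted secrets are owned by the grafana user so only the Grafana
  # process (and root) can read them.
  age.secrets = {
    grafana-admin-password = {
      file = ../secrets/grafana-admin-password.age;
      owner = "grafana";
      group = "grafana";
    };
    grafana-secret-key = {
      file = ../secrets/grafana-secret-key.age;
      owner = "grafana";
      group = "grafana";
    };
    grafana-ldap-bind-password = {
      file = ../secrets/grafana-ldap-bind-password.age;
      owner = "grafana";
      group = "grafana";
    };
  };

  services.grafana = {
    enable = true;

    settings = {
      # No TCP listener: Grafana is only reachable through the unix socket
      # that nginx proxies to.
      server.protocol = "socket";

      analytics = {
        reporting_enabled = false;
        feedback_links_enabled = false;
      };

      security = {
        admin_user = "admin";
        admin_password = fileProvider config.age.secrets.grafana-admin-password.path;
        secret_key = fileProvider config.age.secrets.grafana-secret-key.path;
        # nginx below uses forceSSL, so every browser session is HTTPS-only;
        # mark the session cookie Secure so it is never sent over plain HTTP.
        cookie_secure = true;
      };

      "auth.ldap" = {
        enabled = true;
        # Required for the "*" -> Viewer mapping to create accounts on first login.
        allow_sign_up = true;
        # Keep roles in sync with LDAP group membership on every login.
        skip_org_role_sync = false;
        config_file = toString ldapConfig;
      };
    };

    # VictoriaMetrics datasource is only wired up on hosts that also run it.
    declarativePlugins = lib.mkIf config.services.victoriametrics.enable [
      pkgs.grafanaPlugins.victoriametrics-metrics-datasource
    ];

    provision.datasources.settings.datasources = lib.mkIf config.services.victoriametrics.enable [
      {
        name = "VictoriaMetrics";
        type = "victoriametrics-metrics-datasource";
        uid = "vm";
        url = "http://localhost:8428";
        editable = false;
        jsonData = {
          isDefault = true;
        };
      }
    ];
  };

  # 80 is needed for the ACME HTTP-01 challenge and the HTTPS redirect.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    # Upstream is Grafana's unix socket (path taken from the NixOS module).
    upstreams.grafana.servers."unix:/${cfg.settings.server.socket}" = {};

    virtualHosts."grafana.federez.net" = {
      # Static assets are served straight from Grafana's public directory;
      # anything that is not a file there is proxied to Grafana.
      root = cfg.settings.server.static_root_path;
      enableACME = true;
      forceSSL = true;
      locations."/".tryFiles = "$uri @grafana";
      locations."@grafana".proxyPass = "http://grafana";
    };
  };

  # nginx must be in the grafana group to connect to the unix socket
  # (presumably group-accessible; confirm against the socket mode the
  # Grafana module sets).
  users.users.${config.services.nginx.user}.extraGroups = [ "grafana" ];
}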