{ config, ... }:
{
  services.grafana = {
    enable  = true;
    settings = {
      server = {
        domain = "grafana.astatine.net.clerie.de";
        root_url = "https://grafana.astatine.net.clerie.de";
        http_port = 3001;
        http_addr = "::1";
      };
      "auth.anonymous" = {
        enabled = true;
      };
    };

    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          type = "prometheus";
          name = "Prometheus";
          url = "http://[::1]:9090";
          isDefault = true;
        }
      ];
    };
  };

  services.nginx = {
    virtualHosts = {
      "grafana.astatine.net.clerie.de" = {
        enableACME = true;
        forceSSL   = true;
        basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
        locations."/".proxyPass = "http://[::1]:3001/";
        locations."= /api/live/ws" = {
          proxyPass = "http://[::1]:3001";
          proxyWebsockets = true;
        };
      };
    };
  };

}