{ config, pkgs, values, ... }: let
  cfg = config.services.grafana;
in {
  sops.secrets = let
    owner = "grafana";
    group = "grafana";
  in {
    "keys/grafana/secret_key" = { inherit owner group; };
    "keys/grafana/admin_password" = { inherit owner group; };
  };

  services.grafana = {
    enable = true;

    settings = let
      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
      secretFile = path: "$__file{${path}}";
    in {
      server = {
        domain = "grafana.pvv.ntnu.no";
        http_port = 2342;
        http_addr = "127.0.0.1";
      };

      security = {
        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
      };
    };

    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          name = "Ildkule Prometheus";
          type = "prometheus";
          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
          isDefault = true;
        }
        {
          name = "Ildkule loki";
          type = "loki";
          url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
        }
      ];
      dashboards.settings.providers = [
        {
          name = "Node Exporter Full";
          type = "file";
          url = "https://grafana.com/api/dashboards/1860/revisions/29/download";
          options.path = dashboards/node-exporter-full.json;
        }
        {
          name = "Matrix Synapse";
          type = "file";
          url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
          options.path = dashboards/synapse.json;
        }
        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
        # {
        #   name = "MySQL";
        #   type = "file";
        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
        #   options.path = dashboards/mysql.json;
        # }
        {
          name = "Postgresql";
          type = "file";
          url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
          options.path = dashboards/postgres.json;
        }
        {
          name = "Go Processes (gogs)";
          type = "file";
          url = "https://grafana.com/api/dashboards/240/revisions/3/download";
          options.path = dashboards/go-processes.json;
        }
      ];

    };
  };

  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
    enableACME = true;
    forceSSL = true;
    kTLS = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_buffers 8 1024k;
          proxy_buffer_size 1024k;
        '';
      };
    };
  };
}