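# NixOS module: Grafana served through an nginx TLS reverse proxy, backed by a
# local PostgreSQL database, with a provisioned Prometheus datasource.
{ config, ... }:
let
  cfg = config.services.grafana;
in
{
  services.grafana = {
    enable = true;

    # NOTE(review): no `security` section is set in this module. Unless it is
    # configured elsewhere, Grafana's built-in default admin credentials apply
    # on first start; confirm the admin password is changed or provisioned
    # from a secret file rather than left at the default.
    settings = {
      server = {
        # grafana supports sockets, but no permission management (always 660 grafana:grafana)
        # Loopback only, so the nginx virtual host below is the one externally
        # reachable entry point.
        http_addr = "127.0.0.1";
        http_port = 3002;
        domain = "grafana.sbruder.de";
        # The key Grafana reads in the [server] section is `root_url`; it does
        # not read a key spelled `rootUrl`, which would leave the public URL at
        # its default built from protocol, domain and http_port. That default
        # does not match the HTTPS proxy, so links and redirects would be wrong.
        root_url = "https://%(domain)s/";
      };

      database = {
        type = "postgres";
        # Directory of the PostgreSQL Unix socket; no password is configured.
        # presumably peer authentication as the `grafana` system user - confirm
        # against the PostgreSQL authentication rules.
        host = "/run/postgresql";
        user = "grafana";
      };

      # Turn off usage reporting and the update checks.
      analytics = {
        reporting_enabled = false;
        check_for_updates = false;
        check_for_plugin_updates = false;
      };
    };

    provision = {
      enable = true;
      datasources.settings.datasources = [
        {
          name = "Prometheus";
          type = "prometheus";
          # NOTE(review): plain HTTP with no credentials configured here. That
          # is only appropriate if Prometheus listens on loopback or a trusted
          # interface; listenAddress is defined outside this file - confirm.
          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
          isDefault = true;
        }
      ];
    };
  };

  # Order Grafana's start after PostgreSQL.
  systemd.services.grafana.after = [ "postgresql.service" ];

  services.postgresql = {
    enable = true;
    # database.name is not set in this file, so it resolves to whatever the
    # Grafana module provides for that option.
    ensureDatabases = [ cfg.settings.database.name ];
    ensureUsers = [
      {
        name = cfg.settings.database.user;
        # Grants are scoped to the Grafana database only.
        # NOTE(review): newer NixOS releases replace `ensurePermissions` with
        # `ensureDBOwnership` - check against the release this host targets.
        ensurePermissions = {
          "DATABASE ${cfg.settings.database.name}" = "ALL PRIVILEGES";
        };
      }
    ];
  };

  # The virtual host name is derived from the Grafana domain so the proxy and
  # Grafana's own idea of its hostname cannot drift apart.
  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
    # Obtain a certificate via ACME and redirect plain HTTP to HTTPS.
    enableACME = true;
    forceSSL = true;
    locations = {
      "/".proxyPass = "http://${cfg.settings.server.http_addr}:${toString cfg.settings.server.http_port}";
    };
  };
}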