{ config, ... }:
let
  cfg = config.services.grafana;
in
{
  services.grafana = {
    enable = true;
    # grafana supports sockets, but no permission management (always 660 grafana:grafana)
    addr = "127.0.0.1";
    domain = "grafana.sbruder.de";
    rootUrl = "https://%(domain)s/";
    database = {
      type = "postgres";
      host = "/run/postgresql";
      user = "grafana";
    };
    provision = {
      enable = true;
      datasources = [
        {
          name = "Prometheus";
          type = "prometheus";
          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
          isDefault = true;
        }
      ];
    };
    analytics.reporting.enable = false;
  };

  systemd.services.grafana.after = [ "postgresql.service" ];

  services.postgresql = {
    enable = true;
    ensureDatabases = [ cfg.database.name ];
    ensureUsers = [
      {
        name = cfg.database.user;
        ensurePermissions = { "DATABASE ${cfg.database.name}" = "ALL PRIVILEGES"; };
      }
    ];
  };

  services.nginx.virtualHosts."grafana.sbruder.de" = {
    enableACME = true;
    forceSSL = true;

    locations = {
      "/".proxyPass = "http://${cfg.addr}:${toString cfg.port}";
    };
  };
}