{ config, ... }:
let
  grafanaCfg = config.services.grafana;
  promCfg = config.services.prometheus;
  # Public hostname, shared by grafana's own URL handling and the nginx vhost.
  grafanaHost = "grafana.sbruder.de";
in
{
  services = {
    grafana = {
      enable = true;

      # Bind to loopback only: the nginx vhost below is the intended way in.
      # A unix socket would be nicer, but grafana offers no permission
      # management for it (the socket is always 660 grafana:grafana).
      addr = "127.0.0.1";
      port = 3002;

      domain = grafanaHost;
      # "%(domain)s" is expanded by grafana's ini parser, not by Nix.
      rootUrl = "https://%(domain)s/";

      # Local postgres over its unix socket; no database password is kept here.
      # NOTE(review): this presumably relies on postgres socket/peer
      # authentication for the "grafana" role — confirm against pg_hba.
      database = {
        type = "postgres";
        host = "/run/postgresql";
        user = "grafana";
      };

      # Pre-provisioned Prometheus datasource, pointing at the local instance.
      provision = {
        enable = true;
        datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
            isDefault = true;
            url = "http://${promCfg.listenAddress}:${toString promCfg.port}";
          }
        ];
      };

      # No usage reporting to Grafana Labs.
      analytics.reporting.enable = false;

      # NOTE(review): security.adminPasswordFile / security.secretKeyFile are
      # not set in this file; unless another module sets them, the grafana
      # module's defaults apply — confirm.
    };

    postgresql = {
      enable = true;
      # database.name is left at the grafana module's default and read back
      # through the evaluated config so both sides stay in sync.
      ensureDatabases = [ grafanaCfg.database.name ];
      ensureUsers = [
        {
          name = grafanaCfg.database.user;
          ensurePermissions."DATABASE ${grafanaCfg.database.name}" = "ALL PRIVILEGES";
        }
      ];
    };

    # TLS-terminating reverse proxy in front of the loopback-only grafana.
    nginx.virtualHosts.${grafanaHost} = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://${grafanaCfg.addr}:${toString grafanaCfg.port}";
    };
  };

  # grafana needs its database up before it starts.
  systemd.services.grafana.after = [ "postgresql.service" ];
}