{ config, ... }:
{
  services.grafana = {
    enable = true;
    settings = {
      server = {
        domain = "grafana.grzb.de";
        root_url = "https://${config.services.grafana.settings.server.domain}";
      };
      security = {
        cookie_secure = true;
        cookie_samesite = "strict";
        admin_user = "yuri";
        admin_password = "$__file{/run/secrets/metrics-grafana-admin-password}";
        admin_email = "yuri@nekover.se";
      };
      smtp = {
        enabled = true;
        host = "mail.grzb.de:465";
        user = "grafana";
        password = "$__file{/run/secrets/metrics-grafana-smtp-password}";
        from_address = "grafana@robot.grzb.de";
        from_name = "Grafana";
        startTLS_policy = "NoStartTLS";
      };
    };
    provision.datasources.settings.datasources = [
      {
        name = "Prometheus";
        type = "prometheus";
        url = "http://localhost:${builtins.toString config.services.prometheus.port}";
        isDefault = true;
      }
    ];
  };

  sops.secrets."metrics-grafana-admin-password" = {
    mode = "0440";
    owner = "grafana";
    group = "grafana";
    restartUnits = [ "grafana.service" ];
  };
  sops.secrets."metrics-grafana-smtp-password" = {
    mode = "0440";
    owner = "grafana";
    group = "grafana";
    restartUnits = [ "grafana.service" ];
  };
}