{ config, lib, pkgs, ... }:
let
  cfg = config.my.services.grafana;
  secrets = config.age.secrets;
in {
  options.my.services.grafana = with lib; {
    enable = mkEnableOption "grafana observability stack";
  };

  config = lib.mkIf cfg.enable {
    services.grafana = {
      enable = true;
      # Bind to all interfaces.
      addr = "";
      security.adminUser = "fcuny";

      analytics.reporting.enable = false;

      provision = {
        enable = true;
        datasources = [{
          name = "prometheus";
          type = "prometheus";
          isDefault = true;
          url = "http://localhost:9090";
        }];
        dashboards = [{
          disableDeletion = true;
          options.path = ./dashboards;
        }];
      };
    };

    services.nginx.virtualHosts."dash.fcuny.xyz" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:9090";
        proxyWebsockets = true;
      };
    };

    security.acme.certs."dash.fcuny.xyz" = {
      dnsProvider = "gcloud";
      credentialsFile = secrets."acme/credentials".path;
    };

    my.services.backup = { paths = [ "/var/lib/grafana" ]; };
  };
}