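# NixOS module: Grafana backed by PostgreSQL, with secrets supplied through
# sops-nix, published at metrics.<nginx domain> behind an nginx TLS reverse
# proxy.
{config, ...}: let
  domain = "metrics.${config.services.nginx.domain}";
in {
  services.grafana = {
    enable = true;
    settings = {
      server = {
        http_port = 3001; # Default overlaps with gitea
        # Grafana is only reached through the nginx vhost below, so give it
        # its public name. Left at the defaults, root_url resolves to
        # http://localhost:3001/, and absolute links and origin checks that
        # derive from root_url do not match the URL users actually visit.
        inherit domain;
        root_url = "https://${domain}/";
        # NOTE(review): http_addr is not set, so the module default applies.
        # Confirm it is loopback so that port 3001 is reachable only via
        # nginx and never directly over plain HTTP.
      };

      security = {
        admin_user = "tlater";
        # $__file{...} makes Grafana read the value from the file at runtime,
        # so only the path (not the secret) ends up in the generated config.
        # NOTE(review): the sops.secrets declarations are not shown here;
        # verify both files are readable by the grafana service user only.
        # Grafana applies admin_password when the admin account is first
        # created; rotating the sops secret alone does not change the
        # password of an existing account.
        admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}";
        # Changing secret_key later invalidates anything Grafana encrypted
        # with the old key; plan rotation accordingly.
        secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}";
        # Session cookies are only sent over HTTPS (the vhost forces TLS) and
        # never on cross-site requests.
        cookie_secure = true;
        cookie_samesite = "strict";
        content_security_policy = true;
      };

      database = {
        user = "grafana";
        name = "grafana";
        type = "postgres";
        # A directory path selects the local unix socket. No password is set
        # here, so access presumably relies on PostgreSQL peer authentication
        # for the "grafana" role; verify against the PostgreSQL config.
        host = "/run/postgresql";
      };
    };

    provision = {
      enable = true;

      datasources.settings.datasources = [
        {
          name = "Victoriametrics - tlater.net";
          # Plain HTTP with no credentials; this stays on the loopback
          # interface. NOTE(review): confirm the service on :8428 listens on
          # localhost only.
          url = "http://localhost:8428";
          type = "prometheus";
        }
      ];
    };
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    # NOTE(review): the "upstream_time" log format and the per-domain log
    # directory are not defined in this file; they must exist elsewhere.
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
      access_log /var/log/nginx/${domain}/access.log upstream_time;
    '';

    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
      # Grafana Live uses WebSockets; without the upgrade headers the
      # connection through the proxy fails.
      proxyWebsockets = true;
    };
  };
}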