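# NixOS module: Grafana frontend for the bagel monitoring stack.
#
# Enables Grafana bound to loopback, fronts it with an ACME/TLS nginx
# virtual host, stores its state in the local PostgreSQL instance, logs
# users in through the Lix SSO (OIDC) realm, and provisions the local
# Mimir / Loki / Alertmanager datasources plus the bundled dashboards.
{
  config,
  lib,
  ...
}:
let
  cfg = config.bagel.services.grafana;
  inherit (lib) mkEnableOption mkIf;
in
{
  options.bagel.services.grafana.enable = mkEnableOption "Grafana frontend";

  config = mkIf cfg.enable {
    # OIDC client secret, decrypted by agenix to a path owned by the
    # `grafana` user. Grafana reads it at startup via `$__file{...}` below,
    # so the generated grafana.ini only ever contains the path.
    age.secrets.grafana-oauth-secret = {
      file = ../../../secrets/grafana-oauth-secret.age;
      owner = "grafana";
    };

    bagel.services.postgres.enable = true;

    services = {
      grafana = {
        enable = true;

        settings = {
          # Listen on loopback only; nginx (below) terminates TLS and
          # proxies to this address/port.
          server = {
            domain = "grafana.forkos.org";
            http_addr = "127.0.0.1";
            http_port = 2342;
            root_url = "https://grafana.forkos.org/";
          };

          # Local PostgreSQL over the unix socket; the `grafana` role and
          # database are created by the postgresql block below.
          database = {
            type = "postgres";
            user = "grafana";
            host = "/run/postgresql";
          };

          "auth.generic_oauth" = {
            enabled = true;

            name = "Lix SSO";
            client_id = "forkos-grafana";
            client_secret = "$__file{${config.age.secrets.grafana-oauth-secret.path}}";

            auth_url = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/auth";
            token_url = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/token";
            api_url = "https://identity.lix.systems/realms/lix-project/protocol/openid-connect/userinfo";

            # Claim names Grafana reads from the userinfo/ID token.
            # NOTE(review): presumes the realm exposes `username`,
            # `full_name` and `grafana_roles` claims — confirm against the
            # realm's client mappers.
            login_attribute_path = "username";
            email_attribute_path = "email";
            name_attribute_path = "full_name";

            scopes = [
              "openid"
              "profile"
              "email"
              # refresh tokens, so sessions outlive the access token
              "offline_access"
              # presumably what surfaces `grafana_roles` in the token; verify
              "roles"
            ];

            # Every user the IdP authenticates gets a Grafana account on first
            # login and is sent straight to SSO instead of the login form.
            allow_sign_up = true;
            auto_login = true;
            # Lets the IdP claim below grant server-admin (GrafanaAdmin), so
            # membership of that role is controlled entirely in the realm.
            allow_assign_grafana_admin = true;

            # JMESPath over the `grafana_roles` claim; `&&` binds tighter
            # than `||`, so this reads as Admin -> Editor -> Viewer fallback.
            # Users without a recognised role still get Viewer.
            role_attribute_path = "contains(grafana_roles[*], 'Admin') && 'GrafanaAdmin' || contains(grafana_roles[*], 'Editor') && 'Editor' || 'Viewer'";
          };

          dashboards.default_home_dashboard_path = "${./dashboards/node_exporter.json}";

          feature_toggles.enable = "autoMigrateOldPanels newVizTooltips";
          # Legacy Angular plugin support is off; only React panels load.
          security.angular_support_enabled = false;
        };

        provision = {
          dashboards.settings = {
            apiVersion = 1;
            providers = [
              {
                name = "default";
                options.path = ./dashboards;
              }
            ];
          };

          # All datasources are reached over loopback in proxy mode, so the
          # browser never talks to them directly.
          datasources.settings = {
            apiVersion = 1;
            datasources = [
              {
                name = "Mimir";
                type = "prometheus";
                uid = "mimir";
                access = "proxy";
                url = "http://127.0.0.1:9009/prometheus";
                isDefault = true;
              }
              {
                name = "Loki";
                type = "loki";
                uid = "loki";
                access = "proxy";
                url = "http://127.0.0.1:9090/";
              }
              {
                name = "Mimir Alertmanager";
                type = "alertmanager";
                uid = "mimir-alertmanager";
                access = "proxy";
                url = "http://127.0.0.1:9009/";
                jsonData = {
                  handleGrafanaManagedAlerts = true;
                  implementation = "mimir";
                };
              }
            ];
          };
        };
      };

      postgresql = {
        ensureDatabases = [ "grafana" ];
        ensureUsers = [
          {
            name = "grafana";
            ensureDBOwnership = true;
          }
        ];
      };

      # Public TLS entry point; the upstream address is derived from the
      # Grafana server settings so the two cannot drift apart.
      nginx = let
        scfg = config.services.grafana.settings.server;
      in {
        enable = true;
        virtualHosts."${scfg.domain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://${scfg.http_addr}:${toString scfg.http_port}";
            proxyWebsockets = true;
          };
        };
      };
    };

    # Scrape Grafana's own metrics from the same port it serves on; taken
    # from the server settings rather than repeated as a literal so a port
    # change above cannot silently break the exporter.
    bagel.monitoring.grafana-agent.exporters.grafana.port =
      config.services.grafana.settings.server.http_port;
  };
}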