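# NixOS module: Grafana behind nginx, with single sign-on through an
# authentik OIDC provider via Grafana's generic OAuth integration.
#
# Fix: the original placed the authentik end-session URL under
# `redirect_url`, which is not a key Grafana reads in [auth.generic_oauth]
# (the login callback is derived from server.root_url). The setting that
# sends the browser to the IdP's end-session endpoint on Grafana sign-out
# is `signout_redirect_url`; without it a Grafana logout leaves the
# authentik session alive and a subsequent visit silently re-logs the user in.
#
# Hardening: `use_pkce` binds the authorization code to this client for
# the login flow; authentik honours a code_challenge when one is sent.
{config, ...}:
let
  cfg = config.services.grafana;
  secrets = config.age.secrets;
in
{
  # The OIDC client secret is decrypted by agenix at activation time and
  # must be readable by the grafana service user only.
  age.secrets.grafana_oidc_client_secret = {
    file = ../../secrets/grafana/oidc/client_secret.age;
    owner = "grafana";
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        # `domain` is expected to be set elsewhere in the configuration
        # (not in this module); the same value keys the nginx vhost below.
        root_url = "https://${cfg.settings.server.domain}";
      };

      "auth.generic_oauth" = {
        enabled = true;
        name = "authentik";
        # Client IDs are public identifiers; only the secret is sensitive.
        client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
        # $__file{} makes Grafana read the secret from disk at startup, so
        # the value never lands in the world-readable Nix store.
        client_secret = "$__file{${secrets.grafana_oidc_client_secret.path}}";
        # toString on a list of strings yields the space-separated form
        # Grafana expects ("openid profile email").
        scopes = toString ["openid" "profile" "email"];
        auth_url = "https://auth.tristans.cloud/application/o/authorize/";
        token_url = "https://auth.tristans.cloud/application/o/token/";
        api_url = "https://auth.tristans.cloud/application/o/userinfo/";
        # Where Grafana sends the browser after its own logout, so the
        # authentik session is terminated as well (was `redirect_url`).
        signout_redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";
        # PKCE for the authorization-code exchange.
        use_pkce = true;
        # JMESPath over the userinfo/ID-token claims: group membership maps
        # to a Grafana org role, falling back to Viewer for any other user.
        role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
      };
    };
  };

  # TLS-terminating reverse proxy in front of Grafana's plain-HTTP listener.
  services.nginx.virtualHosts = {
    ${cfg.settings.server.domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        # Grafana Live (dashboards streaming) needs WebSocket upgrade passed through.
        proxyWebsockets = true;
        proxyPass = "http://localhost:${toString cfg.settings.server.http_port}";
      };
    };
  };
}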