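# NixOS module: Grafana served through nginx, with single sign-on against an
# authentik OIDC provider and two file-provisioned dashboards.
#
# Arguments: `config` (the evaluated system configuration), `lib` and `pkgs`
# (nixpkgs library and package set). Result: an attribute set of option
# definitions for sops.secrets, services.grafana and services.nginx.
{
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.services.grafana;
  secrets = config.sops.secrets;

  # Builds one directory that links together the output of mkDashboard for
  # every entry in `dashboards`; the provider below uses it as `options.path`.
  mkDashboards = dashboards:
    pkgs.symlinkJoin {
      name = "dashboards";
      paths = map mkDashboard dashboards;
    };

  # Fetches one dashboard JSON file, optionally rewrites it, and stores it as
  # /dash/<name>.json inside its own store path.
  #   name   - file stem and derivation name
  #   url    - download location of the dashboard JSON
  #   sha256 - expected hash of the download; the fetch fails on a mismatch,
  #            so the content that reaches Grafana is pinned
  #   patch  - string -> string function applied to the JSON text
  #            (defaults to the identity function)
  mkDashboard = {
    name,
    url,
    sha256,
    patch ? lib.id,
  }:
    pkgs.writeTextFile {
      inherit name;
      text = patch (builtins.readFile (builtins.fetchurl {inherit url sha256;}));
      destination = "/dash/${name}.json";
    };
in {
  # Decrypted by sops-nix at activation; owned by the Grafana service user so
  # that Grafana itself can read the file.
  sops.secrets."grafana/oidc_client_secret" = {
    owner = "grafana";
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        root_url = "https://${cfg.settings.server.domain}";
        domain = "monitor.${config.networking.domain}";
      };
      "auth.generic_oauth" = {
        enabled = true;
        name = "authentik";
        # The OAuth client id is an identifier, not a credential.
        client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
        # $__file{...} makes Grafana read the secret from the given path at
        # startup, so only the path (not the secret) ends up in the generated
        # configuration.
        client_secret = "$__file{${secrets."grafana/oidc_client_secret".path}}";
        # toString on a list yields the space-separated form.
        scopes = toString ["openid" "profile" "email"];
        auth_url = "https://auth.tristans.cloud/application/o/authorize/";
        token_url = "https://auth.tristans.cloud/application/o/token/";
        api_url = "https://auth.tristans.cloud/application/o/userinfo/";
        # NOTE(review): this is the provider's end-session (logout) endpoint.
        # Grafana's sign-out redirect is normally configured with
        # `signout_redirect_url` in the `auth` section; confirm that this key
        # has the intended effect here.
        redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";
        # Maps the `groups` claim to a Grafana role. Every authenticated user
        # who is in neither group falls through to 'Viewer'.
        # NOTE(review): if only group members should get access, restrict the
        # application on the identity-provider side or drop the fallback
        # together with `role_attribute_strict` - confirm the intent.
        role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
      };
    };
    provision.dashboards.settings.providers = [
      {
        name = "Node Exporter";
        type = "file";
        options.path = mkDashboards [
          {
            name = "node-exporter";
            # Fixed revision of the published dashboard, pinned by hash.
            url = "https://grafana.com/api/dashboards/1860/revisions/37/download";
            sha256 = "sha256:0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl";
            # Replaces $__rate_interval with $__range throughout the JSON; see
            # https://github.com/rfmoz/grafana-dashboards/issues/169
            patch = builtins.replaceStrings ["$__rate_interval"] ["$__range"];
          }
          {
            name = "synapse";
            # The URL follows the master branch. The hash still pins the
            # content, so an upstream edit makes the fetch fail instead of
            # changing the dashboard silently; a commit-pinned URL would keep
            # the fetch reproducible as well.
            url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
            sha256 = "sha256:0yzj1i4zbjy9cms75ip6ad8qyjgv9kka42gxsbzyzr2syznsmqw0";
          }
        ];
      }
    ];
  };

  # TLS terminates at nginx (ACME certificate, HTTP redirected to HTTPS);
  # traffic to Grafana itself stays on the local host over plain HTTP.
  services.nginx.virtualHosts = {
    ${cfg.settings.server.domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        # Forward WebSocket upgrade requests to Grafana as well.
        proxyWebsockets = true;
        proxyPass = "http://localhost:${toString cfg.settings.server.http_port}";
      };
    };
  };
}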