nix/nixos/services/grafana.nix

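# NixOS module: Grafana behind nginx, with single sign-on through an authentik
# OIDC provider and two file-provisioned dashboards.
{config, lib, pkgs, ...}: let
  cfg = config.services.grafana;
  secrets = config.sops.secrets;

  # Joins the per-dashboard store paths into one directory tree that the
  # file provider below is pointed at.
  mkDashboards = dashboards: pkgs.symlinkJoin {
    name = "dashboards";
    paths = map mkDashboard dashboards;
  };

  # Fetches one dashboard JSON at evaluation time, optionally rewrites it with
  # `patch` (identity by default) and writes it to dash/<name>.json.
  # The sha256 pins the content: if the remote file changes, the fetch fails
  # instead of provisioning different dashboard JSON.
  mkDashboard = {name, url, sha256, patch ? lib.id}: pkgs.writeTextFile {
    inherit name;
    text = patch (builtins.readFile (builtins.fetchurl {inherit url sha256;}));
    destination = "/dash/${name}.json";
  };
in {
  # The OIDC client secret is decrypted by sops-nix and made readable by the
  # grafana user only through ownership of the secret file.
  sops.secrets."grafana/oidc_client_secret" = {
    owner = "grafana";
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        root_url = "https://${cfg.settings.server.domain}";
        domain = "monitor.${config.networking.domain}";
      };

      # Send the browser to the authentik end-session endpoint on logout so the
      # IdP session is ended too. This URL was previously set as `redirect_url`
      # inside [auth.generic_oauth], which is not a key Grafana documents for
      # that section; `signout_redirect_url` under [auth] is the documented one.
      auth.signout_redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";
      # NOTE(review): nothing here disables the built-in login form or sets the
      # local admin password. If OAuth is meant to be the only way in, confirm
      # that elsewhere (e.g. auth.disable_login_form) and that the local admin
      # account does not keep a default password.

      "auth.generic_oauth" = {
        enabled = true;
        name = "authentik";
        # The client id is a public identifier, not a secret.
        client_id = "TNMLGFxpovO0jPptxD0nYmjnuytXd1MphjFS20uE";
        # $__file{...} is expanded by Grafana at runtime, so only the path of
        # the secret file ends up in the generated config, not its content.
        client_secret = "$__file{${secrets."grafana/oidc_client_secret".path}}";
        scopes = toString ["openid" "profile" "email"];
        auth_url = "https://auth.tristans.cloud/application/o/authorize/";
        token_url = "https://auth.tristans.cloud/application/o/token/";
        api_url = "https://auth.tristans.cloud/application/o/userinfo/";
        # Maps IdP groups to Grafana roles: 'Grafana Admins' -> Admin,
        # 'Grafana Editors' -> Editor, everyone else -> Viewer.
        # NOTE(review): the final 'Viewer' fallback means every account that
        # can complete the authentik flow gets read access. If that is not
        # intended, restrict the application in authentik, or drop the
        # fallback and set role_attribute_strict = true.
        role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
      };
    };

    provision.dashboards.settings.providers = [{
      name = "Node Exporter";
      type = "file";
      options.path = mkDashboards [
        {
          name = "node-exporter";
          url = "https://grafana.com/api/dashboards/1860/revisions/37/download";
          sha256 = "sha256:0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl";
          # https://github.com/rfmoz/grafana-dashboards/issues/169
          patch = builtins.replaceStrings ["$__rate_interval"] ["$__range"];
        }
        {
          name = "synapse";
          # NOTE(review): this URL follows the master branch while the hash is
          # fixed, so any upstream edit breaks evaluation until the hash is
          # bumped. A commit-specific URL would keep the pin reproducible.
          url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/grafana/synapse.json";
          sha256 = "sha256:16fl81sx1by0wldw4vda0zr1pvbq1dpih1fikzwlvmk63mpc80kb";
        }
      ];
    }];
  };

  # TLS-terminating reverse proxy: HTTP is redirected to HTTPS, the certificate
  # comes from ACME, and websocket upgrades are passed through to Grafana.
  services.nginx.virtualHosts = {
    ${cfg.settings.server.domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyWebsockets = true;
        # Grafana is reached over plain HTTP on the loopback interface.
        # NOTE(review): confirm http_addr keeps Grafana bound to localhost so
        # the unencrypted port is not reachable from outside.
        proxyPass = "http://localhost:${toString cfg.settings.server.http_port}";
      };
    };
  };
}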