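{ lib, pkgs, config, ... }:
let
  # Grafana LDAP configuration. writeTextFile places this in the world-readable
  # Nix store, so it must only carry the *path* of the bind password; Grafana's
  # $__file{} provider reads the secret at runtime.
  ldap = pkgs.writeTextFile {
    name = "ldap.toml";
    text = ''
      [[servers]]
      host = "ldap.cloonar.com"
      port = 636
      use_ssl = true
      bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com"
      # Taken from the sops secret declared below so the path stays in sync
      # with wherever sops-nix actually places it.
      bind_password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}"
      search_filter = "(&(objectClass=cloonarUser)(mail=%s))"
      search_base_dns = ["ou=users,dc=cloonar,dc=com"]

      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "mail"
      email = "mail"
      member_of = "memberOf"

      [[servers.group_mappings]]
      group_dn = "cn=Administrators,ou=groups,dc=cloonar,dc=com"
      org_role = "Admin"
      grafana_admin = true # Available in Grafana v5.3 and above
    '';
  };
in
{
  imports = [
    ./alerting/system/default.nix
    ./alerting/service/default.nix
    ./alerting/websites/default.nix
    ./alerting/storage/default.nix
    ./datasources/victoriametrics.nix
    ./datasources/loki.nix
    ./alert-cleanup.nix
  ];

  # Secrets handed to Grafana through its environment rather than the Nix
  # store: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET overrides the matching settings
  # key, the PUSHOVER_* variables are expanded in the provisioned contact
  # points below. mkBefore runs the exports ahead of the module's own script.
  systemd.services.grafana.script = lib.mkBefore ''
    export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat ${config.sops.secrets.grafana-oauth-secret.path})
    export PUSHOVER_API_TOKEN=$(cat ${config.sops.secrets.pushover-api-token.path})
    export PUSHOVER_USER_KEY=$(cat ${config.sops.secrets.pushover-user-key.path})
  '';

  services.grafana = {
    enable = true;

    settings = {
      analytics.reporting_enabled = false;

      "auth.ldap" = {
        enabled = true;
        config_file = toString ldap;
      };

      "auth.generic_oauth" = {
        enabled = true;
        name = "Authelia";
        icon = "signin";
        client_id = "grafana";
        # client_secret is supplied via GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
        # (see the service script above), so it is not written to the store.
        scopes = "openid profile email groups";
        empty_scopes = false;
        auth_url = "https://auth.cloonar.com/api/oidc/authorization";
        token_url = "https://auth.cloonar.com/api/oidc/token";
        api_url = "https://auth.cloonar.com/api/oidc/userinfo";
        login_attribute_path = "preferred_username";
        groups_attribute_path = "groups";
        # JMESPath over the userinfo claims; users in neither group fall back
        # to Viewer, so a missing "groups" claim cannot grant anything higher.
        role_attribute_path = "contains(groups, 'Administrators') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'";
        allow_assign_grafana_admin = true;
        name_attribute_path = "name";
        use_pkce = true;
      };

      "auth.anonymous".enabled = false;

      server = {
        root_url = "https://grafana.cloonar.com";
        domain = "grafana.cloonar.com";
        enforce_domain = true;
        enable_gzip = true;
        # This listener is plain HTTP; TLS is terminated by the nginx vhost
        # below, which is the only consumer visible here and proxies over
        # loopback. Binding to 127.0.0.1 keeps the unencrypted port off the
        # network interfaces — widen it only if another host needs direct access.
        http_addr = "127.0.0.1";
        http_port = 3001;
      };

      smtp = {
        enabled = true;
        host = "mail.cloonar.com:587";
        user = "grafana@cloonar.com";
        # NOTE(review): this reuses the LDAP bind secret — confirm the mail
        # account really shares that password rather than needing its own.
        password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}";
        fromAddress = "grafana@cloonar.com";
      };

      database = {
        type = "postgres";
        name = "grafana";
        # Local unix socket; no database password appears in this config.
        host = "/run/postgresql";
        user = "grafana";
      };

      security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
    };

    provision = {
      alerting = {
        # Empty merge anchor: the imported alerting modules contribute rules here.
        rules.settings.groups = lib.mkMerge [ ];

        contactPoints.settings = {
          apiVersion = 1;
          contactPoints = [
            {
              orgId = 1;
              name = "cp_dominik_emergency";
              receivers = [
                {
                  uid = "dominik_pushover_emergency";
                  type = "pushover";
                  settings = {
                    # Escaped so Grafana, not Nix, expands these from the
                    # service environment when it loads the provisioning file.
                    apiToken = "\${PUSHOVER_API_TOKEN}";
                    userKey = "\${PUSHOVER_USER_KEY}";
                    device = "iphone";
                    priority = 2;
                    retry = "30s";
                    expire = "2m";
                    sound = "siren";
                    okSound = "magic";
                    message = ''{{ template "default.message" . }}'';
                  };
                }
              ];
            }
            {
              orgId = 1;
              name = "cp_dominik_normal";
              receivers = [
                {
                  uid = "dominik_pushover_normal";
                  type = "pushover";
                  settings = {
                    apiToken = "\${PUSHOVER_API_TOKEN}";
                    userKey = "\${PUSHOVER_USER_KEY}";
                    device = "iphone";
                    priority = 1;
                    sound = "siren";
                    okSound = "magic";
                    message = ''{{ template "default.message" . }}'';
                  };
                }
              ];
            }
          ];
        };

        policies.settings = {
          apiVersion = 1;
          policies = [
            {
              # Default route: everything goes to the normal contact point ...
              receiver = "cp_dominik_normal";
              repeat_interval = "999d";
              routes = [
                {
                  # ... except HostDown, which is escalated to the emergency one.
                  receiver = "cp_dominik_emergency";
                  matchers = [ "alertname = HostDown" ];
                  repeat_interval = "999d";
                }
              ];
            }
          ];
        };
      };

      # Empty merge anchor: ./datasources/*.nix contribute entries here.
      datasources.settings.datasources = lib.mkMerge [ ];
    };
  };

  services.nginx.virtualHosts."grafana.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    # No webroot challenge for this vhost; the ACME challenge type is
    # configured elsewhere — presumably DNS-based, confirm.
    acmeRoot = null;
    # Explicit IPv4 loopback to match the Grafana http_addr above.
    locations."/".extraConfig = "proxy_pass http://127.0.0.1:3001;";
  };

  services.postgresql.ensureUsers = [
    {
      name = "grafana";
      ensureDBOwnership = true;
    }
  ];
  services.postgresql.ensureDatabases = [ "grafana" ];
  services.postgresqlBackup.databases = [ "grafana" ];

  # Every secret is owned by the grafana user so the $__file{} provider and the
  # service start script can read them without extra privileges.
  sops.secrets = {
    grafana-admin-password.owner = "grafana";
    grafana-ldap-password.owner = "grafana";
    grafana-oauth-secret.owner = "grafana";
    pushover-api-token.owner = "grafana";
    pushover-user-key.owner = "grafana";
  };
}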