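# NixOS module: Grafana served behind nginx (TLS terminated at the proxy),
# logging users in through Authelia (OIDC), storing state in the local
# Postgres instance and reading every credential from sops-managed secrets.
{ lib, pkgs, config, ... }:
let
  # LDAP provider configuration. Currently unused: the "auth.ldap" settings
  # below are commented out. Kept so LDAP login can be re-enabled by
  # uncommenting those two lines. The bind password is resolved at runtime
  # through Grafana's $__file{} provider, so only the path (not the secret)
  # is written into the store.
  ldap = pkgs.writeTextFile {
    name = "ldap.toml";
    text = ''
      [[servers]]
      host = "ldap.cloonar.com"
      port = 636
      use_ssl = true
      bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com"
      bind_password = "$__file{/run/secrets/grafana-ldap-password}"
      search_filter = "(&(objectClass=cloonarUser)(mail=%s))"
      search_base_dns = ["ou=users,dc=cloonar,dc=com"]

      [servers.attributes]
      name = "givenName"
      surname = "sn"
      username = "uid"
      email = "mail"
      member_of = "memberOf"

      [[servers.group_mappings]]
      group_dn = "cn=Administrators,ou=groups,dc=cloonar,dc=com"
      org_role = "Admin"
      grafana_admin = true # Available in Grafana v5.3 and above
    '';
  };
in
{
  # The OIDC client secret is handed to Grafana as an environment variable
  # read from the sops secret at service start, so it never appears in the
  # generated grafana.ini. The path is taken from the sops option instead of
  # a hard-coded /run/secrets/... string, matching the other secret references
  # in this file.
  systemd.services.grafana.script = lib.mkBefore
    "export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat ${config.sops.secrets.grafana-oauth-secret.path})";

  services.grafana = {
    enable = true;
    settings = {
      analytics.reporting_enabled = false;

      # LDAP login is disabled; the provider file is the `ldap` binding above.
      # "auth.ldap".enabled = true;
      # "auth.ldap".config_file = toString ldap;

      # Authelia as OIDC provider. PKCE is enabled and group membership is
      # taken from the `groups` claim. The client secret is supplied through
      # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET (see the systemd override above).
      "auth.generic_oauth" = {
        enabled = true;
        name = "Authelia";
        icon = "signin";
        client_id = "grafana";
        scopes = "openid profile email groups";
        empty_scopes = false;
        auth_url = "https://auth.cloonar.com/api/oidc/authorization";
        token_url = "https://auth.cloonar.com/api/oidc/token";
        api_url = "https://auth.cloonar.com/api/oidc/userinfo";
        login_attribute_path = "preferred_username";
        groups_attribute_path = "groups";
        name_attribute_path = "name";
        use_pkce = true;
      };

      # Unauthenticated visitors get read-only access to this org, so every
      # dashboard published in "Cloonar e.U." is reachable without a login.
      "auth.anonymous" = {
        enabled = true;
        org_name = "Cloonar e.U.";
        org_role = "Viewer";
      };

      server = {
        root_url = "https://grafana.cloonar.com";
        domain = "grafana.cloonar.com";
        enforce_domain = true;
        enable_gzip = true;
        # The nginx vhost below (proxy_pass to localhost:3001) is the only
        # intended client. Binding to loopback keeps the plain-HTTP listener
        # off every other interface instead of relying on a firewall rule.
        http_addr = "127.0.0.1";
        http_port = 3001;
      };

      smtp = {
        enabled = true;
        host = "mail.cloonar.com:587";
        user = "grafana@cloonar.com";
        # NOTE(review): this reuses the LDAP bind secret as the SMTP password;
        # confirm that is intended and not a leftover from the LDAP block.
        password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}";
        # Grafana's ini key is `from_address`. The previous `fromAddress` is
        # not a known key, so the sender fell back to Grafana's default.
        from_address = "grafana@cloonar.com";
      };

      database = {
        type = "postgres";
        name = "grafana";
        host = "/run/postgresql"; # local unix socket directory, no TCP
        user = "grafana";
      };

      security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
    };
  };

  # Public entry point: TLS via ACME (DNS challenge, hence acmeRoot = null),
  # forwarding everything to the loopback Grafana listener.
  services.nginx.virtualHosts."grafana.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;
    locations."/".extraConfig = "proxy_pass http://localhost:3001;";
  };

  # TODO: fix for nixos 24.05
  # `ensurePermissions` was removed there; for a database named like its user
  # the replacement is `ensureDBOwnership = true` -- verify against the release
  # this host actually tracks before switching.
  services.postgresql.ensureUsers = [
    {
      name = "grafana";
      ensurePermissions = {
        "DATABASE \"grafana\"" = "ALL PRIVILEGES";
        "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
      };
    }
  ];
  services.postgresql.ensureDatabases = [ "grafana" ];
  services.postgresqlBackup.databases = [ "grafana" ];

  # Each secret is owned by the grafana service user so the unit can read it
  # without running as root.
  sops.secrets = {
    grafana-admin-password.owner = "grafana";
    grafana-ldap-password.owner = "grafana";
    grafana-oauth-secret.owner = "grafana";
  };
}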