# Grafana behind Caddy, reachable only via the tailnet.
#
# Grafana listens on a unix socket (no TCP listener); Caddy proxies that
# socket under `domain`, and Headscale publishes a DNS record for `domain`.
# The Grafana admin credentials are read at startup from sops-managed files
# via Grafana's `$__file{...}` syntax, so they never appear in the Nix store.
{config, ...}:
let
  domain = "monitoring.everest.tailscale";

  # Both admin secrets are owned by the grafana user/group so the service can
  # read them; nothing else is changed about them.
  grafanaOwned = {
    owner = "grafana";
    group = "grafana";
  };

  # Build a Grafana `$__file{...}` reference to the decrypted path of a sops
  # secret, e.g. secretFile "grafanaAdmin/username".
  secretFile = name: "$__file{${config.sops.secrets.${name}.path}}";
in
{
  # Caddy must be in the grafana group to open the unix socket below.
  users.users.caddy.extraGroups = ["grafana"];

  sops.secrets = {
    "grafanaAdmin/username" = grafanaOwned;
    "grafanaAdmin/password" = grafanaOwned;
  };

  services.grafana = {
    enable = true;

    provision = {
      enable = true;
      datasources.settings = {
        apiVersion = 1;
      };
    };

    settings = {
      # Opt out of usage reporting to Grafana Labs.
      analytics.reporting_enabled = false;

      security = {
        admin_user = secretFile "grafanaAdmin/username";
        admin_password = secretFile "grafanaAdmin/password";
        # TLS is terminated by Caddy, so cookies/HSTS/CSP are set on the
        # assumption that all browser traffic arrives over https.
        cookie_secure = true;
        strict_transport_security = true;
        content_security_policy = true;
      };

      server = {
        # Unix socket only; the socket path comes from the NixOS module's
        # default for settings.server.socket (referenced by Caddy below).
        protocol = "socket";
        root_url = "https://${domain}";
      };
    };
  };

  # Resolve the dashboard hostname inside the tailnet.
  services.headscale.settings.dns.extra_records = [
    {
      name = domain;
      type = "A";
      value = "100.100.0.1";
    }
  ];

  # NOTE(review): `import tailscale` expects a Caddy snippet named
  # "tailscale" defined elsewhere in the Caddy config — confirm it exists.
  services.caddy.virtualHosts.grafana = {
    hostName = domain;
    extraConfig = ''
      import tailscale
      reverse_proxy unix/${config.services.grafana.settings.server.socket}
    '';
  };
}