nix-stuff/roles/server/grafana.nix


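{
  config,
  flakeSelf,
  ...
}: let
  # Hostname under which Grafana is reachable. It is meant to resolve
  # only inside the tailnet: headscale serves the A record below and
  # Caddy fronts Grafana on it.
  domain = "monitoring.everest.tailscale";

  # Tailnet address the `domain` record points at. Hoisted out of the
  # headscale record so the name and the address are declared side by side.
  # NOTE(review): hard-coded; nothing here ties it to this host's own
  # tailscale address, so re-check it whenever the host or its IP changes.
  tailnetAddress = "100.100.0.1";

  # Per-host directory inside the secrets flake input: <secrets>/<hostName>/
  hostSecrets = "${flakeSelf.inputs.secrets}/${config.networking.hostName}/";

  # Builds an agenix secret definition owned by the grafana service user.
  # agenix's default mode is owner-only (0400). caddy is a member of the
  # grafana group (see users.users.caddy below), so do not widen these
  # secrets to group-readable or the proxy gains read access to the
  # admin credentials.
  grafanaSecret = name: {
    file = hostSecrets + "grafana/${name}.age";
    owner = "grafana";
    group = "grafana";
  };
in {
  # Grafana only listens on a unix socket (server.protocol = "socket" below);
  # caddy joins the grafana group so it is allowed to connect to that socket.
  users.users.caddy.extraGroups = ["grafana"];

  age.secrets = {
    grafanaAdminName = grafanaSecret "admin_name";
    grafanaAdminPassword = grafanaSecret "admin_password";
  };

  services = {
    grafana = {
      enable = true;

      provision = {
        enable = true;
        # Empty datasource provisioning file; datasources are declared elsewhere.
        datasources.settings.apiVersion = 1;
      };

      settings = {
        # Do not phone home with usage statistics.
        analytics.reporting_enabled = false;

        security = {
          # Admin credentials are read from the agenix-decrypted files at
          # runtime via Grafana's $__file{} expansion, so the values never
          # appear in the generated grafana.ini.
          # NOTE(review): Grafana uses admin_user/admin_password when it
          # creates the admin account on first start; rotating the secret
          # afterwards does not change an already-existing account's
          # password -- confirm against the running instance.
          admin_user = "$__file{${config.age.secrets.grafanaAdminName.path}}";
          admin_password = "$__file{${config.age.secrets.grafanaAdminPassword.path}}";
          # Session cookies carry the Secure flag; TLS is terminated by Caddy.
          cookie_secure = true;
          # NOTE(review): Grafana itself only sees plain traffic on the unix
          # socket; verify the HSTS header actually reaches the browser
          # behind the proxy, otherwise set it in the Caddy vhost instead.
          strict_transport_security = true;
          content_security_policy = true;
        };

        server = {
          # Unix socket only: no TCP listener is opened, Caddy proxies to it.
          protocol = "socket";
          # Public URL used for redirects and absolute links; must match the
          # Caddy vhost below, otherwise redirects and Secure cookies break.
          root_url = "https://${domain}";
        };
      };
    };

    # Make `domain` resolvable for tailnet clients via headscale's DNS.
    headscale.settings.dns.extra_records = [
      {
        name = domain;
        type = "A";
        value = tailnetAddress;
      }
    ];

    # TLS-terminating reverse proxy in front of the Grafana socket.
    # `tailscale` is a Caddy snippet defined elsewhere in this configuration.
    # NOTE(review): presumably it restricts the vhost to tailnet clients
    # and/or provisions certificates -- verify what the snippet does, since
    # it is the only access control in front of Grafana here.
    caddy.virtualHosts.grafana = {
      hostName = domain;
      extraConfig = ''
        import tailscale
        reverse_proxy unix/${config.services.grafana.settings.server.socket}
      '';
    };
  };
}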