{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (builtins) fetchurl;
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;

  cfg = config.modules.system.services.grafana;
  domain = "info.copeberg.org";
  port = 4021;
in {
  options.modules.system.services.grafana.enable = mkEnableOption "Grafana, a graphing service";

  config = mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [config.services.grafana.settings.server.http_port];

    modules.system.services.database.postgresql.enable = true;

    services.grafana = {
      enable = true;
      package = pkgs.grafana;

      settings = {
        server = {
          http_addr = "127.0.0.1";
          http_port = port;

          root_url = "https://${domain}";
          domain = domain;
          enforce_domain = true;
        };
        database = {
          type = "postgres";
          host = "/run/postgresql";
          name = "grafana";
          user = "grafana";
          ssl_mode = "disable";
        };

        analytics = {
          reporting_enabled = false;
          check_for_updates = false;
        };

        users.allow_signup = false;
      };
      provision = {
        enable = true;
        datasources.settings = {
          datasources = [
            (mkIf config.modules.system.services.prometheus.enable {
              name = "Prometheus";
              type = "prometheus";
              access = "proxy";
              url = "http://127.0.0.1:${toString config.services.prometheus.port}";
              isDefault = true;
            })

            (mkIf config.modules.system.services.database.postgresql.enable {
              name = "PostgreSQL";
              type = "postgres";
              access = "proxy";
              url = "127.0.0.1:${toString config.services.prometheus.exporters.postgres.port}";
            })
          ];
        };
        dashboards.settings.providers = [
          {
            # taken from https://grafana.com/grafana/dashboards/1860-node-exporter-full/
            name = "system-status";
            options.path = fetchurl {
              url = "https://grafana.com/api/dashboards/1860/revisions/40/download";
              sha256 = "sha256-zTsS/UEX6W8+qK3l2GtvdDfmwS8eVnnyZxZ++LtRLBA=";
            };
          }
          {
            # taken from https://grafana.com/grafana/dashboards/9628-postgresql-database/
            name = "PostgreSQL-status";
            options.path = fetchurl {
              url = "https://grafana.com/api/dashboards/9628/revisions/8/download";
              sha256 = "sha256-UhusNAZbyt7fJV/DhFUK4FKOmnTpG0R15YO2r+nDnMc=";
            };
          }
        ];
      };
    };
    services.nginx = {
      enable = true;
      virtualHosts.${domain} = {
        addSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://localhost:${toString port}";
        };
      };
    };
  };
}