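# NixOS module: Grafana served behind the local nginx reverse proxy, backed by
# a local PostgreSQL database, with its secrets supplied as files at runtime.
{ config, inputs, lib, ... }:
with lib;
let
  cfg = config.nixfiles.modules.grafana;
in
{
  options.nixfiles.modules.grafana = {
    # mkEnableOption already prepends "Whether to enable " and appends ".",
    # so only the service name is passed; the old text rendered the phrase twice.
    enable = mkEnableOption "Grafana";

    port = mkOption {
      description = "Port.";
      type = types.port;
      default = 30101;
    };

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      # NOTE(review): the type admits null, but cfg.domain is used below as the
      # nginx virtual host name and inherited into services.grafana.domain, so
      # null looks unsupported. Confirm and consider narrowing to `str`.
      type = with types; nullOr str;
      # The default interpolates networking.domain, which therefore has to be
      # set whenever this option is left at its default.
      default = "grafana.${config.networking.domain}";
    };
  };

  config = mkIf cfg.enable {
    # Secret material is referenced by file and handed to Grafana by path (see
    # `security` below), so the values do not appear in this module. Both
    # files are owned by the grafana user and group.
    # NOTE(review): presumably the files under secrets/ are stored encrypted
    # and decrypted at activation by the `secrets` module; confirm.
    secrets = {
      grafana-admin-password = {
        file = "${inputs.self}/secrets/grafana-admin-password";
        owner = "grafana";
        group = "grafana";
      };
      grafana-key = {
        file = "${inputs.self}/secrets/grafana-key";
        owner = "grafana";
        group = "grafana";
      };
    };

    nixfiles.modules = {
      nginx = {
        enable = true;
        # nginx is the only externally reachable entry point; Grafana itself
        # listens on loopback only. The upstream hop is plain HTTP.
        # NOTE(review): TLS for this virtual host is not configured here;
        # presumably nixfiles.modules.nginx enforces it. Confirm, since the
        # admin login travels through this vhost.
        virtualHosts.${cfg.domain}.locations."/" = {
          proxyPass = "http://127.0.0.1:${toString cfg.port}";
          proxyWebsockets = true;
        };
      };
      postgresql.enable = true;
    };

    services =
      let
        # The database name and the database role share this one name.
        db = "grafana";
      in
      {
        grafana = {
          enable = true;
          inherit (cfg) domain port;
          protocol = "http";
          # Loopback bind: the service is not exposed directly on the network.
          addr = "127.0.0.1";
          # Usage reporting is switched off.
          analytics.reporting.enable = false;
          database = {
            type = "postgres";
            # Unix socket directory rather than a TCP host; no database
            # password is configured in this module.
            # NOTE(review): presumably this relies on peer authentication for
            # the grafana system user; confirm against pg_hba.conf.
            host = "/run/postgresql";
            name = db;
            user = db;
          };
          # Signing key and initial admin password are read from the secret
          # files declared above.
          security = with config.secrets; {
            secretKeyFile = grafana-key.path;
            adminPasswordFile = grafana-admin-password.path;
          };
          # NOTE(review): "warn" drops lower-severity log entries; confirm
          # that access and login activity is still recorded somewhere, for
          # example in the nginx access log.
          extraOptions.LOG_LEVEL = "warn";
        };

        postgresql = {
          ensureDatabases = [ db ];
          ensureUsers = [
            {
              name = db;
              # The grant is scoped to the grafana database only.
              ensurePermissions."DATABASE \"${db}\"" = "ALL PRIVILEGES";
            }
          ];
        };
      };
  };
}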