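# NixOS module: Grafana behind the local nginx reverse proxy, backed by the
# local PostgreSQL instance. Secrets are delivered through `$__file{...}`
# references so none of them are written into the world-readable Nix store.
{ config, inputs, lib, ... }:

with lib;

let
  # Shorthand for this module's own options.
  cfg = config.nixfiles.modules.grafana;
in
{
  options.nixfiles.modules.grafana = {
    enable = mkEnableOption "Grafana";

    port = mkOption {
      description = "Port.";
      type = with types; port;
      default = 30101;
    };

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = with types; nullOr str;
      default = "grafana.${config.networking.domain}";
    };
  };

  config =
    let
      # Single name shared by the PostgreSQL database and the role that owns it.
      db = "grafana";
    in
    mkIf cfg.enable {
      # Decrypted secret files, owned by the grafana service user so only it
      # (and root) can read them.
      secrets = {
        grafana-key = {
          file = "${inputs.self}/secrets/grafana-key";
          owner = "grafana";
          group = "grafana";
        };
        grafana-admin-password = {
          file = "${inputs.self}/secrets/grafana-admin-password";
          owner = "grafana";
          group = "grafana";
        };
        grafana-smtp-password = {
          file = "${inputs.self}/secrets/smtp-password";
          owner = "grafana";
          group = "grafana";
        };
      };

      nixfiles.modules = {
        nginx = {
          enable = true;
          # Grafana only listens on loopback (see server.http_addr below);
          # nginx is the sole externally reachable entry point.
          upstreams.grafana.servers."127.0.0.1:${toString cfg.port}" = { };
          virtualHosts.${cfg.domain} = {
            locations."/" = {
              proxyPass = "http://grafana";
              proxyWebsockets = true;
            };
            # Restricts the vhost to internal clients.
            extraConfig = nginxInternalOnly;
          };
        };

        postgresql = {
          enable = true;
          # Needed on PostgreSQL >= 15, where CREATE on the public schema is
          # no longer granted to every role by default.
          extraPostStart = [
            ''
              $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
            ''
          ];
        };
      };

      services = {
        grafana = {
          enable = true;
          settings = {
            server = with cfg; {
              protocol = "http";
              # Loopback only: TLS termination and access control are nginx's job.
              http_addr = "127.0.0.1";
              http_port = port;
              inherit domain;
              enable_gzip = true;
              # NOTE(review): root_url is left at Grafana's default, which is
              # derived from protocol/domain/http_port; behind the proxy the
              # links Grafana generates may carry the wrong scheme or port —
              # confirm and set root_url explicitly if so.
            };

            database = {
              type = "postgres";
              # Unix socket + peer auth; no database password involved.
              host = "/run/postgresql";
              name = db;
              user = db;
            };

            smtp = {
              enable = true;
              user = "azahi@shire.net";
              # NOTE(review): Grafana expects smtp.host as `host:port`;
              # confirm my.domain.shire carries the port.
              host = my.domain.shire;
              password = "$__file{${config.secrets.grafana-smtp-password.path}}";
            };

            # Closed registration: no self-service sign-up or org creation,
            # and any auto-assigned role is read-only.
            user = {
              allow_org_create = false;
              allow_sign_up = false;
              auto_assign_org = false;
              auto_assign_org_role = "Viewer";
            };

            security = with config.secrets; {
              secret_key = "$__file{${grafana-key.path}}";
              admin_password = "$__file{${grafana-admin-password.path}}";
            };

            # Grafana's key is `reporting_enabled`; the former spelling
            # `reporting_enable` is not a recognised setting, so usage
            # reporting stayed at its default (on).
            analytics.reporting_enabled = false;
          };
        };

        postgresql = {
          ensureDatabases = [ db ];
          ensureUsers = [
            {
              name = db;
              # NOTE(review): ensurePermissions has been deprecated in recent
              # NixOS releases in favour of ensureDBOwnership; adjust if the
              # pinned nixpkgs rejects it.
              ensurePermissions."DATABASE \"${db}\"" = "ALL";
            }
          ];
        };
      };
    };
}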