adonis/config/monitoring/grafana.nix

{config, ...}: let
  cfg = config.services.grafana;
  owner = config.customOps.owner;
  domain = config.customOps.domain.fqdn;
  hostname = config.networking.hostName;
  subdomain = "${hostname}.${domain}";

  dashboardsDir = ./dashboards;
  dashboardFiles = builtins.attrNames (builtins.readDir dashboardsDir);
in {
  sops.secrets."grafana/admin_password".owner = "grafana";

  services.nginx.virtualHosts."${subdomain}" = {
    locations."/" = {
      proxyPass = "http://${
        toString cfg.settings.server.http_addr
      }:${
        toString cfg.settings.server.http_port
      }";
      proxyWebsockets = true;
      recommendedProxySettings = true;
    };
    forceSSL = true;
    enableACME = true;
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        http_addr = "127.0.0.1";
        http_port = 3030;
        domain = subdomain;
        enforce_domain = true;
        enable_gzip = true;
      };
      security = {
        disable_initial_admin_creation = false;
        admin_user = owner;
        admin_email = "admin.grafana@${domain}";
        admin_password = "$__file{${
          config.sops.secrets."grafana/admin_password".path
        }}";
        disable_brute_force_login_protection = false;
        brute_force_login_protection_max_attempts = 3;
        disable_username_login_protection = false;
        disable_ip_address_login_protection = false;
        cookie_secure = true;
        cookie_samesite = "strict";
      };
      analytics = {
        reporting_enabled = false;
        check_for_updates = false;
      };
    };

    provision = {
      enable = true;
      dashboards.settings.providers = [
        {
          name = "dashboards";
          disableDeletion = true;
          options = {
            path = "/etc/grafana-dashboards";
            foldersFromFilesStructure = true;
          };
        }
      ];

      datasources.settings.datasources = [
        {
          name = "prometheus";
          type = "prometheus";
          url = "http://${
            config.services.prometheus.listenAddress
          }:${
            toString config.services.prometheus.port
          }";
          isDefault = true;
          editable = false;
        }
      ];
    };
  };

  environment.etc = builtins.listToAttrs (map (
      name: {
        name = "grafana-dashboards/" + name;
        value = {source = dashboardsDir + ("/" + name);};
      }
    )
    dashboardFiles);
}