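{ config, ... }:
let
  # Public hostname of this Grafana instance; doubles as the nginx vhost name
  # and as the OAuth redirect target registered with Authelia below.
  svc_domain = "grafana.${config.mine.shared.settings.domain}";
  # Hostname of the Authelia OIDC provider.
  auth_domain = config.mine.shared.settings.authelia.domain;
  # System user Grafana runs as; owns the data dir and the OIDC client secret.
  grafana_user = config.systemd.services.grafana.serviceConfig.User;
  # Address/port Grafana binds to. The nginx proxy_pass must use exactly this
  # address: "localhost" may resolve to ::1 first, and Grafana only listens on
  # the IPv4 loopback configured in server.http_addr.
  grafana_addr = config.services.grafana.settings.server.http_addr;
  grafana_port = toString config.services.grafana.settings.server.http_port;
in
{
  services.grafana = {
    enable = true;
    settings = {
      server = {
        # Loopback only; nginx terminates TLS and proxies in.
        http_addr = "127.0.0.1";
        http_port = 3010;
        root_url = "https://${svc_domain}";
      };

      # Only allow sign-in with OAuth (Authelia); hide the local login form.
      auth.disable_login_form = true;

      "auth.generic_oauth" = {
        enabled = true;
        name = "Authelia";
        icon = "signin";
        client_id = "grafana";
        # The plaintext client secret is read at runtime from the age-decrypted
        # file, so it never lands in the world-readable Nix store.
        client_secret = "$__file{${config.age.secrets.grafana-authelia-secret.path}}";
        scopes = "openid profile email groups";
        empty_scopes = false;
        auth_url = "https://${auth_domain}/api/oidc/authorization";
        token_url = "https://${auth_domain}/api/oidc/token";
        api_url = "https://${auth_domain}/api/oidc/userinfo";
        login_attribute_path = "preferred_username";
        groups_attribute_path = "groups";
        name_attribute_path = "name";
        use_pkce = true;
        # JMESPath mapping of Authelia groups to Grafana roles; users in
        # neither the admin nor the editor group fall back to Viewer.
        role_attribute_path = config.mine.shared.lib.ldap.mkScope (lconfig: llib:
          "contains(groups, '${lconfig.groups.grafana_admin}') && 'Admin' || contains(groups, 'editor') && 'Editor' || 'Viewer'"
        );
      };
    };

    provision = {
      enable = true;
      # dashboards.settings.providers = [{
      #   name = "my dashboards";
      #   options.path = "/etc/grafana-dashboards";
      # }];
      datasources.settings.datasources = [
        {
          name = "Prometheus";
          type = "prometheus";
          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
        }
      ];
    };
  };

  # Authelia: register Grafana as an OIDC client. The client_secret here is a
  # pbkdf2-sha512 digest (Authelia accepts hashed client secrets), not the
  # secret itself; it must correspond to the plaintext stored in the age secret.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "grafana";
    client_name = "Grafana";
    client_secret = "$pbkdf2-sha512$310000$81MV1.67njuS/5H2UvVsnA$vaNO3/tzVA76Jho4ngS.xFjDuYn1sDn/9qo7cD0ueMnVvzaoJj00ND5wCGzVSUnvLuxNE/enC1K5r7xKAe/Hrg";
    redirect_uris = [ "https://${svc_domain}/login/generic_oauth" ];
    scopes = [ "openid" "email" "profile" "groups" ];
  }];

  # Keep Grafana's state across reboots of the ephemeral root.
  environment.persistence.root.directories = [ config.services.grafana.dataDir ];

  # Recursively fix ownership/mode of the data dir so the service user can use it.
  systemd.tmpfiles.rules = [
    "Z ${config.services.grafana.dataDir} 0770 ${grafana_user} ${grafana_user} -"
  ];

  # Decrypted secret is readable only by the Grafana service user.
  age.secrets.grafana-authelia-secret.owner = grafana_user;

  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    # Proxy to the exact loopback address Grafana binds to (see grafana_addr).
    locations."/".proxyPass = "http://${grafana_addr}:${grafana_port}";
  };
}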