{ config, ... }: let inherit (config.networking) domain; grafana_host = "grafana.${domain}"; grafana_port = 8082; in { age.secrets.grafana_admin_pass = { file = ../secrets/grafana_admin_pass.age; owner = "grafana"; group = "grafana"; mode = "0600"; }; security.acme.certs."${domain}".extraDomainNames = [ grafana_host ]; services.grafana = { enable = true; settings = { security = { admin_user = "admin"; admin_email = "admin@${domain}"; admin_password = "$__file{${config.age.secrets.grafana_admin_pass.path}}"; }; server = { domain = grafana_host; root_url = "https://${grafana_host}"; http_port = grafana_port; }; }; }; services.nginx = { enable = true; virtualHosts."${grafana_host}" = { serverName = grafana_host; forceSSL = true; useACMEHost = domain; locations."/" = { proxyPass = "http://127.0.0.1:${builtins.toString config.services.grafana.settings.server.http_port}"; proxyWebsockets = true; }; }; }; }