# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module for the Grafana instance at grafana.dgnum.eu: Grafana itself,
# its local PostgreSQL database, the reverse-proxy entry and the age secrets
# the service reads at runtime.
{ config, ... }:

let
  # Public hostname and local listen port. Both are reused below for the
  # Grafana server settings and for the dgn-web reverse-proxy entry, so they
  # cannot drift apart.
  host = "grafana.dgnum.eu";
  port = 3033;

  # Builds a Grafana `$__file{...}` reference to the agenix secret named
  # `grafana-<name>_file`. Only the secret's path ends up in the rendered
  # grafana.ini (and thus in the Nix store); Grafana reads the value at start.
  file = name: "$__file{${config.age.secrets."grafana-${name}_file".path}}";
in

{
  services = {
    grafana = {
      enable = true;

      settings = {
        # OpenID Connect login against the Kanidm SSO. The client secret is
        # supplied via `file` (never inline), and PKCE is enabled.
        "auth.generic_oauth" = {
          api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo";
          auth_url = "https://sso.dgnum.eu/ui/oauth2";
          client_id = "dgn_grafana";
          client_secret = file "oauth_client_secret";
          enabled = true;
          # The stable subject claim identifies the user; the login name is
          # taken from preferred_username.
          id_token_attribute_name = "sub";
          login_attribute_path = "preferred_username";
          name = "Kanidm";
          scopes = "email,openid,profile";
          token_url = "https://sso.dgnum.eu/oauth2/token";
          use_pkce = true;
        };

        # Local PostgreSQL over the Unix socket directory. No password is set
        # here, so this relies on local socket authentication for the
        # `grafana` role created by `services.postgresql` below.
        database = {
          type = "postgres";
          user = "grafana";
          host = "/run/postgresql";
        };

        # Do not create the default local `admin` account on first start;
        # administrative access comes through the SSO login instead.
        security.disable_initial_admin_creation = true;

        server = {
          domain = host;
          enable_gzip = true;
          # Requests whose Host header does not match `domain` are redirected
          # to root_url by Grafana.
          enforce_domain = true;
          http_port = port;
          root_url = "https://${host}";
          # Logs every HTTP request handled by Grafana; useful for auditing,
          # but verbose.
          router_logging = true;
        };

        # Outgoing mail for Grafana notifications, over the submission port
        # (587). The password is an agenix secret referenced via `file`.
        smtp = {
          enabled = true;
          from_address = "grafana@infra.dgnum.eu";
          host = "kurisu.lahfa.xyz:587";
          password = file "smtp_password";
          user = "web-services@infra.dgnum.eu";
        };

        users = {
          default_theme = "system";
          default_language = "en-GB";
          # NOTE(review): every user who logs in gets the Admin role in the
          # default org — including first-time SSO users, unless
          # allow_sign_up is disabled (it is left at its default here).
          # This is only acceptable while the Kanidm client `dgn_grafana` is
          # restricted to trusted accounts; otherwise derive roles from SSO
          # group claims (role_attribute_path) instead of a blanket Admin.
          auto_assign_org_role = "Admin";
        };
      };
    };

    # Provision the database and an owning role matching the Grafana DB user
    # configured above.
    postgresql = {
      ensureDatabases = [ "grafana" ];
      ensureUsers = [
        {
          name = "grafana";
          ensureDBOwnership = true;
        }
      ];
    };
  };

  # Expose Grafana through the shared dgn-web reverse proxy on `host`,
  # forwarding to the local `port`. Websocket proxying is kept on, presumably
  # for Grafana's live/streaming features — confirm if it is ever disabled.
  dgn-web.simpleProxies.grafana = {
    inherit host port;
    proxyWebsockets = true;
  };

  # NOTE(review): looks like this pulls in every age secret whose name starts
  # with "grafana" (the ones `file` references) — confirm against the
  # age-secrets module's autoMatch semantics.
  age-secrets.autoMatch = [ "grafana" ];
}