{ config, ... }: { systemd.services.grafana.after = [ "prometheus.service" ]; services.grafana = { enable = true; settings = { analytics.reporting_enabled = false; analytics.feedback_links_enabled = false; "auth.anonymous".enabled = true; # https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/github/ "auth.github" = { enabled = true; client_id = "ea6aa36488df8b2dede6"; client_secret = "$__file{${config.sops.secrets.grafana-client-secret.path}}"; auth_url = "https://github.com/login/oauth/authorize"; token_url = "https://github.com/login/oauth/access_token"; api_url = "https://api.github.com/user"; allow_sign_up = true; auto_login = false; allowed_organizations = [ "nix-community" ]; role_attribute_strict = true; allow_assign_grafana_admin = true; role_attribute_path = "contains(groups[*], '@nix-community/admin') && 'GrafanaAdmin' || 'Editor'"; }; server = { root_url = "https://monitoring.nix-community.org/grafana/"; domain = "monitoring.nix-community.org"; enforce_domain = true; enable_gzip = true; }; database = { type = "postgres"; name = "grafana"; host = "/run/postgresql"; user = "grafana"; }; security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}"; }; provision.datasources.settings.datasources = [ { name = "prometheus"; type = "prometheus"; isDefault = true; url = "http://localhost:9090"; } ]; }; services.telegraf.extraConfig.inputs.prometheus.urls = [ "http://localhost:3000/metrics" ]; sops.secrets.grafana-admin-password.owner = "grafana"; sops.secrets.grafana-client-secret.owner = "grafana"; services.postgresql = { enable = true; ensureDatabases = [ "grafana" ]; ensureUsers = [{ name = "grafana"; ensureDBOwnership = true; }]; }; }