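# NixOS module for the "grafana" host: Grafana behind an nginx/ACME reverse
# proxy, plus an InfluxDB instance that ingests collectd metrics over UDP.
# Grafana's admin password and secret key are supplied through sops-nix.
{ config, pkgs, ... }:

let
  inherit (pkgs) lib;

  # Units that get Restart=always with a 60 s back-off (see systemd.services).
  restartServices = [ "grafana" "influxdb" ];
in
{
  microvm.mem = 4096;

  c3d2.deployment = {
    server = "server10";
    mounts = [ "etc" "home" "var" ];
  };

  c3d2.isInHq = false;

  services.openssh.enable = true;

  networking.hostName = "grafana";

  # http https influxdb
  # NOTE(review): 8086 exposes the InfluxDB HTTP API beyond localhost, and no
  # `http.auth-enabled` setting is visible in extraConfig below. Confirm that
  # authentication or a source-address restriction is in place.
  networking.firewall.allowedTCPPorts = [ 80 443 8086 ];
  # collectd
  # NOTE(review): the collectd listener below sets no `security-level` /
  # `auth-file`, so it presumably accepts unsigned packets from any sender
  # that can reach this port. Verify against the network layout.
  networking.firewall.allowedUDPPorts = [ 25826 ];

  services.nginx = {
    enable = true;
    virtualHosts = {
      "grafana.hq.c3d2.de" = {
        default = true;
        enableACME = true;
        forceSSL = true;
        locations = {
          "/".proxyPass = "http://localhost:3000/";
        };
      };
    };
  };

  services.grafana = {
    enable = true;

    provision = {
      enable = true;

      # curl https://root:SECRET@grafana.hq.c3d2.de/api/datasources | jq > hosts/grafana/datasources.json
      #
      # datasources.json is read at evaluation time, so every inherited field,
      # including `password`, is copied into the world-readable Nix store.
      # Keep real credentials out of that file; a sops-managed file referenced
      # through `$__file{...}` (as done for `security` below) avoids the store.
      datasources.settings.datasources = map
        (datasource: {
          inherit (datasource)
            name type access orgId url password user database isDefault jsonData;
        })
        (with builtins; fromJSON (readFile ./datasources.json));

      # NOTE(review): the provider entry nests a second settings/providers
      # structure. Confirm Grafana picks up the "c3d2" provider name as intended.
      dashboards.settings.providers = [
        {
          settings = {
            apiVersion = 1;
            providers = [
              { name = "c3d2"; }
            ];
          };
          # for id in `curl https://root:SECRET@grafana.hq.c3d2.de/api/search | jq -j 'map(.uid) | join(" ")'`; do curl https://root:SECRET@grafana.hq.c3d2.de/api/dashboards/uid/$id | jq .dashboard > hosts/grafana/dashboards/$id.json;done
          options.path = ./dashboards;
        }
      ];
    };

    settings = {
      "auth.anonymous" = {
        enabled = false;
        org_name = "Chaos";
      };
      # `$__file{...}` makes Grafana read the value from the sops-decrypted
      # path at runtime, so only the path ends up in the generated config.
      security = {
        admin_password = "$__file{${config.sops.secrets."grafana/admin-password".path}}";
        secret_key = "$__file{${config.sops.secrets."grafana/secret-key".path}}";
      };
      server.domain = "grafana.hq.c3d2.de";
      users.allow_sign_up = false;
    };
  };

  services.influxdb =
    let
      # Stock collectd types.db extended with the custom "stations" gauge.
      collectdTypes = pkgs.runCommand "collectd-types" { } ''
        mkdir -p $out/share/collectd
        cat ${pkgs.collectd-data}/share/collectd/types.db >> $out/share/collectd/types.db
        echo "stations value:GAUGE:0:U" >> $out/share/collectd/types.db
      '';
    in
    {
      enable = true;
      extraConfig = {
        # Debug logging is verbose; drop to a quieter level once it is no
        # longer needed for troubleshooting.
        logging.level = "debug";
        collectd = [{
          enabled = true;
          database = "collectd";
          typesdb = "${collectdTypes}/share/collectd/types.db";
          # create retention policy "30d" on collectd duration 30d replication 1 default
          retention-policy = "30d";
        }];
      };
    };

  # mkMerge is used instead of `//`: `//` is a shallow update, so the
  # influxdb override would replace the whole `influxdb` attribute and
  # silently drop its Restart/RestartSec settings.
  systemd.services = lib.mkMerge [
    (lib.genAttrs restartServices (_: {
      serviceConfig = {
        RestartSec = 60;
        Restart = "always";
      };
    }))
    {
      # work around our slow storage that can't keep up
      influxdb.serviceConfig = {
        LimitNOFILE = "1048576:1048576";
        TimeoutStartSec = "infinity";
      };
    }
  ];

  environment.systemPackages = with pkgs; [ influxdb ];

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Both secrets are owned by the account the grafana unit runs as, so the
    # service can resolve the `$__file{...}` references above.
    secrets = {
      "grafana/admin-password" = {
        group = config.systemd.services.grafana.serviceConfig.User;
        owner = config.systemd.services.grafana.serviceConfig.User;
      };
      "grafana/secret-key" = {
        group = config.systemd.services.grafana.serviceConfig.User;
        owner = config.systemd.services.grafana.serviceConfig.User;
      };
    };
  };

  system.stateVersion = "22.05";
}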