{ config, pkgs, ... }:
let
  # Public name under which Grafana is reached; Caddy terminates TLS for it.
  grafanaHost = "grafana-test.home.2rjus.net";
  # Kanidm identity provider; every OIDC endpoint below hangs off this base.
  kanidmBase = "https://auth.home.2rjus.net";
  # Host-specific name on which Caddy serves its own metrics over plain HTTP.
  metricsHost = "${config.networking.hostName}.home.2rjus.net";
in
{
  ##### Grafana #####
  services.grafana = {
    enable = true;

    settings = {
      # Listen on loopback only: Caddy is the sole client and fronts it with TLS.
      server = {
        http_addr = "127.0.0.1";
        http_port = 3000;
        domain = grafanaHost;
        root_url = "https://${grafanaHost}/";
      };

      # No unauthenticated access.
      "auth.anonymous".enabled = false;

      # OIDC login against Kanidm.
      "auth.generic_oauth" = {
        enabled = true;
        name = "Kanidm";
        client_id = "grafana";
        # Read from a file at startup instead of being embedded in the
        # generated grafana.ini; presumably the file written by
        # vault.secrets.grafana-oauth2 below.
        client_secret = "$__file{/run/secrets/grafana-oauth2}";
        auth_url = "${kanidmBase}/ui/oauth2";
        token_url = "${kanidmBase}/oauth2/token";
        api_url = "${kanidmBase}/oauth2/openid/grafana/userinfo";
        scopes = "openid profile email groups";
        # Kanidm requires PKCE; it also binds the authorization code to this client.
        use_pkce = true;

        # Which userinfo claims populate the Grafana user record.
        email_attribute_path = "email";
        login_attribute_path = "preferred_username";
        name_attribute_path = "name";

        # JMESPath over the userinfo claims: members of `admins` get Admin,
        # everyone else falls through to Editor so they can use Explore.
        # Combined with allow_sign_up = true, any account Kanidm lets through
        # to this client gets an Editor account on first login.
        role_attribute_path = "contains(groups[*], 'admins') && 'Admin' || 'Editor'";
        allow_sign_up = true;
      };
    };

    # Datasources and dashboards are provisioned from this module, not via the UI.
    provision = {
      datasources.settings = {
        apiVersion = 1;
        datasources = [
          {
            name = "VictoriaMetrics";
            type = "prometheus";
            url = "http://localhost:8428";
            isDefault = true;
            uid = "victoriametrics";
          }
          {
            name = "Prometheus (monitoring01)";
            type = "prometheus";
            url = "http://monitoring01.home.2rjus.net:9090";
            uid = "prometheus";
          }
          {
            name = "Loki";
            type = "loki";
            url = "http://localhost:3100";
            uid = "loki";
          }
        ];
      };

      dashboards.settings = {
        apiVersion = 1;
        providers = [
          {
            name = "homelab";
            type = "file";
            options.path = ./dashboards;
            # Dashboards that disappear from ./dashboards are kept in the DB.
            disableDeletion = true;
          }
        ];
      };
    };
  };

  ##### OAuth2 client secret, delivered by Vault #####
  vault.secrets.grafana-oauth2 = {
    secretPath = "services/grafana/oauth2-client-secret";
    extractKey = "password";
    services = [ "grafana" ];
    # Only the grafana service account needs to read the secret file.
    owner = "grafana";
    group = "grafana";
  };

  ##### Caddy: TLS termination in front of Grafana #####
  services.caddy = {
    enable = true;
    package = pkgs.unstable.caddy;

    # Certificates come from the internal Vault PKI via ACME.
    globalConfig = ''
      acme_ca https://vault.home.2rjus.net:8200/v1/pki_int/acme/directory
      metrics
    '';

    virtualHosts.${grafanaHost}.extraConfig = ''
      log {
        output file /var/log/caddy/grafana.log {
          mode 644
        }
      }
      reverse_proxy http://127.0.0.1:3000
    '';
    # NOTE(review): mode 644 leaves the access log world-readable on this host;
    # confirm that is intended.

    # Caddy's own metrics, unauthenticated over plain HTTP, for the scrape job below.
    extraConfig = ''
      http://${metricsHost}/metrics {
        metrics
      }
    '';
  };

  ##### Prometheus scrape target for the Caddy metrics vhost above #####
  homelab.monitoring.scrapeTargets = [
    {
      job_name = "caddy";
      port = 80;
    }
  ];
}