{config, ...}: {
  # Add grafana user to the inlfuxdb2 group (for secret)
  users.users.grafana.extraGroups = ["influxdb2"];
  services.grafana.enable = true;
  services.grafana.settings = {
    server = {
      http_port = 3000;
      http_addr = "0.0.0.0";
      # Grafana needs to know on which domain and URL it's running
      domain = "grafana.procopius.dk";
      root_url = "https://grafana.procopius.dk"; # Not needed if it is `https://your.domain/`
      # serve_from_sub_path = true;
      oauth_auto_login = false;
    };
    "auth.generic_oauth" = {
      enabled = false;
    };
    "auth" = {
      disable_login_form = false;
    };
  };

  networking.firewall.allowedTCPPorts = [3000];

  services.grafana = {
    # declarativePlugins = with pkgs.grafanaPlugins; [ ... ];

    provision = {
      enable = true;

      datasources.settings.datasources = [
        # "Built-in" datasources can be provisioned - c.f. https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
        {
          uid = "prometheus";
          name = "Prometheus";
          type = "prometheus";
          url = "http://127.0.0.1:${toString config.services.prometheus.port}";
        }
        {
          uid = "loki";
          name = "Loki";
          type = "loki";
          url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}";
        }
        {
          uid = "influxdb";
          name = "InfluxDB";
          type = "influxdb";
          url = "http://127.0.0.1:8086";
          access = "proxy";
          jsonData = {
            dbName = "proxmox";
            httpHeaderName1 = "Authorization";
          };
          secureJsonData = {
            httpHeaderValue1 = "$__file{${config.sops.secrets."influxdb/token".path}}";
          };
        }
      ];

      # Note: removing attributes from the above `datasources.settings.datasources` is not enough for them to be deleted on `grafana`;
      # One needs to use the following option:
      # datasources.settings.deleteDatasources = [ { name = "prometheus"; orgId = 1; } { name = "loki"; orgId = 1; } ];

      dashboards.settings.providers = [
        {
          name = "my dashboards";
          options.path = "/etc/grafana-dashboards";
        }
      ];
    };
  };

  environment.etc."grafana-dashboards/traefik.json" = {
    source = ./dashboards/traefik.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/traefik-access.json" = {
    source = ./dashboards/traefik-access.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/grafana-traefik.json" = {
    source = ./dashboards/grafana-traefik.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/node-exporter.json" = {
    source = ./dashboards/node-exporter.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/promtail.json" = {
    source = ./dashboards/promtail.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/gitea.json" = {
    source = ./dashboards/gitea.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/postgres.json" = {
    source = ./dashboards/postgres.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };

  environment.etc."grafana-dashboards/gatus.json" = {
    source = ./dashboards/gatus.json;
    user = "grafana";
    group = "grafana";
    mode = "0644";
  };
}