homelab/modules/nixos/services/grafana.nix

# modules/services/grafana.nix
{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  cfg = config.services.grafana;
  helpers = import ../lib/helpers.nix {inherit lib;};
in {
  options.services.grafana = {
    enable = mkEnableOption "Grafana monitoring dashboard";
    port = mkOption {
      type = types.port;
      default = 3000;
      description = "Grafana web interface port";
    };
    adminPassword = mkOption {
      type = types.str;
      description = "Admin password for Grafana";
    };
  };

  config = mkIf cfg.enable {
    services.grafana = {
      enable = true;
      settings = {
        server = {
          http_port = cfg.port;
          domain = "${config.homelab.global.hostname}.${config.homelab.global.domain}";
        };
        security = {
          admin_password = cfg.adminPassword;
        };
      };
    };

    homelab.global = {
      backups.jobs = [
        {
          name = "grafana-data";
          backend = "restic";
          paths = ["/var/lib/grafana"];
          schedule = "daily";
          excludePatterns = ["*/plugins/*" "*/png/*"];
        }
      ];

      reverseProxy.entries = [
        {
          subdomain = "grafana";
          port = cfg.port;
          enableAuth = false; # Grafana handles its own auth
        }
      ];

      monitoring.endpoints = [
        {
          name = "grafana";
          port = cfg.port;
          path = "/metrics";
          jobName = "grafana";
          labels = {
            service = "grafana";
            type = "monitoring";
          };
        }
      ];
    };
  };
}