{
  config,
  self',
  self,
  ...
}:
let
  d = self.lib.data.services.grafana;
  a = self.lib.data.services.authentik;
in
{
  services.grafana = {
    enable = true;
    settings = {
      analytics.reporting_enable = false;
      "auth.generic_oauth" = {
        name = "central";
        icon = "signin";
        enabled = "true";
        client_id = "89f4607cf446a777a6b25ebde8731cdcb80b04c1";
        client_secret = "89eccaa8a31104c218df5cfe37c87f0ea0bbddcd1571bddb7f7fbf5a09045efd59c61f1caaa79483ad59aac2c19488b254acdaced47e66a6505865a14a63ac4a";
        auth_url = "https://${a.extUrl}/application/o/authorize/";
        token_url = "https://${a.extUrl}/application/o/token/";
        api_url = "https://${a.extUrl}/application/o/userinfo/";
        scopes = "openid profile email";
      };
      "auth" = {
        signout_redirect_url = "https://${a.extUrl}/if/session-end/stathog/";
        disableLoginForm = true;
      };
      security = {
        admin_user = "pyrox";
        admin_password = "$__file{${config.age.secrets.grafana-admin.path}}";
      };
      server = {
        root_url = "https://${d.extUrl}";
        domain = d.extUrl;
        http_port = d.port;
        http_addr = "0.0.0.0";
      };
      smtp = {
        enabled = true;
        user = "grafana@pyrox.dev";
        from_address = "grafana@pyrox.dev";
        host = "mail.pyrox.dev:465";
        password = "$__file{${config.age.secrets.grafana-smtp-password.path}}";
      };
    };
  };
  age.secrets = {
    grafana-admin = {
      file = ./secrets/grafana-admin-password.age;
      owner = "grafana";
      group = "grafana";
    };
    grafana-smtp-password = {
      file = ./secrets/grafana-smtp-password.age;
      owner = "grafana";
      group = "grafana";
    };
  };
  services.anubis.instances.grafana = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}