{ config, ... }:

# NixOS module: Grafana served at saga.datarift.nl, authenticating users
# against the Keycloak realm "datarift" via Grafana's generic OAuth2/OIDC
# provider. Roles are derived from Keycloak's resource_access claim.
let
  grafanaHost = "saga.datarift.nl";

  # Keycloak OIDC endpoints for the realm, shared by every URL below.
  oidcBase = "https://id.datarift.nl/realms/datarift/protocol/openid-connect";

  # Path to the OAuth client secret, managed by sops-nix. Grafana's
  # "$__file{...}" provider reads the value from this file at startup, so the
  # secret never lands in the Nix store or in the generated grafana.ini.
  # Note: "$__file{" is a literal here; only "${...}" is Nix interpolation.
  secretPath = config.sops.secrets.grafana-oauth2-secret.path;

  # JMESPath fragment: does the Keycloak client role `role` appear in the
  # token's resource_access.grafana.roles list?
  hasRole = role: "contains(resource_access.grafana.roles[*], '${role}')";
in
{
  services.grafana = {
    enable = true;

    settings = {
      log.level = "info";

      server = {
        domain = grafanaHost;
        # Reject requests whose Host header does not match `domain`
        # (Grafana redirects them to root_url).
        enforce_domain = true;
        # NOTE(review): binds on every interface. If a reverse proxy on this
        # host terminates TLS, consider "127.0.0.1" or a firewall rule so the
        # plain-HTTP listener is not reachable directly — confirm the
        # deployment topology first.
        http_addr = "0.0.0.0";
        root_url = "https://${grafanaHost}";
      };

      "auth.generic_oauth" = {
        enabled = true;
        name = "Keycloak";
        # Any realm user who can complete the Keycloak login gets a Grafana
        # account created on first sign-in. With the 'Viewer' fallback in
        # role_attribute_path below, that means every realm user can read
        # dashboards — restrict access in Keycloak if that is not intended.
        allow_sign_up = true;
        client_id = "grafana";
        client_secret = "$__file{${secretPath}}";
        use_refresh_token = true;
        # `offline_access` is what makes Keycloak issue a refresh token;
        # `roles` surfaces resource_access.*.roles in the tokens/userinfo.
        scopes = "openid profile email offline_access roles";
        auth_url = "${oidcBase}/auth";
        token_url = "${oidcBase}/token";
        api_url = "${oidcBase}/userinfo";
        # NOTE(review): newer Keycloak versions honour post_logout_redirect_uri
        # only when id_token_hint or client_id is also present on the logout
        # request; verify that Grafana appends id_token_hint for this version,
        # otherwise add "&client_id=grafana".
        signout_redirect_url = "${oidcBase}/logout?post_logout_redirect_uri=https%3A%2F%2F${grafanaHost}%2Flogin";
        # Map Keycloak client roles (most privileged first) to Grafana roles.
        # Users with none of the listed roles still get Viewer.
        role_attribute_path =
          "${hasRole "grafanaadmin"} && 'GrafanaAdmin' || ${hasRole "admin"} && 'Admin' || ${hasRole "editor"} && 'Editor' || 'Viewer'";
        # Lets the 'grafanaadmin' mapping above grant server-admin rights;
        # anyone who can assign that Keycloak client role controls Grafana.
        allow_assign_grafana_admin = true;
        # NOTE(review): consider `use_pkce = true` (Keycloak supports PKCE for
        # confidential clients) as additional protection for the code exchange.
      };
    };
  };
}