{ config, pkgs, ... }:

{
  services.nginx = {
    upstreams.grafana.servers."localhost:3000" = {};
    virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
      default = true;
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;
      #auth_basic "Administrator’s Area";
      #auth_basic_user_file ${config.age.secrets.grafana-basic-auth.path};
      locations = {
        #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
        "/" = {
          recommendedProxySettings = true;
          proxyPass = "http://grafana";
        };
        "/api/live/" = {
          recommendedProxySettings = true;
          proxyWebsockets = true;
          proxyPass = "http://grafana";
        };
      };
    };
  };
}