{
  pkgs,
  config,
  ...
}:
{
  imports = [
    ./grafana.nix
    ./mimir.nix
    ./loki.nix
    ./pve-exporter.nix
  ];

  sops = {
    defaultSopsFile = ../../secrets/passwords.yaml;
    secrets."services/grafana/admin_password" = {
      mode = "0440";
      owner = "grafana";
      group = "grafana";
      restartUnits = [ "grafana.service" ];
    };
    secrets."services/loki/nginx" = {
      mode = "0440";
      owner = "nginx";
      group = "nginx";
      restartUnits = [ "nginx.service" ];
    };
    secrets."services/mimir/nginx" = {
      mode = "0440";
      owner = "nginx";
      group = "nginx";
      restartUnits = [ "nginx.service" ];
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 ];
  networking.usePredictableInterfaceNames = false;

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    logError = "syslog:server=unix:/dev/log,nohostname";
  };

  # DO NOT CHANGE
  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
  home-manager.users.noc.home.stateVersion = "24.11";
  system.stateVersion = "24.11";
}