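# NixOS module for the NOC Grafana host: sops-managed admin password, static
# management-network IP, local PostgreSQL, and Grafana bound to loopback and
# published only through an nginx reverse proxy on port 80.
{
  pkgs,
  config,
  ...
}:
{
  imports = [ ];

  sops = {
    defaultSopsFile = ../secrets/passwords.yaml;
    # Grafana reads the decrypted file via $__file{...} below, so only the
    # grafana user/group need read access; nothing else on the box does.
    secrets."services/grafana/admin_password" = {
      mode = "0440";
      owner = "grafana";
      group = "grafana";
      # Restart Grafana whenever the decrypted secret changes.
      # NOTE(review): Grafana applies admin_password only when the admin user is
      # first created; rotating this secret will not reset an existing admin's
      # password -- confirm before relying on rotation alone.
      restartUnits = [ "grafana.service" ];
    };
  };

  # Static address on the management network via systemd-networkd (no DHCP).
  networking.useDHCP = false;
  systemd.network = {
    enable = true;
    networks = {
      "10-mgmtNet" = {
        matchConfig.MACAddress = "BC:24:11:FC:C2:26";
        address = [ "10.20.25.4/24" ];
        gateway = [ "10.20.25.2" ];
      };
    };
  };

  # Only the nginx front end is reachable from the network; Grafana (2342) and
  # PostgreSQL are not exposed. No TLS is terminated on this host (root_url is
  # http, only 80 is open), so the admin login crosses the management network
  # in clear text -- acceptable only if that network is trusted.
  networking.firewall.allowedTCPPorts = [ 80 ];

  services = {
    grafana = {
      enable = true;
      settings = {
        # Read at startup from the sops-decrypted file instead of being baked
        # into the world-readable Nix store.
        security.admin_password = "$__file{${config.sops.secrets."services/grafana/admin_password".path}}";

        server = {
          domain = "grafana.noc.eh22.intern";
          root_url = "http://grafana.noc.eh22.intern/";
          # Loopback only; nginx is the sole entry point.
          http_addr = "127.0.0.1";
          http_port = 2342;
        };

        database = {
          type = "postgres";
          user = "grafana";
          # Local Unix socket directory; no database password is configured
          # here, so this relies on the local socket authentication rules of
          # the postgresql module.
          host = "/run/postgresql";
        };
      };
    };

    postgresql = {
      enable = true;
      ensureDatabases = [ "grafana" ];
      ensureUsers = [
        {
          name = "grafana";
          ensureDBOwnership = true;
        }
      ];
    };

    nginx = {
      enable = true;
      # Forward Host / X-Real-IP / X-Forwarded-* to the upstream. Without these
      # Grafana sees every request as coming from 127.0.0.1, so login-failure
      # and audit logs carry no usable client address.
      recommendedProxySettings = true;
      virtualHosts.${config.services.grafana.settings.server.domain} = {
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
          proxyWebsockets = true;
        };
      };
    };
  };

  # DO NOT CHANGE
  # Records the NixOS release first installed on this machine so that programs
  # with non-migratable data files keep their on-disk format compatible.
  home-manager.users.noc.home.stateVersion = "24.11";
  system.stateVersion = "24.11";
}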