{
  pkgs,
  config,
  modulesPath,
  lib,
  ...
}:
{
  imports = [];

  sops = {
    defaultSopsFile = ../secrets/passwords.yaml;
    secrets."vms"."grafana"."admin_password" = {
      mode = "0440";
      owner = "grafana";
      group = "grafana";
      restartUnits = [ "grafana.service" ];
    };
  };

  # configure static IP address
  networking.useDHCP = false;
  systemd.network = {
    enable = true;
    networks = {
      "10-mgmtNet" = {
        matchConfig.MACAddress = "BC:24:11:FC:C2:26";
        address = [ "10.20.25.4/24" ];
        gateway = [ "10.20.25.2" ];
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 ];

  services.grafana = {
    enable = true;
    security.admin_password = "$__file{${config.sops.secrets.vms.grafana.admin_password.path}}";
    settings.server = {
      domain = "grafana.noc.eh22.intern";
      root_url = "http://grafana.noc.eh22.intern/";
    };
  };

  services.nginx.virtualHosts.${config.services.grafana.domain} = {
    locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
        proxyWebsockets = true;
    };
  };

  # DO NOT CHANGE
  # this defines the first version of NixOS that was installed on the machine so that programs with non-migratable data files are kept compatible
  home-manager.users.noc.home.stateVersion = "24.11";
  system.stateVersion = "24.11"; 
}