{ config, ... }:

let
  domain = "grafana.fablab-nea.de";
  srv = config.services.grafana.settings.server;
in
{
  services.grafana = {
    enable = true;
    settings.server.domain = domain;
  };

  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://${srv.http_addr}:${toString srv.http_port}";
      recommendedProxySettings = true;
    };
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Content-Type-Options "nosniff";
    '';
  };
}