let
  port = 3000;
in {

  networking.firewall.allowedTCPPorts = [ port ]; # legacy
  services.nginx.virtualHosts."grafana.shack" = {
    locations."/".proxyPass = "http://localhost:${toString port}";
  };
  services.grafana = {
    enable = true;
    port = port;
    addr = "0.0.0.0";
    users.allowSignUp = true;
    users.allowOrgCreate = true;
    users.autoAssignOrg = true;
    auth.anonymous.enable = true;
    security = import <secrets/grafana_security.nix>;
  };
}