{
  # Compose project name for this monitoring stack.
  # NOTE(review): the `project.name` / `services.<name>.service` layout looks
  # like an Arion composition; confirm against the importing flake/module.
  project.name = "stats";

  # "dmz" is declared external, so it is created and managed outside this
  # project. Presumably it is the network the Traefik reverse proxy is attached
  # to; verify. Only services that must be reachable through the proxy should
  # join it.
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  # Project-scoped network with default settings. It is not marked with
  # compose's `internal: true`, so containers attached to it keep outbound
  # connectivity through the host.
  networks.internal = {};

  services = {
    # Grafana dashboard UI, published through Traefik and authenticated via
    # generic OAuth against authentik.
    grafana.service = {
      # Pinned by tag, not by digest; a re-pushed tag would be pulled silently.
      image = "grafana/grafana:10.4.4";
      # Run as uid 1000 instead of the image default; the bind-mounted
      # grafana_data directory must be writable by this uid.
      user = "1000";
      container_name = "grafana";
      # No `ports` are published: port 3000 is only reachable over the attached
      # Docker networks, with Traefik routing the public hostname to it.
      labels = {
        "traefik.enable" = "true";

        "traefik.http.services.grafana.loadbalancer.server.port" = "3000";
        "traefik.http.routers.grafana.service" = "grafana";
        "traefik.http.routers.grafana.rule" = "Host(`grafana.ghoscht.com`)";
        # Router is bound to the "websecure" entrypoint with TLS enabled and a
        # certificate from the "letsencrypt" resolver.
        "traefik.http.routers.grafana.entrypoints" = "websecure";
        "traefik.http.routers.grafana.tls" = "true";
        "traefik.http.routers.grafana.tls.certresolver" = "letsencrypt";
      };
      environment = {
        # Must match the public URL so OAuth redirect URIs are generated correctly.
        GF_SERVER_ROOT_URL = "https://grafana.ghoscht.com";

        # Generic OAuth login via authentik. No client id or secret appears in
        # this file; presumably they are supplied through env_file below, which
        # keeps them out of the Nix expression. Verify.
        GF_AUTH_GENERIC_OAUTH_NAME = "authentik";
        GF_AUTH_GENERIC_OAUTH_ENABLED = "true";
        # With sign-up allowed, a Grafana account is created on first login for
        # every identity the IdP lets through. Access control then depends on
        # the authentik application's bindings, since no
        # GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH or
        # GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS is set here.
        # NOTE(review): confirm who may reach this application in authentik.
        GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP = "true";
        GF_AUTH_GENERIC_OAUTH_SCOPES = "openid profile email";
        GF_AUTH_GENERIC_OAUTH_AUTH_URL = "https://auth.ghoscht.com/application/o/authorize/";
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL = "https://auth.ghoscht.com/application/o/token/";
        GF_AUTH_GENERIC_OAUTH_API_URL = "https://auth.ghoscht.com/application/o/userinfo/";

        # NOTE(review): GF_AUTH_DISABLE_LOGIN_FORM is not set in this block, so
        # the built-in username/password form may still be exposed on the public
        # hostname unless grafana.env disables it. Confirm, and make sure the
        # default admin password has been changed.
        # GF_AUTH_OAUTH_AUTO_LOGIN = "true";
      };
      # Host-side env file, not shown here.
      # NOTE(review): if it holds the OAuth client secret, restrict it to the
      # owning user (mode 0600).
      env_file = [
        "/home/ghoscht/.docker/stats/grafana.env"
      ];
      volumes = [
        "/home/ghoscht/.docker/stats/grafana_data:/var/lib/grafana"
      ];
      # Grafana is the only service in this file attached to both networks, so
      # it is the bridge between the proxy-facing network and the backends.
      networks = [
        "dmz"
        "internal"
      ];
    };
    # Loki log store. Configuration is read from the bind-mounted /etc/loki.
    loki.service = {
      image = "grafana/loki:3.0.0";
      # Host directory mounted read-write over /etc/loki; it must contain
      # loki-config.yml (see `command`).
      volumes = [
        "/home/ghoscht/.docker/stats/loki_data:/etc/loki"
      ];
      # NOTE(review): with no host address given, Docker publishes 3100 on all
      # host interfaces. Loki ships without an authentication layer of its own,
      # so anything that can reach host:3100 can push and query logs unless a
      # firewall or authenticating proxy sits in front. If only containers on
      # "internal" talk to Loki, this mapping can be dropped; if a host-local
      # client needs it, "127.0.0.1:3100:3100" narrows the exposure.
      ports = [
        "3100:3100"
      ];
      command = "-config.file=/etc/loki/loki-config.yml";
      networks = [
        "internal"
      ];
    };
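    # Promtail log shipper: tails host log files and queries the Docker API
    # for container discovery, using the bind-mounted promtail-config.yml.
    promtail.service = {
      image = "grafana/promtail:3.0.0";
      volumes = [
        # Logs are only read, so the host log directory is mounted read-only
        # (least privilege: a compromised shipper cannot alter or erase logs).
        # NOTE(review): confirm promtail-config.yml does not place its
        # positions file under /var/log.
        "/var/log:/var/log:ro"
        # `:ro` on a socket bind mount only protects the socket file itself; it
        # does not restrict which Docker API calls can be made over it. Access
        # to this socket is effectively root on the host, so treat this
        # container as highly privileged. A filtering socket proxy limited to
        # read-only endpoints would reduce that.
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        # The configuration file is never written by the container.
        "/home/ghoscht/.docker/stats/promtail_data/promtail-config.yml:/etc/promtail/promtail-config.yml:ro"
      ];
      command = "-config.file=/etc/promtail/promtail-config.yml";
      # No published ports; only reachable on the project-internal network.
      networks = [
        "internal"
      ];
    };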
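    # Prometheus metrics store. No ports are published, so the unauthenticated
    # web UI/API is reachable only from containers on "internal".
    prometheus.service = {
      image = "prom/prometheus:v2.53.0";
      volumes = [
        # Scrape configuration is only read by the server, so it is mounted
        # read-only. A compromised container cannot rewrite its own targets.
        "/home/ghoscht/.docker/stats/prometheus_config/prometheus.yml:/etc/prometheus/prometheus.yml:ro"
        # Data directory stays writable.
        "/home/ghoscht/.docker/stats/prometheus_data:/prometheus"
      ];
      # Setting `command` replaces the image's default arguments, so every flag
      # the deployment relies on has to be listed here.
      command = [
        "--config.file=/etc/prometheus/prometheus.yml"
        "--web.console.libraries=/etc/prometheus/console_libraries"
        "--web.console.templates=/etc/prometheus/consoles"
      ];
      networks = [
        "internal"
      ];
    };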
    # node-exporter: host metrics read from the host's /proc, /sys and root
    # filesystem, which are bind-mounted read-only into the container.
    node-exporter.service = {
      image = "prom/node-exporter:v1.8.1";
      volumes = [
        "/proc:/host/proc:ro"
        "/sys:/host/sys:ro"
        # The whole host filesystem is visible (read-only) inside this
        # container. Files are still subject to the container user's
        # permissions, but anything world-readable on the host is readable
        # here, so keep this service off externally reachable networks.
        "/:/rootfs:ro"
      ];
      command = [
        "--path.procfs=/host/proc"
        "--path.rootfs=/rootfs"
        "--path.sysfs=/host/sys"
        # `$$` is the compose escape for a literal `$`, so the regex the
        # exporter receives ends in `($|/)`.
        "--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)"
      ];
      # No published ports; the metrics endpoint is only reachable from
      # containers on "internal".
      networks = [
        "internal"
      ];
    };
    # cadvisor.service = {
    #   image = "gcr.io/cadvisor/cadvisor:v0.49.1";
    #   volumes = [
    #     "/:/rootfs:ro"
    #     "/var/run:/var/run:ro"
    #     "/sys:/sys:ro"
    #     "/var/lib/docker:/var/lib/docker:ro"
    #     "/dev/disk:/dev/disk:ro"
    #   ];
    #   devices = ["/dev/kmsg"];
    #   networks = [
    #     "internal"
    #   ];
    # };
  };
}