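# NixOS module for the "stats" stack: registers the arion project, renders the
# Grafana OAuth credentials into an env file via sops-nix, installs the Loki
# Docker logging plugin, and makes Loki the Docker daemon's default log driver.
{config, ...}: let
  # Shared host variables; only `vars.user` is read in this module.
  vars = import ../../../../vars.nix;
in {
  # The compose definition itself lives in ./arion-compose.nix.
  virtualisation.arion = {
    projects.stats.settings = {
      imports = [./arion-compose.nix];
    };
  };

  # OIDC client credentials, decrypted by sops-nix and owned by the stack user.
  sops.secrets."stats/oidc_client_id" = {
    owner = vars.user;
  };
  sops.secrets."stats/oidc_client_secret" = {
    owner = vars.user;
  };

  # Env file carrying Grafana's generic-OAuth client id and secret.
  # Presumably referenced as an env_file from arion-compose.nix; verify there.
  sops.templates."grafana.env" = {
    path = "/home/${vars.user}/.docker/stats/grafana.env";
    owner = vars.user;
    # The rendered file holds the OIDC client secret in clear text, so it must
    # be readable by its owner only. The previous "0775" made it readable by
    # every local account and also set write/execute bits that a data file
    # never needs. If another account has to read it, grant that through the
    # template's group rather than through the world bits.
    mode = "0400";
    content = ''
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID="${config.sops.placeholder."stats/oidc_client_id"}"
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${config.sops.placeholder."stats/oidc_client_secret"}"
    '';
  };

  # One-shot unit that installs the Loki logging plugin when `docker plugin ls`
  # shows no entry containing "loki".
  #
  # NOTE(review): the plugin is pulled by the mutable `:latest` tag and
  # installed with --grant-all-permissions, so whatever the registry serves at
  # install time runs with every privilege the plugin requests. Pin a reviewed
  # version tag or image digest here, and check the requested privileges when
  # bumping it.
  # NOTE(review): the unit is ordered after network.target only; confirm the
  # Docker daemon is reachable when it runs.
  systemd.services.add-loki-logging-driver = {
    description = "Add grafana loki docker driver";
    after = ["network.target"];
    wantedBy = ["multi-user.target"];

    serviceConfig.Type = "oneshot";
    script = let
      dockercli = "${config.virtualisation.docker.package}/bin/docker";
    in ''
      # Put a true at the end to prevent getting non-zero return code, which will
      # crash the whole service.
      check=$(${dockercli} plugin ls | grep "loki" || true)
      if [ -z "$check" ]; then
        ${dockercli} plugin install grafana/loki-docker-driver:latest --alias loki --grant-all-permissions
      else
        echo "loki docker driver already exists in docker"
      fi
    '';
  };

  # Daemon-wide logging: containers use the "loki" driver (the alias given to
  # the plugin above) unless they override it.
  virtualisation.docker.daemon.settings = {
    # NOTE(review): daemon debug logging is verbose and can put request
    # details into the journal; consider enabling it only while
    # troubleshooting.
    debug = true;
    log-driver = "loki";
    log-opts = {
      # Plain HTTP to the loopback interface. Container output, including
      # anything sensitive a container prints, is shipped to this endpoint;
      # use TLS and authentication if Loki is ever moved off this host.
      loki-url = "http://localhost:3100/loki/api/v1/push";
      loki-batch-size = "400";
      loki-max-backoff = "800ms";
      loki-retries = "2";
      loki-timeout = "1s";
      # Keep the local json log files in addition to pushing to Loki.
      keep-file = "true";
    };
  };
}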