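# NixOS module: Grafana served over HTTPS on the tailnet, using the
# certificate/key that tailscale-cert.service writes to
# /var/lib/tailscale-certs.
{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # Tailnet hostname Grafana is reachable at; also used as the listen address
  # so the server is only bound on the tailnet interface.
  fqdn = "bolty.raptor-carp.ts.net";
  port = 30001;
  # Grafana's data directory. The TLS material is staged inside it so the
  # grafana user can read it without access to /var/lib/tailscale-certs.
  path = "/data/grafana";
  certPath = "${path}/cert.pem";
  keyPath = "${path}/key.pem";
in {
  networking.firewall.allowedTCPPorts = [port];

  # Oneshot that copies the tailscale cert/key into Grafana's data dir and
  # fixes mode and ownership before grafana.service starts.
  systemd.services.grafana-prep = {
    script = ''
      mkdir -p ${path}
      cp -v /var/lib/tailscale-certs/cert.pem ${certPath}
      cp -v /var/lib/tailscale-certs/key.pem ${keyPath}
      # cp inherits the source mode (masked by the umask), so the private
      # key's mode is not under our control unless set explicitly.
      chmod -v 0644 ${certPath}
      chmod -v 0600 ${keyPath}
      chown -Rv grafana:grafana ${path}
    '';
    serviceConfig = {
      Type = "oneshot";
    };
    # ReloadPropagatedFrom= is a [Unit] section option; placed under
    # serviceConfig it ends up in [Service], where systemd ignores it as an
    # unknown key.
    unitConfig = {
      ReloadPropagatedFrom = "tailscale-cert.service";
    };
    before = ["grafana.service"];
    wantedBy = ["multi-user.target"];
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
    ];
    # after=network-online.target only orders; the target must also be
    # wanted to be activated at all.
    wants = [
      "network-online.target"
      "tailscale-cert.service"
    ];
  };

  # Ordering only: the cert/key staging and tailscale auth must have run
  # before Grafana tries to open the TLS files.
  systemd.services.grafana = {
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
      "tailscale-auth.service"
    ];
  };

  services.grafana = {
    enable = true;
    dataDir = path;
    settings.server = {
      protocol = "https";
      domain = fqdn;
      http_port = port;
      # Bind to the tailnet hostname rather than all interfaces.
      http_addr = fqdn;
      cert_file = certPath;
      cert_key = keyPath;
    };
  };
}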