flatpak: enabled flatpak for castle

flake.lock

@@ -420,6 +420,21 @@
         "type": "github"
       }
     },
+    "nix-flatpak": {
+      "locked": {
+        "lastModified": 1721549352,
+        "narHash": "sha256-nlXJa8RSOX0kykrIYW33ukoHYq+FOSNztHLLgqKwOp8=",
+        "owner": "gmodena",
+        "repo": "nix-flatpak",
+        "rev": "dbce39ea8664820ba9037caaf1e2fad365ed6b4b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gmodena",
+        "repo": "nix-flatpak",
+        "type": "github"
+      }
+    },
     "nix-index-database": {
       "inputs": {
         "nixpkgs": [
@@ -539,6 +554,7 @@
         "hyprland": "hyprland",
         "hyprland-contrib": "hyprland-contrib",
         "neovim-nightly-overlay": "neovim-nightly-overlay",
+        "nix-flatpak": "nix-flatpak",
         "nix-index-database": "nix-index-database",
         "nixpkgs": "nixpkgs_3",
         "nixpkgs-unstable": "nixpkgs-unstable",

flake.nix

@@ -18,6 +18,7 @@
     neovim-nightly-overlay = {
       url = "github:nix-community/neovim-nightly-overlay";
     };
+    nix-flatpak.url = "github:gmodena/nix-flatpak";
     hyprland-contrib = {
       url = "github:hyprwm/contrib";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -51,11 +52,13 @@
     , neovim-nightly-overlay
     , nix-index-database
     , rust-overlay
+    , nix-flatpak
     , ...
     }:
     let
       commonModules = [
         nur.nixosModules.nur
+        nix-flatpak.nixosModules.nix-flatpak
         home-manager.nixosModules.home-manager
         nix-index-database.nixosModules.nix-index
         {

hardware-configuration/homeserver.nix

@@ -41,6 +41,16 @@
       "bind"
     ];
   };
+  fileSystems."/nas/public/Public" = {
+    device = "/nas/Syncthing/Sync/Public";
+    fsType = "auto";
+    options = [
+      "defaults"
+      "nofail"
+      "nobootwait"
+      "bind"
+    ];
+  };
 
   swapDevices = [ ];
 
@@ -86,6 +96,7 @@
   };
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.enableAllFirmware = true;
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   hardware.opengl = {
     enable = true;

home/modules/hyprland/hyprland.nix

@@ -227,7 +227,7 @@ in
         ];
       };
       extraConfig = /*hyprlang*/ ''
-        exec-once=dbus-update-activation-enviroment --all
+        exec-once=dbus-update-activation-environment --all
         exec-once=${gnome-keyring.path} ${config.sops.secrets."gnome-keyring/${config.home.username}".path}
         exec-once=foot --server
 

home/programs/yazi.nix

@@ -5,32 +5,31 @@ let
 in
 {
   config = mkIf cfg.enable {
-
     programs.yazi = {
       enable = true;
       enableZshIntegration = true;
       keymap = {
         manager.prepend_keymap = [
-          {
+          # {
-            on = [ "m" ];
+          #   on = [ "m" ];
-            run = "plugin bookmarks --args=save";
+          #   run = "plugin bookmarks --args=save";
-            desc = "Save current position as a bookmark";
+          #   desc = "Save current position as a bookmark";
-          }
+          # }
-          {
+          # {
-            on = [ "'" ];
+          #   on = [ "'" ];
-            run = "plugin bookmarks --args=jump";
+          #   run = "plugin bookmarks --args=jump";
-            desc = "Jump to a bookmark";
+          #   desc = "Jump to a bookmark";
-          }
+          # }
-          {
+          # {
-            on = [ "b" "d" ];
+          #   on = [ "b" "d" ];
-            run = "plugin bookmarks --args=delete";
+          #   run = "plugin bookmarks --args=delete";
-            desc = "Delete a bookmark";
+          #   desc = "Delete a bookmark";
-          }
+          # }
-          {
+          # {
-            on = [ "b" "D" ];
+          #   on = [ "b" "D" ];
-            run = "plugin bookmarks --args=delete_all";
+          #   run = "plugin bookmarks --args=delete_all";
-            desc = "Delete all bookmarks";
+          #   desc = "Delete all bookmarks";
-          }
+          # }
         ];
       };
       settings = {
@@ -80,6 +79,12 @@ in
             { name = "*"; use = "open"; }
           ];
         };
+        plugin = {
+          prepend_previewers = [
+            { mime = "{image,audio,video}/*"; run = "mediainfo"; }
+            { mime = "application/x-subrip"; run = "mediainfo"; }
+          ];
+        };
       };
     };
     home.file = {
@@ -92,22 +97,31 @@ in
           sha256 = "sha256-TSmZwy9jhf0D+6l4KbNQ6BjHbL0Vfo/yL3wt8bjo/EM=";
         };
       };
-      ".config/yazi/init.lua".text = /*lua*/ ''
+      ".config/yazi/plugins/mediainfo.yazi" = {
-        require("bookmarks"):setup({
+        recursive = true;
-            last_directory = { enable = false, persist = false },
+        source = pkgs.fetchFromGitHub {
-            persist = "none",
+          owner = "Ape";
-            desc_format = "full",
+          repo = "mediainfo.yazi";
-            notify = {
+          rev = "c69314e80f5b45fe87a0e06a10d064ed54110439";
-                enable = false,
+          hash = "sha256-8xdBPdKSiwB7iRU8DJdTHY+BjfR9D3FtyVtDL9tNiy4=";
-                timeout = 1,
+        };
-                message = {
+      };
-                    new = "New bookmark '<key>' -> '<folder>'",
+      # ".config/yazi/init.lua".text = /*lua*/ ''
-                    delete = "Deleted bookmark in '<key>'",
+      #   require("bookmarks"):setup({
-                    delete_all = "Deleted all bookmarks",
+      #       last_directory = { enable = false, persist = false },
-                },
+      #       persist = "none",
-            },
+      #       desc_format = "full",
-        })
+      #       notify = {
-      '';
+      #           enable = false,
+      #           timeout = 1,
+      #           message = {
+      #               new = "New bookmark '<key>' -> '<folder>'",
+      #               delete = "Deleted bookmark in '<key>'",
+      #               delete_all = "Deleted all bookmarks",
+      #           },
+      #       },
+      #   })
+      # '';
     };
   };
 }

home/programs/zsh.nix

@@ -30,11 +30,11 @@ in
     shellAliases = {
       ls = "${pkgs.eza}/bin/eza -lah";
       cat = "${pkgs.bat}/bin/bat";
-      update = "sudo nixos-rebuild switch --flake $HOME/dotfiles";
+      update = "nh os switch";
-      superupdate = "(cd $HOME/dotfiles && nix flake update && sudo nixos-rebuild switch --flake $HOME/dotfiles)";
+      superupdate = "nh os switch --update";
+      uptest = "nh os test";
       lg = "${pkgs.lazygit}/bin/lazygit";
       du = "${pkgs.dust}/bin/dust";
-      uptest = "sudo nixos-rebuild test --flake $HOME/dotfiles";
       dry = "sudo nixos-rebuild dry-activate --flake $HOME/dotfiles";
       jq = "${pkgs.gojq}/bin/gojq";
       n = lib.mkIf config.profile.neovide.enable "neovide";

options/default.nix

@@ -8,6 +8,7 @@
     ./services.nix
     ./games.nix
     ./environments.nix
+    ./flatpak.nix
   ];
   options.profile = {
 
@@ -63,7 +64,6 @@
     android.enable = lib.mkEnableOption "android";
     avahi.enable = lib.mkEnableOption "avahi";
     bluetooth.enable = lib.mkEnableOption "bluetooth";
-    flatpak.enable = lib.mkEnableOption "flatpak";
     gnome.enable = lib.mkEnableOption "gnome";
     kde.enable = lib.mkEnableOption "kde";
     networking.firewall = {

options/flatpak.nix

@@ -0,0 +1,10 @@
+{ lib, ... }:
+let
+  inherit (lib) mkEnableOption;
+in
+{
+  options.profile.flatpak = {
+    enable = mkEnableOption "flatpak";
+    zen-browser.enable = mkEnableOption "zen-browser";
+  };
+}

options/services.nix

@@ -22,5 +22,29 @@ in
     wireguard.enable = mkEnableOption "wireguard";
     photoprism.enable = mkEnableOption "photoprism";
     navidrome.enable = mkEnableOption "navidrome";
+
+    telemetry = {
+      enable = mkEnableOption "telemetry";
+      grafana.enable = mkOption {
+        type = types.bool;
+        default = config.profile.services.telemetry.enable;
+      };
+      loki.enable = mkOption {
+        type = types.bool;
+        default = config.profile.services.telemetry.enable;
+      };
+      promtail.enable = mkOption {
+        type = types.bool;
+        default = config.profile.services.telemetry.enable;
+      };
+      tempo.enable = mkOption {
+        type = types.bool;
+        default = config.profile.services.telemetry.enable;
+      };
+      minio.enable = mkOption {
+        type = types.bool;
+        default = config.profile.services.telemetry.enable;
+      };
+    };
   };
 }

profiles/castle.nix

@@ -75,6 +75,11 @@ in
     dbeaver.enable = true;
     kde.enable = false;
 
+    flatpak = {
+      enable = true;
+      zen-browser.enable = true;
+    };
+
     microsoft-edge.enable = true;
     nextcloud.enable = false;
 

profiles/homeserver.nix

@@ -69,6 +69,7 @@
       wireguard.enable = true;
       photoprism.enable = true;
       navidrome.enable = true;
+      telemetry.enable = true;
     };
   };
 }

secrets/telemetry.yaml

@@ -0,0 +1,31 @@
+grafana:
+    admin_user: ENC[AES256_GCM,data:pg3WnfsF8L+/Tg==,iv:wh8VM567ClsFz7GS00OCh9kx3HZCz5GZ/BaTtOt3ksk=,tag:k6mJiktl1Met6Kzl738jpQ==,type:str]
+    admin_password: ENC[AES256_GCM,data:EFJfC78YtBLF5CIxLLhN9deZYcSL7/EfS4w=,iv:qrNi3WsRD26W5L67Fxch7qasEUh9vTj6HUWZs5PGz4o=,tag:bxW1CJyXOcz/pgN39ncQ+w==,type:str]
+    admin_email: ENC[AES256_GCM,data:2cvoq65K2/mdDuykkPVZryDJeNCK,iv:rU4jUYm+3dcvx1KooN9mWQDoovn7t+V7z1eU1m7VagE=,tag:Bhdbiq4BXO3nDwG9StUOkQ==,type:str]
+    secret_key: ENC[AES256_GCM,data:f4f1YF27VU/893HASHmCVL8vnsJEaHD33GOdFVpMj81MOutXqb7d03Hb1DYkDV3aMVmEdpvBcFK3SpZdFma3,iv:q6d59H1PniaVhw6tbd1maCelEGlAC4y2i38jMZ9Jn/Q=,tag:uSbCRstKy7C4Vwp+/FxF/Q==,type:str]
+loki:
+    caddy:
+        basic_auth:
+            username: ENC[AES256_GCM,data:MRwky3O8LGS/4w==,iv:CUHjGRNc8NU5FqhqvpqbATmVE3Kg9Z0jMBFlzsAwON0=,tag:uZlxw9skd0VNLfZTJ/6ZSQ==,type:str]
+            #ENC[AES256_GCM,data:t+u4g7nvpq2U27CHgmu1xi2Ppwv7cJf1s6Et,iv:LtwoPoxsQn1MujHRoD6SqDLm8uN4uBpuIVmn23DDgjI=,tag:PKOHF5vcQzHszpp1sfuU0Q==,type:comment]
+            password: ENC[AES256_GCM,data:GcQ6x8ewxInmAcQwhhwJgXMHxd/ygkscsp2vg7PILEeaOv1heBX0fTHb0sRyAfhLxwKDH84LtGb37656,iv:UEQ7dgqNEKisalpPXFffsVzn6kXDt9DmJP6ec3LOHRE=,tag:CyPPqG2Vf8eeSVzAASintQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1KzFkak5QQ01MUVV0djVH
+            cXlveDhxU3RRelhNL3JQbE1xVWNlaFYzem40CmtGYlpZMTJPS2lKUGl2Vy9CVW5j
+            bFoyNVlJM1lmSGhSM2lGREN3N3VXWTAKLS0tIE9xWFpoTUdrVVBtOS9lckRXWGc1
+            bzYzSEQrRkN6WVVmN254a2NCcUxGVFkK4aHv8tiFiNEnd7I5LB0Jd/4upkEEEXis
+            9A5hdTn20EqL62QuHeYRav1TRu42dp+R4iZAlVl9cRzThkzZKJdHlg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-29T05:57:46Z"
+    mac: ENC[AES256_GCM,data:JGrZUe8PLjlcHULvVa8Yi8ORAW5bMKOMxSGbJ2UFji9byRGu+JHaU7gdF45lrR5XKxJZLmZesWI9fRjsnlEd9WDTEroiwFo965mYFcdmbrJb37BIRO6Thy6C77GXMNcOVW2hBgcVDckNIbAk3qgvVG2QOZ5VKwxPLVQPsfWfCFs=,iv:Do05RY+cgahdv8/Nk6RIOxBA6x28GxyErrgSQRoIR80=,tag:HoqhdhZmcS3QxXGfZyxfFw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

system/default.nix

@@ -1,8 +1,9 @@
-{ hardware-configuration, profile-path, config, ... }:
+{ hardware-configuration, profile-path, config, pkgs, ... }:
 {
   imports = [
     profile-path
     hardware-configuration
+    ./flatpak
     ./modules
     ./services
     ./podman
@@ -25,11 +26,11 @@
     connect-timeout = 5
   '';
 
-  nix.gc = {
+  # nix.gc = {
-    automatic = true;
+  #   automatic = true;
-    dates = "weekly";
+  #   dates = "weekly";
-    options = "--delete-older-than 7d";
+  #   options = "--delete-older-than 7d";
-  };
+  # };
 
   i18n.defaultLocale = "en_US.UTF-8";
 
@@ -65,4 +66,19 @@
       RestartSec = "10s";
     };
   };
+
+  programs.nh = {
+    enable = true;
+    clean.enable = true;
+    clean.extraArgs = "--keep-since 4d --keep 3";
+    flake = "/home/${config.profile.user.name}/dotfiles";
+  };
+
+  environment.variables.FLAKE = "/home/${config.profile.user.name}/dotfiles";
+
+  environment.systemPackages = with pkgs; [
+    # Tools for nh
+    nix-output-monitor
+    nvd
+  ];
 }

system/flatpak/default.nix

@@ -0,0 +1,19 @@
+{ config, lib, ... }:
+let
+  cfg = config.profile.flatpak;
+  inherit (lib.lists) optional;
+in
+{
+  config = lib.mkIf cfg.enable {
+    fonts.fontDir.enable = true;
+    services.flatpak = {
+      enable = true;
+      update.auto = {
+        enable = true;
+        onCalendar = "weekly"; # Default value
+      };
+      packages = [ ]
+        ++ optional cfg.zen-browser.enable "io.github.zen_browser.zen";
+    };
+  };
+}

system/modules/default.nix

@@ -7,7 +7,6 @@
     ./bluetooth.nix
     ./boot_loader.nix
     ./brightnessctl.nix
-    ./flatpak.nix
     ./font.nix
     ./gnome.nix
     ./hyprland.nix

system/modules/flatpak.nix

@@ -1,55 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.profile.flatpak;
-in
-{
-  config = lib.mkIf cfg.enable {
-    # Allow flatpak to access fonts
-    fonts.fontDir.enable = true;
-
-    services.flatpak.enable = true;
-    # system.fsPackages = [ pkgs.bindfs ];
-
-    # Allows user installed fonts to be accessed by flatpak
-    # fileSystems =
-    #   let
-    #     mkRoSymBind = path: {
-    #       device = path;
-    #       fsType = "fuse.bindfs";
-    #       options = [ "ro" "resolve-symlinks" "x-gvfs-hide" ];
-    #     };
-    #     aggregatedFonts = pkgs.buildEnv {
-    #       name = "system-fonts";
-    #       paths = config.fonts.packages;
-    #       pathsToLink = [ "/share/fonts" ];
-    #     };
-    #   in
-    #   {
-    #     # Create an FHS mount to support flatpak host icons/fonts
-    #     "/usr/share/icons" = mkRoSymBind (config.system.path + "/share/icons");
-    #     "/usr/share/fonts" = mkRoSymBind (aggregatedFonts + "/share/fonts");
-    #   };
-
-    xdg.portal = {
-      enable = true;
-      xdgOpenUsePortal = true;
-      # extraPortals = with pkgs; [
-      #   # xdg-desktop-portal-gtk
-      #   # xdg-desktop-portal-kde
-      #   # xdg-desktop-portal-gnome
-      # ];
-    };
-
-    # Auto update flatpak every boot with systemd
-    # systemd.services.flatpak-update = {
-    #   wantedBy = [ "multi-user.target" ];
-    #   after = [ "network-online.target" ];
-    #   wants = [ "network-online.target" ];
-    #   description = "Auto update flatpak every boot after network is online";
-    #   serviceConfig = {
-    #     Type = "oneshot";
-    #     ExecStart = ''${pkgs.flatpak}/bin/flatpak update --assumeyes --noninteractive --system'';
-    #   };
-    # };
-  };
-}

system/modules/sway.nix

@@ -2,11 +2,11 @@
 let
   dbus-sway-environment = pkgs.writeTextFile {
     name = "dbus-sway-environment";
-    destination = "/bin/dbus-sway-enviroment";
+    destination = "/bin/dbus-sway-environment";
     executable = true;
 
     text = ''
-      dbus-update-activation-enviroment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
+      dbus-update-activation-environment --systemd WAYLAND_DISPLAY XDG_CURRENT_DESKTOP=sway
       systemctl --user stop pipewire pipewire-media-session xdg-desktop-portal xdg-desktop-portal-wlr
       systemctl --user start pipewire pipewire-media-session xdg-desktop-portal xdg-desktop-portal-wlr
     '';

system/modules/yazi.nix

@@ -1,10 +1,14 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   cfg = config.profile.programs.yazi;
   inherit (lib) mkIf;
 in
 {
   config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      mediainfo
+      ffmpegthumbnailer
+    ];
     programs.yazi = {
       enable = true;
       settings = {

system/services/default.nix

@@ -1,6 +1,8 @@
 { ... }:
 {
   imports = [
+    ./telemetry
+
     ./caddy.nix
     ./cockpit.nix
     ./forgejo.nix

system/services/syncthing.nix

@@ -143,6 +143,26 @@ in
               "living-room-system"
             ];
           };
+          "/nas/Syncthing/Sync/General" = {
+            label = "General";
+            id = "General";
+            devices = [
+              "s20fe"
+              "work-laptop"
+              "windows"
+              "living-room-system"
+            ];
+          };
+          "/nas/Syncthing/Sync/Public" = {
+            label = "Public";
+            id = "Public";
+            devices = [
+              "s20fe"
+              "work-laptop"
+              "windows"
+              "living-room-system"
+            ];
+          };
         };
         devices = {
           s20fe = {

system/services/telemetry/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./grafana.nix
+    ./loki.nix
+  ];
+}

system/services/telemetry/grafana.nix

@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.profile.services.telemetry.grafana;
+  inherit (lib) mkIf;
+  grafanaDomain = "grafana.tigor.web.id";
+in
+{
+  config = mkIf cfg.enable {
+    sops.secrets =
+      let
+        opts = {
+          sopsFile = ../../../secrets/telemetry.yaml;
+          owner = "grafana";
+        };
+      in
+      {
+        "grafana/admin_user" = opts;
+        "grafana/admin_password" = opts;
+        "grafana/admin_email" = opts;
+        "grafana/secret_key" = opts;
+      };
+
+    services.caddy.virtualHosts.${grafanaDomain}.extraConfig = ''
+      reverse_proxy ${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
+    '';
+
+    services.grafana = {
+      enable = true;
+      package = pkgs.grafana;
+      settings = {
+        # https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
+        server = {
+          protocol = "http"; # served behind caddy
+          http_addr = "0.0.0.0";
+          http_port = 44518;
+          domain = grafanaDomain;
+          root_url = "https://${grafanaDomain}";
+          enable_gzip = true;
+        };
+        database = {
+          type = "sqlite3";
+          cache_mode = "shared";
+          wal = true;
+          query_retries = 3;
+        };
+        security = {
+          # Admin credentials is already available in the secrets
+          admin_user = "$__file{${config.sops.secrets."grafana/admin_user".path}}";
+          admin_password = "$__file{${config.sops.secrets."grafana/admin_password".path}}";
+          admin_email = "$__file{${config.sops.secrets."grafana/admin_email".path}}";
+          secret_key = "$__file{${config.sops.secrets."grafana/secret_key".path}}";
+          cookie_secure = true;
+          cookie_samesite = "lax";
+          strict_transport_security = true;
+        };
+      };
+    };
+  };
+}

system/services/telemetry/loki.nix

@@ -0,0 +1,107 @@
+{ config, lib, ... }:
+let
+  cfg = config.profile.services.telemetry.loki;
+  inherit (lib) mkIf;
+  lokiDomain = "loki.tigor.web.id";
+in
+{
+  config = mkIf cfg.enable {
+
+    sops =
+      let
+        usernameKey = "loki/caddy/basic_auth/username";
+        passwordKey = "loki/caddy/basic_auth/password";
+      in
+      {
+        secrets =
+          let
+            opts = { sopsFile = ../../../secrets/telemetry.yaml; owner = "grafana"; };
+          in
+          {
+            ${usernameKey} = opts;
+            ${passwordKey} = opts;
+          };
+        templates = {
+          "loki/caddy/basic_auth".content = /*sh*/ ''
+            LOKI_USERNAME=${config.sops.placeholder.${usernameKey}}
+            LOKI_PASSWORD=${config.sops.placeholder.${passwordKey}}
+          '';
+        };
+      };
+
+    systemd.services."caddy".serviceConfig = {
+      EnvironmentFile = [ config.sops.templates."loki/caddy/basic_auth".path ];
+    };
+    services.caddy.virtualHosts.${lokiDomain}.extraConfig = /*caddy*/ ''
+      basicauth {
+        {$LOKI_USERNAME} {$LOKI_PASSWORD}
+      }
+      reverse_proxy ${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
+    '';
+
+    services.loki =
+      let
+        dataDir = config.services.loki.dataDir;
+      in
+      {
+        enable = true;
+        configuration = {
+          # https://grafana.com/docs/loki/latest/configure/examples/configuration-examples/
+          auth_enabled = false;
+          server = {
+            http_listen_address = "0.0.0.0";
+            http_listen_port = 3100;
+            grpc_listen_port = 9095;
+          };
+
+          common = {
+            path_prefix = dataDir;
+            replication_factor = 1;
+            ring = {
+              instance_addr = "127.0.0.1";
+              kvstore.store = "inmemory";
+            };
+          };
+
+          schema_config = {
+            configs = [
+              {
+                from = "2024-08-29";
+                store = "tsdb";
+                object_store = "filesystem";
+                schema = "v13";
+                index = {
+                  prefix = "index_";
+                  period = "24h";
+                };
+              }
+            ];
+          };
+
+          storage_config = {
+            filesystem = {
+              directory = "${dataDir}/chunks";
+            };
+          };
+        };
+      };
+    # https://grafana.com/docs/grafana/latest/datasources/loki/
+    services.grafana.provision.datasources.settings.datasources = [
+      {
+        name = "Loki";
+        type = "loki";
+        access = "proxy";
+        url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
+        basicAuth = true;
+        basicAuthUser = "$__file{${config.sops.secrets."loki/caddy/basic_auth/username".path}}";
+        jsonData = {
+          timeout = 60;
+          maxLines = 1000;
+        };
+        secureJsonData = {
+          basicAuthPassword = "$__file{${config.sops.secrets."loki/caddy/basic_auth/password".path}}";
+        };
+      }
+    ];
+  };
+}