{
  config,
  pkgs,
  constants,
  ...
}:

{
  services.netdata = {
    enable = true;
    package = pkgs.netdata.override {
      withCloudUi = true;
    };
    config = {
      global = {
        "debug log" = "syslog";
        "access log" = "syslog";
        "error log" = "syslog";
        "bind to" = "127.0.0.1";
      };
    };
  };

  services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
      proxyWebsockets = true;
      # Basic Auth can be added here if desired, or restrict by IP
      # extraConfig = "allow 100.64.0.0/10; deny all;"; # Example for Tailscale only
    };
  };
}