diff --git a/flake.nix b/flake.nix index 0072dcd7..d2cbdfc6 100644 --- a/flake.nix +++ b/flake.nix @@ -274,7 +274,7 @@ [ "nix-store" "xn--qbtm095lrg0bfka60z" ])) // (builtins.listToAttrs (builtins.map (site: { name = "${site}.chn.moe"; value.upstream.address = "internal.vps7.chn.moe"; }) - [ "xn--s8w913fdga" "misskey" "synapse" "send" "kkmeeting" "api" "gitlab" ])); + [ "xn--s8w913fdga" "misskey" "synapse" "send" "kkmeeting" "api" "gitlab" "grafana" ])); applications = { element.instances."element.chn.moe" = {}; @@ -351,6 +351,7 @@ httpapi.enable = true; mastodon.enable = true; gitlab.enable = true; + grafana.enable = true; }; };}) ]; diff --git a/modules/services/default.nix b/modules/services/default.nix index ff257cc1..2f06732e 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -36,6 +36,7 @@ inputs: ./mirism.nix ./mastodon.nix ./gitlab.nix + ./grafana.nix ]; options.nixos.services = let inherit (inputs.lib) mkOption types; in { diff --git a/modules/services/gitlab.nix b/modules/services/gitlab.nix index 8a9be75c..bda24d66 100644 --- a/modules/services/gitlab.nix +++ b/modules/services/gitlab.nix @@ -10,7 +10,6 @@ inputs: let inherit (inputs.config.nixos.services) gitlab; inherit (inputs.lib) mkIf; - inherit (builtins) map listToAttrs toString replaceStrings filter; in mkIf gitlab.enable { services.gitlab = diff --git a/modules/services/grafana.nix b/modules/services/grafana.nix new file mode 100644 index 00000000..c8590bc1 --- /dev/null +++ b/modules/services/grafana.nix 
@@ -0,0 +1,67 @@
+inputs:
+{
+ options.nixos.services.grafana = let inherit (inputs.lib) mkOption types; in
+ {
+ enable = mkOption { type = types.bool; default = false; };
+ hostname = mkOption { type = types.str; default = "grafana.chn.moe"; };
+ };
+ config =
+ let
+ inherit (inputs.config.nixos.services) grafana;
+ inherit (inputs.lib) mkIf;
+ in mkIf grafana.enable
+ {
+ services.grafana =
+ {
+ enable = true;
+ declarativePlugins = with inputs.pkgs.grafanaPlugins; [];
+ settings =
+ {
+ users = { verify_email_enabled = true; default_language = "zh-CN"; allow_sign_up = true; };
+ smtp =
+ {
+ enabled = true;
+ host = "mail.chn.moe";
+ user = "bot@chn.moe";
+ password = "$__file{${inputs.config.sops.secrets."grafana/mail".path}}";
+ from_address = "bot@chn.moe";
+ ehlo_identity = grafana.hostname;
+ startTLS_policy = "MandatoryStartTLS";
+ };
+ server = { root_url = "https://${grafana.hostname}"; http_port = 3001; enable_gzip = true; };
+ security =
+ {
+ secret_key = "$__file{${inputs.config.sops.secrets."grafana/secret".path}}";
+ admin_user = "chn";
+ admin_password = "$__file{${inputs.config.sops.secrets."grafana/chn".path}}";
+ admin_email = "chn@chn.moe";
+ };
+ database =
+ {
+ type = "postgres";
+ host = "127.0.0.1:5432";
+ user = "grafana";
+ password = "$__file{${inputs.config.sops.secrets."grafana/db".path}}";
+ };
+ };
+ };
+ nixos.services =
+ {
+ nginx =
+ {
+ enable = true;
+ https."${grafana.hostname}".location."/".proxy =
+ { upstream = "http://127.0.0.1:3001"; websocket = true; };
+ };
+ postgresql.instances.grafana = {};
+ };
+ sops.secrets = let owner = inputs.config.systemd.services.grafana.serviceConfig.User; in
+ {
+ "grafana/mail" = { owner = owner; key = "mail/bot"; };
+ "grafana/secret".owner = owner;
+ "grafana/chn".owner = owner;
+ "grafana/db" = { owner = owner; key = "postgresql/grafana"; };
+ "mail/bot" = {};
+ };
+ };
+}
diff --git a/secrets/vps7.yaml b/secrets/vps7.yaml
index ae7cd0e4..46509235 100644
--- a/secrets/vps7.yaml
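Review bot: `allow_sign_up = true` in `settings.users` of modules/services/grafana.nix opens self-registration on an instance that the same module publishes through nginx at `https://${grafana.hostname}`. Nothing in the hunk sets `auto_assign_org_role` or `allow_org_create`, so, assuming Grafana's defaults apply, anyone who can receive the verification mail ends up with an account in the main organisation and may create organisations of their own. If open registration is not intended, use `allow_sign_up = false;` and invite users instead; if it is intended, say so in a comment and pin the privileges explicitly, e.g. `auto_assign_org_role = "Viewer"; allow_org_create = false;`. Separately, `host = "mail.chn.moe";` under `smtp` has no port while Grafana documents that setting as `host:port`, so it is worth confirming that verification mail is actually sent and writing the value as `"mail.chn.moe:<port>"` (placeholder for the submission port the mail server offers).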
+++ b/secrets/vps7.yaml @@ -22,6 +22,7 @@ postgresql: nextcloud: ENC[AES256_GCM,data:5UpYSMsZgUgEJHg0ou9Z1RTE+YFFUKuXwPtc6L5XxD4GNo8Gd3CvcQSNGAol+5DtyPKF3q1+ZgtScWGrqU1RyA==,iv:Zfm+Oa4eON8WiJzYUkMFawafDwo9pOnOpWkwHYLIKkk=,tag:4ECMla1dFfCrn7lILwWFNA==,type:str] mastodon: ENC[AES256_GCM,data:IQxoNjZILazu5cxkEzFAqqmGSsOffMQHoRB7AC2NqI/+CJSVsfdwiSVfxN+Jc9dmrqCjscUSxaWCMHnrZj/JyQ==,iv:d6tyj/w0uH2E3qHjEcopVhnmE/Pq0qN9PHthSArryyw=,tag:kfJsxqkErFcG11B0CmiIKw==,type:str] gitlab: ENC[AES256_GCM,data:YC1Ubpc9zWK8rb5FvZAEYjNWqVF8tZL6Nxqa18Wyq7KAh2Rv2tjl0iVlVzhtaBf28gF++nJVu9LcATaOuHH9sw==,iv:j+t4PwizJNkWZkhzdqU01/P5MeS2nSk6XNlvxJ17hC0=,tag:0gtBn9has+xrtJCn6MAyyA==,type:str] + grafana: ENC[AES256_GCM,data:ZLtDIZ3oKasE4r1WNllNe/rkXxqRS+QAJI7EGPKhiFF1BtAxD46UpGQnUag3yg0gP/8+3COQs6camVSxcKFL1A==,iv:wMj3keVjNpVwNMwlt4E3ds1EYjLNIZ/S3RydhOlmYWU=,tag:ZRn7NWaUPbf2rHYLoLYw+w==,type:str] meilisearch: misskey-misskey: ENC[AES256_GCM,data:4s+qqd6mmstioC0XmG/vA6ED9mzu1vRJVPFFalRiqnnsFy0dYEU87H+y12eOp/KDSLdTNvpp6Z6jCNvxnpDXzQ==,iv:x6L9OPu/dwVsD9pYb4dqavw9NesMbo7LB+rwz6veAR4=,tag:/BBqV2sHIgPas7XsZydh2g==,type:str] rsshub: 
@@ -86,6 +87,9 @@ gitlab: otp: ENC[AES256_GCM,data:Hgq5Tyq+BUTsexVsjFWf07fY0znPL50+qIm+fhuVljlauXBZouQjJKMhqTs9zhLECOktYUtp0wrNa++nO1Ys9A==,iv:Am51j8QjDtldtsZL8uCu0I3pr/SQ6R8KUQinznZjClg=,tag:hbtrlG0MGNL3VcbQUG/irQ==,type:str] dbFile: ENC[AES256_GCM,data:AKxE/Z4jooDlkIl3WpQZIlN+MLxlZ7SEWVF12/8f9aq7LtVl5B0RDA6bZbeM0PU8h4eGcSX9feSpLIVpvBAQxQ==,iv:li6hBLw9filwVVXa01oICtvY9UJsMgB+3XYOgZyCTnY=,tag:wC18TzVMM+dcpIi8wwCcIw==,type:str] root: ENC[AES256_GCM,data:nPO4MT7BWuCHnWkbHPRYygMpieGsni4+BQs6HVwxBqH5KuD0O7I3PQlcgntxb4kWbqvyWstYW+k9LdscSEzgXg==,iv:fgfW8BljGlOIQzGK+UiEFcT6Hp5ieA8C86kwT8xRlO4=,tag:eSWPda0NYBe47uVYCOUiLg==,type:str] +grafana: + secret: ENC[AES256_GCM,data:QYhopqGcHGr+24qYlfaTdMtnyzmIZYG4PcvS9KYqC24W3M+HmloCkPHh7Y3ZTVg8MnrDGOcbA9YPLdY7eh/u4g==,iv:dh7egVIem2bgDbmWJ1sqH9fLdIYbAIQjnjNvyuEjVq0=,tag:DbIRVHbCcpKGcNc6sDTasA==,type:str] + chn: ENC[AES256_GCM,data:0bbjggWS1MdcUIQiQyPlBTULm+faKDpJbmZmV6vSw8k=,iv:am65WQzUE+AvQrQV+NSF5u6RCWn7EetyPsdy4Cuvyyw=,tag:lxNUM1cIYVSXVgwEnS1Hdw==,type:str] sops: kms: [] gcp_kms: [] @@ -110,8 +114,8 @@ sops: SnFHS1Z0SXUzTFdEd29KTy9DU3Y3R0UKfhh+rUmWDrf+UGjclP57dHipPLFoXSqy HdelmfV6q4/c7ppx2E+oZw3VNgoZCsrxxzYZfwxHJiZb+5vkE0D8iA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-20T11:26:38Z" - mac: ENC[AES256_GCM,data:FkWXLiv/ewnZuJvGc9DMm6uY3EMQHX6pSJcEwncOCN7PpwSRbEH7+rVlus6ByHfGyV6g+KvtXMX1CSspfcT0pAwQ0aNrc2BekwhmnZM2PfcXSfvmVA+JKWc8dwbo6M6g05qyC0I8MoCqrBQbQmMqZstLfUReASxDrqNQ/e1DWfg=,iv:7E28UMWlCfXeSjQn9YvUTqzqma6t+z7RpdWgjYr+uro=,tag:3HOiPd2tyztlwHpOyXM08Q==,type:str] + lastmodified: "2023-11-20T15:47:13Z" + mac: ENC[AES256_GCM,data:n8vx3iRkmku3bOkkglONc8VHQTXSbO0jVrjrKEXwjvNnfk7mwBXK2YNu622V2Ap2BhmHvQjxD9Du/r2UE2+d5saCjtkhlt/HLQZlbjtiguL9xQj1qSG2MiU4kIC6rsKpNc9Ae93fOQ/LGjdIhZT6V5LNERyX84nbeXzCTBwRNbU=,iv:TAiBT2JKtFVwl8XrQ7Bl2Go9T6JC/tCQP747lAPtq+M=,tag:eIueYKVPBsX6iiT2pxv2+g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3