diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index bf742a4689283c65c06937f2ad73f2afadb3db1f..8cce63e0725f8142d3f9b6e3cafc647c04413ae5 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -91,21 +91,24 @@ in {
 
     services.grafana = {
       enable = true;
-      inherit domain; 
-      port = 2342;
-      addr = "127.0.0.1";
+
+      settings = {
+        server.domain = "${toString domain}";
+        server.http_port = 2342;
+        server.http_addr = "127.0.0.1";
+      };
 
       # No phoning home
-      analytics.reporting.enable = false;
+      settings.analytics.reporting_enabled = false;
 
       # Force Grafana to believe it is reachable via https on the default port
       # number because that's where the nginx that forwards traffic to it is
       # listening.  Grafana's own server listens on an internal address that
       # doesn't matter to anyone except our nginx instance.
-      rootUrl = "https://%(domain)s/";
+      settings.server.root_url = "https://%(domain)s/";
 
       # Defend against DNS rebinding attacks.
-      settings.server.enforce_domain = "true";
+      settings.server.enforce_domain = true;
       # Same time zone for all users by default
       settings.date_formats.default_timezone = "UTC";
 
@@ -115,7 +118,7 @@ in {
       } // grafanaAuth;
 
       # Give users that come through GSuite SSO the highest possible privileges:
-      users.autoAssignOrgRole = "Editor";
+      settings.users.auto_assign_org_role = "Editor";
 
       # Read the admin password from a file in our secrets folder:
       settings.security.admin_password = "$__file{${toString cfg.adminPasswordFile}}";
@@ -163,7 +166,7 @@ in {
     };
 
     # nginx reverse proxy
-    security.acme.email = cfg.letsEncryptAdminEmail;
+    security.acme.defaults.email = cfg.letsEncryptAdminEmail;
     security.acme.acceptTerms = true;
     services.nginx = {
       enable = true;
@@ -181,7 +184,7 @@ in {
         enableACME = true;
         forceSSL = true;
         locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
           proxyWebsockets = true;
         };
         locations."/metrics" = {
@@ -193,7 +196,7 @@ in {
             allow ::1;
             deny all;
           '';
-          proxyPass = "http://127.0.0.1:${toString config.services.grafana.port}";
+          proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
         };
       };
     };