# NixOS module for the "postgres" LXC container: a PostgreSQL 13 server that
# hosts one database and one same-named role per application.
{ config, pkgs, ... }:
let
  # Applications served by this instance. Each name is used both as the
  # database name and as the name of the role that owns privileges on it.
  apps = [ "gitea" "vault" "vaultwarden" "authentik" "umami" ];

  # Build one `ensureUsers` entry: role `name` with ALL PRIVILEGES on the
  # database of the same name.
  user = name: {
    inherit name;
    ensurePermissions = {
      "DATABASE \"${name}\"" = "ALL PRIVILEGES";
    };
  };
in
{
  imports = [
    ../../common
    ../../common/lxc.nix
  ];

  system.stateVersion = "21.11";

  environment.systemPackages = [ pkgs.rsync ];

  networking = {
    hostName = "postgres";

    # 5432 is opened without any source-address restriction, so the
    # pg_hba.conf rules below are the only thing deciding who may log in.
    firewall = {
      enable = true;
      allowedTCPPorts = [ 5432 ];
    };
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_13;

    # Listen on TCP as well as the local Unix socket.
    enableTCPIP = true;

    # The address ranges are deliberately broad: LXD may hand a container
    # any address from its pools, so individual client IPs are not pinned.
    #
    # NOTE(review): `trust` means no password or other credential is checked.
    # Any client whose address falls in 10.0.0.0/8 or the IPv6 /96 below and
    # that can reach port 5432 is accepted as whatever role it names, and
    # `all all` excludes neither the `postgres` superuser nor access to
    # another application's database. `local all all trust` does the same for
    # every local account on the Unix socket. Judging by their names, several
    # of these databases hold credential material (vault, vaultwarden,
    # authentik), so isolation here rests entirely on network placement.
    # Hardening options: switch the `host` lines to `scram-sha-256` with a
    # password per role (on PostgreSQL 13 set password_encryption to
    # scram-sha-256 before creating the passwords), use `peer` for the local
    # socket, and/or replace `all all` with one `host <db> <role> <address>`
    # line per application.
    authentication = ''
      local all all trust
      host all all 10.0.0.0/8 trust
      host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
    '';

    ensureDatabases = apps;
    ensureUsers = map user apps;
  };
}