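# NixOS module: `services.vm_postgresql.enable` turns on a PostgreSQL 16 server
# reachable over TCP 5432. It declares five application databases and a pg_hba
# rule per application, each pinned to one client address.
{ lib, config, pkgs, ... }:

let
  cfg = config.services.vm_postgresql;
in
{
  options.services.vm_postgresql = {
    enable = lib.mkEnableOption "Enable minimal config";
  };

  config = lib.mkIf cfg.enable {
    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_16;
      # Accept TCP connections, not only the local socket; the clients below are remote hosts.
      enableTCPIP = true;
      settings.port = 5432;

      ensureDatabases = [
        "gitea"
        "nextcloud"
        "netbox"
        "authentik"
        "grafana"
      ];

      # NOTE(review): only gitea and nextcloud are declared here, while netbox,
      # authentik and grafana have a database and a pg_hba rule but no role.
      # Presumably those roles are created out of band; verify, otherwise their
      # pg_hba entries can never match a login.
      ensureUsers = [
        {
          name = "gitea";
          ensureDBOwnership = true;
        }
        {
          name = "nextcloud";
          ensureDBOwnership = true;
        }
      ];

      # pg_hba.conf records must be one per line: TYPE DATABASE USER ADDRESS METHOD.
      # Each role may reach only its own database, and only from one /32.
      # NOTE(review): `md5` lets a role whose stored verifier is still an MD5 hash
      # authenticate with the MD5 challenge; once every role has a SCRAM verifier,
      # `scram-sha-256` is the stricter method to put here.
      # NOTE(review): these are plain `host` records, so TLS is not required and
      # traffic may cross the LAN unencrypted; `hostssl` would enforce it.
      authentication = ''
        host nextcloud nextcloud 192.168.1.44/32 md5
        host gitea gitea 192.168.1.14/32 md5
        host netbox netbox 192.168.1.45/32 md5
        host authentik authentik 192.168.1.125/32 md5
        host grafana grafana 192.168.1.27/32 md5
      '';

      # Not great, not in prod, cleartext pass
      # waiting for ensureUsers.*.passwordFile option
      # https://github.com/NixOS/nixpkgs/pull/326306
      #
      # NOTE(review): pkgs.writeText places this file in the Nix store, which is
      # world-readable on the host, and the literal also lives in the repository.
      # Both roles share the same guessable value. Until a passwordFile option is
      # available, set the passwords outside the store (e.g. from a secret file
      # read at runtime) and rotate them.
      # NOTE(review): initialScript is executed only on the first startup of a
      # fresh cluster; confirm the gitea/nextcloud roles already exist at that
      # point, and note that editing this script does not change passwords on an
      # existing cluster.
      initialScript = pkgs.writeText "init-sql-script" ''
        alter user gitea with password 'password';
        alter user nextcloud with password 'password';
      '';
    };

    # NOTE(review): this opens 5432 on every interface to every source address,
    # leaving pg_hba as the only source restriction. Consider limiting the
    # firewall rule to the five client addresses listed above.
    networking.firewall.allowedTCPPorts = [ 5432 ];
  };
}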