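# NixOS module: a PostgreSQL 12 instance on a dedicated data disk, used as the
# storage backend for Vault (the table and index below follow the schema the
# original module created; names are kept unchanged).
{ pkgs, lib, ... }:

let
  # Secret read at evaluation time. lib.fileContents strips the trailing newline
  # that builtins.readFile would otherwise keep as part of the password; the
  # single-quote doubling keeps the SQL string literal well-formed if the
  # password contains a quote.
  vaultDbPassword = lib.replaceStrings [ "'" ] [ "''" ]
    (lib.fileContents /opt/cloud-init-misc-data/vault_db_password);
in
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_12;
    dataDir = "/mnt/data/postgresql";
    enableTCPIP = true;

    # Remote clients from 10.88.0.0/16 must present the role password.
    # The previous entry used `trust`, which let any host in that range log in
    # as any role (including the postgres superuser) without credentials.
    authentication = ''
      host all all 10.88.0.0/16 scram-sha-256
    '';

    # Runs once, when the cluster in dataDir is first initialised.
    # NOTE(review): pkgs.writeText places this script, password included, in
    # the world-readable /nix/store. Assigning the password at runtime instead
    # (e.g. a postStart step reading the secret file) would keep it out of the
    # store; left as-is here to keep the change minimal.
    initialScript = pkgs.writeText "backend-initScript" ''
      -- Hash the password with SCRAM so the scram-sha-256 pg_hba entry above can
      -- authenticate this role (PostgreSQL 12 defaults password_encryption to md5,
      -- and a SCRAM hba entry cannot verify an md5-hashed password).
      SET password_encryption = 'scram-sha-256';
      CREATE DATABASE vault;
      CREATE USER vault WITH ENCRYPTED PASSWORD '${vaultDbPassword}';
      GRANT ALL PRIVILEGES ON DATABASE vault TO vault;
      -- psql meta-command: it consumes the rest of its line, so it must stand alone.
      \c vault
      CREATE TABLE vault_kv_store (
        parent_path TEXT COLLATE "C" NOT NULL,
        path        TEXT COLLATE "C",
        key         TEXT COLLATE "C",
        value       BYTEA,
        CONSTRAINT pkey PRIMARY KEY (path, key)
      );
      CREATE INDEX parent_path_idx ON vault_kv_store (parent_path);
      GRANT ALL PRIVILEGES ON TABLE vault_kv_store TO vault;
    '';
  };

  # Make the mount point traversable and hand the cluster directory to the
  # postgres user before the service starts.
  system.activationScripts.mnt = {
    text = "chmod 755 /mnt && mkdir -p /mnt/data/postgresql && chown -R postgres:postgres /mnt/data/postgresql";
    deps = [ ];
  };

  fileSystems."/mnt/data" = {
    device = "/dev/sdb";
    fsType = "ext4";
    label = "data";
    # nofail: boot proceeds even if the data disk is missing (postgres will then
    # fail to start rather than the whole machine).
    options = [ "nofail" ];
  };

  # Opens 5432 on every firewall interface; which hosts may actually log in is
  # governed by the pg_hba entry above (remote password logins only from
  # 10.88.0.0/16, plus whatever local entries NixOS adds by default).
  networking.firewall.allowedTCPPorts = [ 5432 ];
}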