# NixOS module for the PostgreSQL instance on this host: enables the server and
# its dump job, opens a firewall port, bind-mounts the storage path onto
# /var/lib/postgresql and fixes ownership of that path.
#
# Values come from the flake's own config tree:
#   name  - account/group name used for ownership (presumably the postgres user; verify)
#   paths - paths.path0 is used both as the backup location and as the bind source
#   ports - ports.port0 is the TCP port opened in the firewall
{flake, ...}: let
  inherit (flake.config.service.instance.postgresql) name paths ports;
  inherit (flake.config.system.device) server;
in {
  # Dumps of the listed databases are written to paths.path0. That is the same
  # path bind-mounted as /var/lib/postgresql below, so the dumps sit on the
  # storage that holds the live cluster.
  # NOTE(review): a dump stored next to the data it protects is lost together
  # with that storage; confirm the dumps are also copied somewhere else.
  services.postgresqlBackup = {
    enable = true;
    location = paths.path0;
    databases = [
      "mastodon"
      "nextcloud"
      "peertube"
      "forgejo"
      "wiki"
    ];
  };

  # Only `enable` is set here. Listen addresses, client authentication and TLS
  # are not configured in this module.
  # NOTE(review): confirm where those are set before relying on the firewall
  # rule below.
  services.postgresql.enable = true;

  # Accepts inbound TCP on ports.port0 on every interface the firewall covers.
  # NOTE(review): presumably the PostgreSQL port. If every client runs on this
  # host the rule is not needed; if remote clients exist, consider limiting it
  # to the interface or source range they use.
  networking.firewall.allowedTCPPorts = [ports.port0];

  # Bind mount: the data directory is backed by paths.path0, and is mounted
  # only after server.storage0.mount.
  fileSystems."/var/lib/postgresql" = {
    device = paths.path0;
    fsType = "none";
    options = ["bind"];
    depends = [server.storage0.mount];
  };

  # `Z` applies mode 700 and owner/group ${name} recursively to paths.path0 and
  # everything beneath it, which includes the dumps written there.
  systemd.tmpfiles.rules = ["Z ${paths.path0} 700 ${name} ${name} -"];

  # Adds the ${name} account to three application groups.
  # NOTE(review): this gives the database account whatever group access those
  # applications' files allow; peertube and wiki are dumped above but have no
  # matching group here. Confirm the memberships are required.
  users.users.${name}.extraGroups = ["nextcloud" "mastodon" "forgejo"];

  # Runs as root on every activation and recursively re-owns paths.path0.
  # NOTE(review): this repeats the ownership part of the tmpfiles `Z` rule, and
  # the path is interpolated into the shell command unquoted; a path containing
  # whitespace would be split into several arguments.
  system.activationScripts.postgresCommands = '' chown -R ${name}:${name} ${paths.path0} '';
}