# NixOS module: PostgreSQL server, its scheduled dumps, and the storage that
# backs both. All host-specific values (names, paths, ports, mounts) are read
# from flake.config; none are defined here.
{ flake, ... }:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services) instances;

  pg = instances.postgresql;
  owner = pg.name;
  dataPath = pg.paths.path0;

  # Look up the configured name of another service instance.
  nameOf = app: instances.${app}.name;
in
{
  services.postgresql.enable = true;
  # Declarative provisioning is currently disabled:
  #   ensureDatabases = [ firefly-iii.name ];
  #   ensureUsers = [ { name = firefly-iii.name; ensureDBOwnership = true; } ];
  # (`firefly-iii` is not bound in this file's `let`; re-enabling these lines
  # would need `instances.firefly-iii.name`.)

  services.postgresqlBackup = {
    enable = true;
    # NOTE(review): the dumps are written to the same path that is bind-mounted
    # as /var/lib/postgresql below, so they share storage with the live
    # cluster. Losing that storage would lose the backups too, so confirm a
    # separate or off-host copy exists.
    location = dataPath;
    databases = map nameOf [
      "mastodon"
      "nextcloud"
      "peertube"
      "forgejo"
      "firefly-iii"
    ];
  };

  # NOTE(review): this opens the port in the host firewall without an interface
  # or source restriction. Nothing in this module sets
  # services.postgresql.enableTCPIP or services.postgresql.authentication, so
  # it cannot be told from here whether remote clients are intended. If every
  # client is local, drop this entry. Otherwise scope it, for example with
  # networking.firewall.interfaces.<name>.allowedTCPPorts, and review pg_hba.
  networking.firewall.allowedTCPPorts = [ pg.ports.port0 ];

  # The data directory is a bind mount of the configured storage path and is
  # ordered after the storage0 mount.
  fileSystems."/var/lib/postgresql" = {
    device = dataPath;
    fsType = "none";
    options = [ "bind" ];
    depends = [ ceres.storage0.mount ];
  };

  # Recursively sets mode 700 and owner/group on everything under the storage
  # path, including any dumps that postgresqlBackup wrote there.
  systemd.tmpfiles.rules = [
    "Z ${dataPath} 700 ${owner} ${owner} -"
  ];

  # NOTE(review): the database service account is added to the groups of three
  # applications, which gives it whatever group-level file access those groups
  # carry. The reason is not visible in this module. Confirm it is still
  # needed, since least privilege favours no extra groups on the DB account.
  users.users.${owner}.extraGroups = map nameOf [
    "nextcloud"
    "mastodon"
    "forgejo"
  ];

  # Runs on every system activation. It repeats the ownership change that the
  # tmpfiles `Z` rule above already makes.
  system.activationScripts.postgresCommands = ''
    chown -R ${owner}:${owner} ${dataPath}
  '';
}