nextcloud: Use a hardened systemd unit instead of a container

configuration/services/postgres.nix

@@ -0,0 +1,31 @@
+{pkgs, ...}: {
+  services.postgresql = {
+    package = pkgs.postgresql_14;
+    enable = true;
+
+    # Only enable connections via the unix socket, and check with the
+    # OS to make sure the user matches the database name.
+    #
+    # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+    authentication = ''
+      local sameuser all peer
+    '';
+
+    # Note: The following options with ensure.* are set-only; i.e.,
+    # when permissions/users/databases are removed from these lists,
+    # that operation needs to be performed manually on the system as
+    # well.
+    ensureUsers = [
+      {
+        name = "nextcloud";
+        ensurePermissions = {
+          "DATABASE nextcloud" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+
+    ensureDatabases = [
+      "nextcloud"
+    ];
+  };
+}