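# NixOS module: a local PostgreSQL 14 cluster backing the grafana and
# nextcloud services.  Each service connects over the unix socket as its
# own OS user; no role defined here is given a password.
{ pkgs, ... }:
let
  # One list drives both ensureUsers and ensureDatabases so that the role
  # name and the database name cannot drift apart (ensureDBOwnership needs
  # a database whose name equals the role's name).
  serviceDatabases = [ "grafana" "nextcloud" ];
in
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_14;

    # pg_hba rule: over the unix socket a client may only open the database
    # whose name matches its role, and that role must equal the OS user the
    # client runs as (peer auth, answered by the kernel).
    #
    # NOTE(review): NixOS appends its own default pg_hba entries after the
    # contents of this option (a `local all all peer` rule plus md5 rules
    # for loopback TCP), and pg_hba is first-match-wins.  A local connection
    # to a *different* database therefore does not match `sameuser` and
    # falls through to the default peer rule instead of being refused, so
    # this line alone is not an access boundary between the two services.
    # Check the generated pg_hba.conf on the host before relying on it;
    # whether TCP is listened on at all is governed by
    # services.postgresql.enableTCPIP, not by this option.
    #
    # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
    authentication = ''
      local sameuser all peer
    '';

    # The ensure* options are additive only: entries removed from this
    # list are NOT dropped from the running cluster and must be removed by
    # hand on the system as well.
    ensureUsers = map (name: {
      inherit name;
      ensureDBOwnership = true;
    }) serviceDatabases;

    ensureDatabases = serviceDatabases;
  };
}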