{ pkgs, lib, config, ... }:

# NixOS module: optional PostgreSQL instance holding Terraform state.
#
# When `custom.terraformDatabase.enable` is set this module:
#   * runs PostgreSQL 15 listening on TCP (all interfaces) and opens 5432 in the firewall,
#   * creates the `terraformstates` database and a `terraform` role with all privileges on it,
#   * serves TLS with a certificate checked into the repo and a key delivered by agenix,
#   * admits the `terraform` role only over TLS with client-certificate authentication.
let
  inherit (lib) mkIf mkOption types;

  cfg = config.custom.terraformDatabase;
  dataDisk = config.custom.dataDisk;

  # The server certificate is public material, so it is copied into the Nix store.
  # The private key is NOT: it comes from the age secret declared below.
  serverCert = builtins.toFile "postgresql_server.crt"
    (builtins.readFile ../postgresql_server.crt);
in
{
  options.custom.terraformDatabase.enable = mkOption {
    type = types.bool;
    default = false;
    description = ''
      Whether to start a postgreSQL database for Terraform states
    '';
  };

  config = mkIf cfg.enable {
    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_15;

      # Listen on TCP so remote Terraform runs can reach the state backend.
      # The only entry point for the `terraform` role is the hostssl/cert rule below.
      enableTCPIP = true;

      # Keep the cluster on the dedicated data disk when one is configured;
      # the psqlSchema suffix keeps clusters of different major versions apart.
      dataDir = mkIf dataDisk.enable
        "${dataDisk.mountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}";

      ensureDatabases = [ "terraformstates" ];

      # NOTE(review): `ensurePermissions` is deprecated/removed in newer NixOS releases
      # in favour of `ensureDBOwnership`; confirm against the nixpkgs revision in use.
      ensureUsers = [
        {
          name = "terraform";
          ensurePermissions = {
            "DATABASE terraformstates" = "ALL PRIVILEGES";
          };
        }
      ];

      # pg_hba rule: TLS only, client certificate required, any source address.
      # PostgreSQL's `cert` method implies clientcert=verify-full, so the client
      # certificate's CN must equal the role name (`terraform`) unless a map= is added.
      authentication = ''
        hostssl terraformstates terraform all cert
      '';

      settings = {
        ssl = true;
        ssl_cert_file = serverCert;
        ssl_key_file = config.age.secrets."postgresql_server.key".path;
        # The server certificate doubles as the trust anchor for client certificates,
        # i.e. client certs must be issued by the server's own key. NOTE(review): this
        # couples client-cert validity to the server key; rotating the server key
        # invalidates every client certificate. Confirm this is intended.
        ssl_ca_file = serverCert;
      };
    };

    # Exposed on every interface; client-certificate auth is the gate, there is no
    # address-based restriction here. Consider narrowing if the host is multi-homed.
    networking.firewall.allowedTCPPorts = [ 5432 ];

    # TLS private key, decrypted at activation and readable only by the postgres user.
    age.secrets."postgresql_server.key" = {
      file = ../secrets/postgresql_server.key.age;
      mode = "400";
      owner = toString config.ids.uids.postgres;
      group = toString config.ids.gids.postgres;
    };
  };
}