# NixOS module fragment: declares one PostgreSQL role and database ("pda") and
# the pg_hba rules that admit a single client host over IPv4 and IPv6.
# NOTE(review): services.postgresql.enable is not set here, presumably it is
# enabled in another module; confirm.
{ config, ... }:
let
  # Host name for this server. Only the commented-out nginx/ACME and TLS
  # settings below reference it, so it is currently unused.
  fqdn = "sql.${config.networking.domain}";
  # Placeholder: a plain string, not a function, and not referenced anywhere in
  # this module. It sketches a future helper that generates the per-client
  # user, database and pg_hba lines.
  mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
in
{
  services = {
    # Disabled: nginx virtual host for fqdn with ACME enabled, answering every
    # request with HTTP 418. Presumably it exists only to obtain the certificate
    # referenced by the TLS settings further down.
    #nginx = {
    #  enable = true;
    #  virtualHosts."${fqdn}" = {
    #    enableACME = true;
    #    locations."/".return = "418";
    #  };
    #};
    postgresql = {
      # Disabled: with enableTCPIP left at its default the server accepts TCP
      # only on localhost, so the remote `host` rules in `authentication` below
      # match nothing until this is turned on.
      #enableTCPIP = true;
      # Disabled: server-side TLS using the ACME certificate for fqdn.
      # NOTE(review): before enabling, verify that server.crt, server.key and
      # ca.crt match the file names the ACME module actually writes into this
      # directory, and that the postgres user can read the key file.
      #settings = {
      #  ssl = "on";
      #  ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt";
      #  ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
      #  ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
      #};
      # Role "pda", made owner of the database of the same name.
      # NOTE(review): no password is set in this module, and scram-sha-256
      # logins need one, so it has to be provisioned out of band.
      ensureUsers = [
        {
          name = "pda";
          ensureDBOwnership = true;
        }
      ];
      # ensureDBOwnership requires a database named like the role.
      ensureDatabases = [ "pda" ];
      # pg_hba rules: role "pda" may reach database "pda" from exactly one IPv4
      # address (/32) and one IPv6 address (/128), authenticating with
      # scram-sha-256.
      # NOTE(review): the active rules are `host`, which also match
      # non-TLS connections. SCRAM protects the password exchange but not the
      # session, so queries and results would cross the network in cleartext.
      # Once TLS is configured, switch to the commented `hostssl` rules and
      # drop the `host` ones so the client cannot fall back to plaintext.
      authentication = ''
        # TYPE    DATABASE  USER  ADDRESS                      METHOD
        #hostssl  pda       pda   195.160.173.15/32            scram-sha-256
        #hostssl  pda       pda   2001:678:760:cccb::15/128    scram-sha-256
        host      pda       pda   195.160.173.15/32            scram-sha-256
        host      pda       pda   2001:678:760:cccb::15/128    scram-sha-256
      '';
    };
  };
}