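# NixOS host configuration for "db-01": a PostgreSQL server holding the
# authelia, forgejo and lldap databases, with a nightly SQL dump that restic
# then ships to an encrypted repository. Backup credentials come from sops.
{ config, pkgs, ... }:

{
  imports = [
    ./disk-config.nix
    { _module.args.disks = [ "/dev/sda" ]; }
    ../common/servers
  ];

  time.timeZone = "Europe/Berlin";

  networking.hostName = "db-01";
  networking.nameservers = [ "8.8.8.8" ];

  services.postgresql = {
    enable = true;
    # Listen on TCP as well as the Unix socket. Whether port 5432 is reachable
    # from other hosts depends on firewall settings not shown in this file.
    enableTCPIP = true;

    # Priority 10 outranks ordinary definitions, so this text is meant to be
    # the complete pg_hba.conf rather than being merged with lines set
    # elsewhere.
    #
    # NOTE(review): both rules use `trust`, i.e. no credential check at all.
    #   * `local all all trust` lets any local OS account connect as any
    #     role, including the `postgres` superuser.
    #   * `host all all 100.64.0.0/24 trust` lets any machine with an address
    #     in that range connect as any role to any database, so one
    #     compromised tailnet node gets superuser access to the authelia and
    #     lldap credential stores.
    # Consider `peer` for the local rule and `scram-sha-256` with
    # per-database/per-role `host` lines for the network rule. Left unchanged
    # here because the roles below are created without passwords and existing
    # clients presumably rely on password-less access.
    # NOTE(review): 100.64.0.0/24 covers only the first 256 addresses of the
    # 100.64.0.0/10 CGNAT range; confirm it matches the addresses the tailnet
    # actually hands out.
    authentication = pkgs.lib.mkOverride 10 ''
      #type database  dbuser  origin-address  auth-method
      local all       all                     trust
      host  all       all     100.64.0.0/24   trust # trust tailnet
    '';

    ensureDatabases = [
      "authelia"
      "forgejo"
      "lldap"
    ];

    # One role per application, each owning the database of the same name.
    ensureUsers = [
      {
        name = "authelia";
        ensureDBOwnership = true;
      }
      {
        name = "forgejo";
        ensureDBOwnership = true;
      }
      {
        name = "lldap";
        ensureDBOwnership = true;
      }
    ];
  };

  # Dump the three databases every night at 02:00. The dumps contain the
  # authentication data held by authelia and lldap, so the dump directory
  # needs the same protection as the live database.
  services.postgresqlBackup = {
    enable = true;
    startAt = "*-*-* 02:00:00";
    databases = [
      "authelia"
      "forgejo"
      "lldap"
    ];
  };

  services.restic.backups = {
    postgresql = {
      initialize = true;
      # Repository location, repository password and backend credentials are
      # read from sops-managed files and never appear in the Nix store.
      repositoryFile = config.sops.secrets.restic-repository.path;
      passwordFile = config.sops.secrets.restic-password.path;
      environmentFile = config.sops.secrets.restic-environment.path;
      # Runs one hour after the dump job; Persistent catches up on a run
      # that was missed while the machine was off.
      timerConfig = {
        OnCalendar = "03:00";
        Persistent = true;
      };
      paths = [ "/var/backup/postgresql" ];
      # The original list passed --keep-weekly twice (5 and 12), which leaves
      # one of the two values without effect and configures no monthly
      # retention. The second entry is assumed to be a typo for
      # --keep-monthly, giving the usual daily/weekly/monthly ladder.
      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 5"
        "--keep-monthly 12"
      ];
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Decrypted secret files are owned by root.
    secrets = {
      restic-environment = {
        owner = "root";
      };
      restic-password = {
        owner = "root";
      };
      restic-repository = {
        owner = "root";
      };
    };
  };

  system.stateVersion = "25.05";
}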