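{pkgs, ...}:
let
  inherit (pkgs) lib;

  # Single source of truth for the application roles. Each entry becomes a
  # role with that password plus a same-named database owned by it, and the
  # same set drives the nightly backup list, so the two cannot drift apart.
  #
  # NOTE(review): initialScript is written to the Nix store, which is
  # world-readable on the host, so these passwords are not secret; each one
  # also equals its username. Provision them from an out-of-store secret
  # (and rotate them) before trusting anything that can reach port 5432.
  appPasswords = {
    baserow = "baserow";
    kestra = "kestra";
    n8n = "n8n";
    outline = "outline";
  };

  # attrNames / mapAttrsToList iterate in sorted key order, which matches the
  # original creation and backup order: baserow, kestra, n8n, outline.
  appNames = lib.attrNames appPasswords;

  # SQL run once at cluster creation for one application role.
  # The ENCRYPTED keyword is omitted: it has been a no-op since PostgreSQL 10,
  # and password_encryption defaults to scram-sha-256 on current releases.
  mkAppSql = name: password: ''
    CREATE USER ${name} WITH PASSWORD '${password}';
    CREATE DATABASE ${name};
    ALTER DATABASE ${name} OWNER to ${name};
  '';
in
{
  services.postgresql = {
    enable = true;
    # Sets listen_addresses so the server accepts TCP; who may actually
    # connect is governed by pg_hba.conf below and the firewall rules at
    # the bottom of this module.
    enableTCPIP = true;
    package = pkgs.postgresql_17;
    settings = {
      # NOTE(review): ssl = true requires ssl_cert_file / ssl_key_file
      # (server.crt / server.key in the data directory by default) to exist
      # or the server refuses to start; nothing in this module provisions
      # them — confirm where they come from. The `host` lines in pg_hba
      # below also accept plaintext TCP; `hostssl` for the container subnet
      # would make TLS mandatory for Baserow and Kestra.
      ssl = true;
    };
    extensions = with pkgs.postgresql17Packages; [ pgvector ];
    initialScript = pkgs.writeText "backend-initScript"
      (lib.concatStrings (lib.mapAttrsToList mkAppSql appPasswords));

    # Priority 10 beats the module's default pg_hba entries (priority 100),
    # so only the lines below are meant to end up in pg_hba.conf — confirm
    # against the generated file after a rebuild. First matching line wins.
    # The postgres superuser is identified by OS user over the socket
    # (peer); initialScript sets no password for it, so the scram-sha-256
    # TCP entries for `postgres` only work once a password is set out of
    # band. Each application role may only open its own database.
    authentication = lib.mkOverride 10 ''
      # Local connections (Unix socket)
      local all postgres peer
      local outline outline scram-sha-256
      local n8n n8n scram-sha-256
      # Localhost connections (IPv4 and IPv6)
      host all postgres 127.0.0.1/32 scram-sha-256
      host all postgres ::1/128 scram-sha-256
      host outline outline 127.0.0.1/32 scram-sha-256
      host outline outline ::1/128 scram-sha-256
      host n8n n8n 127.0.0.1/32 scram-sha-256
      host n8n n8n ::1/128 scram-sha-256
      # Podman network connections for Baserow
      host baserow baserow 10.89.0.0/24 scram-sha-256
      host kestra kestra 10.89.0.0/24 scram-sha-256
      # Deny all other connections
      local all all reject
      host all all 0.0.0.0/0 reject
      host all all ::/0 reject
    '';
  };

  services.postgresqlBackup = {
    enable = true;
    # systemd calendar spec: every day at 03:10.
    startAt = "03:10:00";
    # Backs up exactly the databases created above.
    databases = appNames;
  };

  networking.firewall = {
    # IPv4 only: allow 5432 from the host itself and from the Podman
    # network. NOTE(review): the 127.0.0.1 rule is probably redundant with
    # the NixOS firewall's loopback accept, and rules appended to INPUT
    # live outside the nixos-fw chain the module manages — the documented
    # pattern is `iptables -A nixos-fw ...`; verify the effective ordering
    # with `iptables -S INPUT` after a rebuild.
    extraCommands = ''
      iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
      iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
    '';
  };
}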