# NixOS module: PostgreSQL 17 for the self-hosted services on this host,
# nightly dumps, pgAdmin published through Traefik, and the firewall holes
# for port 5432.  Which peers may authenticate is decided by pg_hba below.
{ config, pkgs, ... }:
{
  services.postgresql = {
    enable = true;
    # Listen on TCP in addition to the Unix socket; the container-hosted
    # services (baserow, kestra, librechat_rag) can only reach the server
    # over the podman subnet.
    enableTCPIP = true;
    package = pkgs.postgresql_17;
    settings = {
      # NOTE(review): `ssl = true` makes the server expect a certificate and
      # key in its data directory; nothing in this module provisions them —
      # confirm they exist, otherwise the server refuses to start.
      ssl = true;
    };
    extensions = with pkgs.postgresql17Packages; [ pgvector ];
    # Executed once, on first initialisation of the data directory; editing
    # this script later does not change roles that already exist.
    # Every password below equals its role name, and pkgs.writeText stores
    # the script in the world-readable Nix store, so these credentials are
    # effectively public.  Their only protection is the per-role source
    # restriction in `authentication` below.
    # TODO(review): set the passwords from a secret file outside the store
    # (e.g. via ALTER ROLE at activation time), as is already done for the
    # pgadmin password with an age secret.
    initialScript = pkgs.writeText "backend-initScript" ''
      CREATE USER baserow WITH ENCRYPTED PASSWORD 'baserow';
      CREATE DATABASE baserow;
      ALTER DATABASE baserow OWNER to baserow;
      CREATE USER kestra WITH ENCRYPTED PASSWORD 'kestra';
      CREATE DATABASE kestra;
      ALTER DATABASE kestra OWNER to kestra;
      CREATE USER librechat_rag WITH ENCRYPTED PASSWORD 'librechat_rag';
      CREATE DATABASE librechat_rag;
      ALTER DATABASE librechat_rag OWNER to librechat_rag;
      CREATE USER n8n WITH ENCRYPTED PASSWORD 'n8n';
      CREATE DATABASE n8n;
      ALTER DATABASE n8n OWNER to n8n;
      CREATE USER outline WITH ENCRYPTED PASSWORD 'outline';
      CREATE DATABASE outline;
      ALTER DATABASE outline OWNER to outline;
      CREATE USER vaultwarden WITH ENCRYPTED PASSWORD 'vaultwarden';
      CREATE DATABASE vaultwarden;
      ALTER DATABASE vaultwarden OWNER to vaultwarden;
    '';
    # pg_hba.conf.  Priority 10 replaces the NixOS default entries outright
    # (a lower mkOverride number wins over the module default and mkForce),
    # so the trailing `reject` lines are authoritative: anything not listed
    # explicitly is refused.  pg_hba is first-match, so keep the reject
    # lines last.  Each role may only connect to its own database and only
    # from the path it actually uses (socket / loopback / podman subnet).
    # The `host all postgres` entries only work once a password has been
    # assigned to the postgres superuser; until then they match and fail.
    authentication = pkgs.lib.mkOverride 10 ''
      # Local connections (Unix socket)
      local all postgres peer
      local n8n n8n scram-sha-256
      local outline outline scram-sha-256
      local vaultwarden vaultwarden scram-sha-256

      # Localhost connections (IPv4 and IPv6)
      host all postgres 127.0.0.1/32 scram-sha-256
      host all postgres ::1/128 scram-sha-256
      host outline outline 127.0.0.1/32 scram-sha-256
      host outline outline ::1/128 scram-sha-256
      host n8n n8n 127.0.0.1/32 scram-sha-256
      host n8n n8n ::1/128 scram-sha-256
      host vaultwarden vaultwarden 127.0.0.1/32 scram-sha-256
      host vaultwarden vaultwarden ::1/128 scram-sha-256

      # Podman network connections for Baserow
      host baserow baserow 10.89.0.0/24 scram-sha-256
      host kestra kestra 10.89.0.0/24 scram-sha-256
      host librechat_rag librechat_rag 10.89.0.0/24 scram-sha-256

      # Deny all other connections
      local all all reject
      host all all 0.0.0.0/0 reject
      host all all ::/0 reject
    '';
  };

  # Nightly pg_dump of every application database created above; keep this
  # list in sync with initialScript when a database is added.
  services.postgresqlBackup = {
    enable = true;
    startAt = "03:10:00";
    databases = ["baserow" "kestra" "librechat_rag" "n8n" "outline" "vaultwarden"];
  };

  # pgAdmin's bootstrap password comes from an age secret, not the store
  # (contrast with the role passwords in initialScript).
  services.pgadmin = {
    enable = true;
    initialPasswordFile = "${config.age.secrets.pgadmin-pw.path}";
    initialEmail = "sascha.koenig@azintec.com";
  };

  # Traefik configuration specific to pgAdmin: forwards the pg.* vhost to the
  # local pgAdmin listener.  pgAdmin is a superuser-capable admin UI exposed
  # on the websecure entrypoint; its own login is the only gate in front of
  # the databases, so consider restricting the router (e.g. a middleware or
  # source-IP allowlist) if it need not be reachable from the internet.
  services.traefik.dynamicConfigOptions.http = {
    services.pgadmin.loadBalancer.servers = [{url = "http://localhost:5050/";}];
    routers.pgadmin = {
      rule = "Host(`pg.az-gruppe.com`)";
      tls.certResolver = "ionos";
      service = "pgadmin";
      # NOTE(review): Traefik documents this key as `entryPoints` (a list);
      # confirm the lower-case scalar form is accepted by the file provider.
      entrypoints = "websecure";
    };
  };

  # Accept 5432 only from IPv4 loopback and the podman subnet; everything
  # else falls through to the NixOS firewall's default drop.
  # NOTE(review): only iptables (IPv4) rules are added, so the ::1 pg_hba
  # entries above rely on the firewall's default acceptance of `lo` traffic
  # — confirm that is still in effect.
  networking.firewall = {
    extraCommands = ''
      iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5432 -j ACCEPT
      iptables -A INPUT -p tcp -s 10.89.0.0/24 --dport 5432 -j ACCEPT
    '';
  };
}