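# NixOS module: PostgreSQL 15 for Learnlytics, plus a one-shot unit that
# applies the auth schema migration after the database service is up.
{ pkgs, ... }:
{
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_15;

    # Listens on TCP as well as the Unix socket; who may connect is decided
    # by the pg_hba rules in `authentication` and by the firewall rule at the
    # bottom of this file.
    enableTCPIP = true;

    extraPlugins = with pkgs.postgresql15Packages; [ pgjwt ];

    # NOTE(review): this is a Nix path literal, so the file is copied into the
    # world-readable Nix store when the configuration is evaluated. Keep role
    # passwords and other secrets out of init.sql, or supply them at runtime.
    initialScript = /etc/learnlytics/init.sql;

    settings = {
      port = 5432;

      # Memory
      shared_buffers = "128MB";
      effective_cache_size = "512MB";
      maintenance_work_mem = "32MB";
      work_mem = "2MB";
      wal_buffers = "4MB";
      max_connections = 20;

      # Planner cost model
      random_page_cost = 2.0;
      effective_io_concurrency = 100;
      default_statistics_target = 50;
      cpu_index_tuple_cost = 0.1;
      cpu_operator_cost = 0.05;

      # WAL and checkpoints
      wal_level = "replica";
      checkpoint_timeout = "15min";
      checkpoint_completion_target = 0.7;
      min_wal_size = "1GB";
      max_wal_size = "4GB";

      # Logging: statements slower than 1000 ms are logged.
      log_min_duration_statement = 1000;
      log_duration = false;
    };

    # pg_hba.conf rules, one per line.
    #
    # Socket connections use `peer`: the OS account name must match the
    # database role. The previous `trust` method accepted any local account as
    # any role, including the `postgres` superuser. Roles that have no
    # matching OS account must connect over TCP with a password (or be given
    # an ident map).
    #
    # NOTE(review): `md5` also accepts roles whose stored hash is MD5. Once
    # every role password is stored as SCRAM (PostgreSQL 15 hashes new
    # passwords with scram-sha-256 by default), tighten the host lines to
    # `scram-sha-256`.
    # NOTE(review): `host` admits non-TLS connections, so clients on
    # 192.168.2.0/24 may authenticate and query in cleartext; `hostssl` plus a
    # server certificate would close that, but no TLS material is visible here.
    authentication = ''
      local all all peer
      host all all 127.0.0.1/32 md5
      host all all ::1/128 md5
      host all all 192.168.2.0/24 md5
    '';
  };

  systemd.services.postgresql.wantedBy = [ "multi-user.target" ];

  systemd.services.learnlytics-auth-migration = {
    description = "Learnlytics auth schema migration";
    after = [ "postgresql.service" ];
    wants = [ "postgresql.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      # Runs as the `postgres` OS account, which peer auth maps to the
      # `postgres` superuser role for `-U postgres` on the socket.
      User = "postgres";
      # ON_ERROR_STOP makes psql exit non-zero on the first failing statement,
      # so a half-applied auth schema marks the unit as failed instead of
      # being reported as success.
      # NOTE(review): the SQL file is executed with superuser rights; confirm
      # /etc/learnlytics/auth-migration.sql is root-owned and not writable by
      # other accounts.
      ExecStart = "${pkgs.postgresql_15}/bin/psql -U postgres -v ON_ERROR_STOP=1 -f /etc/learnlytics/auth-migration.sql";
    };
  };

  # NOTE(review): this opens 5432 on every interface to any source address,
  # while pg_hba above only admits loopback and 192.168.2.0/24. Scoping the
  # rule with networking.firewall.interfaces.<name>.allowedTCPPorts (interface
  # name not visible in this file) keeps the listener unreachable from other
  # networks before authentication is even attempted.
  networking.firewall.allowedTCPPorts = [ 5432 ];
}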