{
  config,
  lib,
  ...
}: let
  cfg = config.services.postgresql;
in {
  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    authentication = lib.mkForce ''
      #type database DBuser origin-address auth-method
      local all      all    trust
      # ipv4
      host  all      all    127.0.0.1/32   trust
      # ipv6
      host  all      all    ::1/128        trust
    '';
    ensureDatabases = [
      "forgejo"
      "nextcloud"
    ];
    ensureUsers = [
      {
        name = "forgejo";
        ensureDBOwnership = true;
      }
      {
        name = "nextcloud";
        ensureDBOwnership = true;
      }
    ];
    settings = {
      port = 3245;
    };
  };

  services.caddy.virtualHosts = {
    "db.local".extraConfig = ''
      reverse_proxy http://localhost:${toString cfg.settings.port}
      tls internal
    '';
  };
}