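# NixOS module: PostgreSQL server with one database and one owning role per
# application, plus a helper script for major-version cluster upgrades.
{ config, lib, pkgs, ... }:
let
  cfg = config.my.servers.postgres;

  # Major-version upgrade helper.
  # upgrade here first, then below: bump `newPostgres`, rebuild, run
  # `upgrade-pg-cluster` as root, then bump `services.postgresql.package`.
  upgrade-pg-cluster =
    let
      newPostgres = pkgs.postgresql_17.withPackages (_pp: [ ]);
    in
    pkgs.writeScriptBin "upgrade-pg-cluster" ''
      set -eux

      export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
      export NEWBIN="${newPostgres}/bin"
      export OLDDATA="${config.services.postgresql.dataDir}"
      export OLDBIN="${config.services.postgresql.package}/bin"

      # Run the sanity checks before the service is stopped: initdb refuses a
      # non-empty directory, and with `set -e` a failure after the stop would
      # leave the database down.
      if [ "$NEWDATA" = "$OLDDATA" ]; then
        echo "upgrade-pg-cluster: target data dir is the running cluster ($OLDDATA); bump newPostgres first" >&2
        exit 1
      fi
      if [ -e "$NEWDATA/PG_VERSION" ]; then
        echo "upgrade-pg-cluster: $NEWDATA already holds an initialised cluster" >&2
        exit 1
      fi

      systemctl stop postgresql

      # 0700 and postgres-owned: the data directory must not be readable by
      # other local accounts.
      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
      cd "$NEWDATA"
      sudo -u postgres "$NEWBIN/initdb" -D "$NEWDATA"

      # Extra command-line arguments are forwarded to pg_upgrade unchanged.
      sudo -u postgres "$NEWBIN/pg_upgrade" \
        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
        --old-bindir "$OLDBIN" --new-bindir "$NEWBIN" \
        "$@"
    '';

  # Each name becomes both a database and a role that owns it.
  dbNames = [
    "jawz"
    "paperless"
    "nextcloud"
    "ryot"
    "vaultwarden"
    "shiori"
    "mealie"
    "firefly-iii"
    "matrix-synapse"
    "readeck"
    "sonarqube"
    "gitea"
  ];
in
{
  options.my.servers.postgres.enable = lib.mkEnableOption "PostgreSQL database server";

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ upgrade-pg-cluster ];

    services.postgresql = {
      inherit (cfg) enable;
      # With enableTCPIP the NixOS module listens on all interfaces rather
      # than loopback only, so the pg_hba rules below (and whatever firewall
      # is configured outside this file) are the only network gate.
      enableTCPIP = true;
      ensureDatabases = dbNames;
      package = pkgs.postgresql_17;
      ensureUsers = map (name: {
        inherit name;
        ensureDBOwnership = true;
      }) dbNames;

      # mkOverride 10 outranks mkForce, so lower-priority definitions of this
      # option are discarded and these four lines are the whole pg_hba policy.
      #
      # NOTE(review): the three `trust` rules let every local account and
      # every process that can reach the loopback address connect as ANY
      # role, the `postgres` superuser included, without a password. One
      # compromised service on this host can therefore read or modify every
      # database listed above, vaultwarden and matrix-synapse among them.
      # Consider `peer` on the unix socket and `scram-sha-256` on loopback
      # once each application has its own credentials.
      # NOTE(review): config.my.localhost is presumably 127.0.0.1 - confirm.
      # NOTE(review): 10.88.0.0/16 looks like the container bridge network;
      # scram-sha-256 needs role passwords, which ensureUsers does not set -
      # confirm they are provisioned elsewhere.
      authentication = pkgs.lib.mkOverride 10 ''
        local all all                              trust
        host  all all ${config.my.localhost}/32 trust
        host  all all ::1/128                      trust
        host  all all 10.88.0.0/16                 scram-sha-256
      '';
    };
  };
}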