{
  pkgs,
  lib,
  config,
  ...
}:
let
  db = "enfants";
  owner = "enfants";
  passwordFile = enfants/passwordFile.clear;
  inherit (config.users) users groups;
  inherit (config) networking;
  # To be used in postStart when resetting the database
  drop = ''
    $PSQL -d template1 -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
      DROP OWNED BY ${owner};
      DROP DATABASE ${db};
      DROP ROLE     ${owner};
    EOF
  '';
in
{
  services.postgresql = {
    authentication = lib.mkForce ''
      # CONNECTION  DATABASE USER      AUTH  OPTIONS
      # FIXME: using scram-sha-256 instead of md5 requires postfix >= 11
      #hostssl       ${db}    ${owner}  all   md5
      local         all      postgres  peer  map=admin
      local         samerole all       peer  map=user
    '';
    identMap = ''
      # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
      user       root             ${owner}
      user       pgadmin          ${owner}
      user       julm             ${owner}
      user       ${owner}         ${db}
    '';
  };
  systemd.services.postgresql = {
    postStart = lib.mkAfter ''
      connection_limit=64 \
      encoding=UTF8 \
      lc_collate=fr_FR.UTF-8 \
      lc_type=fr_FR.UTF-8 \
      owner=${owner} \
      pass=$(cat ${passwordFile}) \
      pg_createdb ${db} >/dev/null

      $PSQL -d "${db}" -AqtX --set ON_ERROR_STOP=1 -f - <<EOF
        -- Reallow this to avoid the error:
        -- "Couldn't refresh the graph"
        -- when testing the connexion to the database
        -- in OpenConcerto-Configuration.sh
        GRANT SELECT ON pg_catalog.pg_settings TO ${owner};
        -- Reallow this to allow pg_dump
        GRANT SELECT ON pg_catalog.pg_database   TO ${owner};
        GRANT SELECT ON pg_catalog.pg_roles      TO ${owner};
        GRANT SELECT ON pg_catalog.pg_tablespace TO ${owner};
        -- Reallow this to allow pgadmin3
        GRANT SELECT ON pg_catalog.pg_user       TO ${owner};

        -- Enable PL/PGSQL
        CREATE OR REPLACE LANGUAGE plpgsql;
      EOF
    '';
  };
}