{self, ...}: let
  wireguardData = import "${self}/data/wireguard/chaosInternalWireGuard.nix";
  wireguardHosts = wireguardData.hosts;
in {
  services.postgresql = {
    enable = true;
    port = 5434;
    enableTCPIP = true;
    ensureUsers = [
      {
        name = "piped";
        ensurePermissions."DATABASE piped" = "ALL PRIVILEGES";
      }
    ];
    ensureDatabases = ["piped"];
    authentication = ''
      host piped piped ${wireguardHosts."raspberry".ip}/32 trust
      host piped piped ${wireguardHosts."hetzner-arm".ip}/32 trust
    '';
  };
}