{ pkgs, lib, ... }:
let
  pkgs' = pkgs;
in
{
  peerWithoutUser = pkgs.testers.runNixOSTest {
    name = "postgresql-peerWithoutUser";

    nodes.machine = { config, pkgs, ... }: {
      imports = [
        (pkgs'.path + "/nixos/modules/profiles/headless.nix")
        (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
        ../../modules/blocks/postgresql.nix
      ];

      shb.postgresql.ensures = [
        {
          username = "me";
          database = "me";
        }
      ];
    };

    testScript = { nodes, ... }: ''
    start_all()
    machine.wait_for_unit("postgresql.service")
    machine.wait_for_open_port(5432)

    def peer_cmd(user, database):
        return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)

    with subtest("cannot login because of missing user"):
        machine.fail(peer_cmd("me", "me"), timeout=10)

    with subtest("cannot login with unknown user"):
        machine.fail(peer_cmd("notme", "me"), timeout=10)

    with subtest("cannot login to unknown database"):
        machine.fail(peer_cmd("me", "notmine"), timeout=10)
    '';
  };

  peerAuth = pkgs.testers.runNixOSTest {
    name = "postgresql-peerAuth";

    nodes.machine = { config, pkgs, ... }: {
      imports = [
        (pkgs'.path + "/nixos/modules/profiles/headless.nix")
        (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
        ../../modules/blocks/postgresql.nix
      ];

      users.users.me = {
        isSystemUser = true;
        group = "me";
        extraGroups = [ "sudoers" ];
      };
      users.groups.me = {};

      shb.postgresql.ensures = [
        {
          username = "me";
          database = "me";
        }
      ];
    };

    testScript = { nodes, ... }: ''
    start_all()
    machine.wait_for_unit("postgresql.service")
    machine.wait_for_open_port(5432)

    def peer_cmd(user, database):
        return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)

    def tcpip_cmd(user, database, port):
        return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)

    with subtest("can login with provisioned user and database"):
        machine.succeed(peer_cmd("me", "me"), timeout=10)

    with subtest("cannot login with unknown user"):
        machine.fail(peer_cmd("notme", "me"), timeout=10)

    with subtest("cannot login to unknown database"):
        machine.fail(peer_cmd("me", "notmine"), timeout=10)

    with subtest("cannot login with tcpip"):
        machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
    '';
  };

  tcpIPWithoutPasswordAuth = pkgs.testers.runNixOSTest {
    name = "postgresql-tcpIpWithoutPasswordAuth";

    nodes.machine = { config, pkgs, ... }: {
      imports = [
        (pkgs'.path + "/nixos/modules/profiles/headless.nix")
        (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
        ../../modules/blocks/postgresql.nix
      ];

      shb.postgresql.enableTCPIP = true;
      shb.postgresql.ensures = [
        {
          username = "me";
          database = "me";
        }
      ];
    };

    testScript = { nodes, ... }: ''
    start_all()
    machine.wait_for_unit("postgresql.service")
    machine.wait_for_open_port(5432)

    def peer_cmd(user, database):
        return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)

    def tcpip_cmd(user, database, port):
        return "psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port)

    with subtest("cannot login without existing user"):
        machine.fail(peer_cmd("me", "me"), timeout=10)

    with subtest("cannot login with user without password"):
        machine.fail(tcpip_cmd("me", "me", "5432"), timeout=10)
    '';
  };

  tcpIPPasswordAuth = pkgs.testers.runNixOSTest {
    name = "postgresql-tcpIPPasswordAuth";

    nodes.machine = { config, pkgs, ... }: {
      imports = [
        (pkgs'.path + "/nixos/modules/profiles/headless.nix")
        (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
        ../../modules/blocks/postgresql.nix
      ];

      users.users.me = {
        isSystemUser = true;
        group = "me";
        extraGroups = [ "sudoers" ];
      };
      users.groups.me = {};

      system.activationScripts.secret = ''
      echo secretpw > /run/dbsecret
      '';
      shb.postgresql.enableTCPIP = true;
      shb.postgresql.ensures = [
        {
          username = "me";
          database = "me";
          passwordFile = "/run/dbsecret";
        }
      ];
    };

    testScript = { nodes, ... }: ''
    start_all()
    machine.wait_for_unit("postgresql.service")
    machine.wait_for_open_port(5432)

    def peer_cmd(user, database):
        return "sudo -u me psql -U {user} {db} --command \"\"".format(user=user, db=database)

    def tcpip_cmd(user, database, port, password):
        return "PGPASSWORD={password} psql -h 127.0.0.1 -p {port} -U {user} {db} --command \"\"".format(user=user, db=database, port=port, password=password)

    with subtest("can peer login with provisioned user and database"):
        machine.succeed(peer_cmd("me", "me"), timeout=10)

    with subtest("can tcpip login with provisioned user and database"):
        machine.succeed(tcpip_cmd("me", "me", "5432", "secretpw"), timeout=10)

    with subtest("cannot tcpip login with wrong password"):
        machine.fail(tcpip_cmd("me", "me", "5432", "oops"), timeout=10)
    '';
  };
}