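-- moments role and database bootstrap.
-- Run as a postgres superuser against the cluster's `postgres` database.
-- Idempotent — safe to re-run on every deploy.
--
-- Two run modes — pick whichever fits your operator path:
--
-- (a) mTLS as the network superuser `grenade` (already mapped via pg_ident
--     on magrathea + frankie). The host cert is picked up from the standard
--     /etc/pki/tls paths via the PG* env vars:
--
--       PGSSLMODE=verify-full \
--       PGSSLCERT=/etc/pki/tls/misc/$(hostname -f).pem \
--       PGSSLKEY=/etc/pki/tls/private/$(hostname -f).pem \
--       PGSSLROOTCERT=/etc/pki/ca-trust/source/anchors/root-internal.pem \
--       psql -h magrathea.kosherinata.internal -U grenade -d postgres \
--            -f asset/sql/bootstrap.sql
--
-- (b) ssh to the db host and run as the local `postgres` peer:
--
--       ssh magrathea.kosherinata.internal \
--         sudo --user postgres psql -d postgres -f - \
--         < asset/sql/bootstrap.sql
--
-- After this completes, run asset/sql/bootstrap-moments.sql against the
-- newly created `moments` database to apply the in-database grants.
--
-- This file relies on the psql meta-command \gexec, so it has to be fed
-- through psql (as in both modes above), not a plain SQL client/driver.

-- Application roles. No password is set here: how these two roles
-- authenticate is decided by pg_hba/pg_ident (cert or peer mapping), not by
-- this script — confirm the mapping exists before relying on them.
DO $$
BEGIN
    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'moments_rw') THEN
        CREATE ROLE moments_rw LOGIN;
    END IF;
    IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'moments_ro') THEN
        CREATE ROLE moments_ro LOGIN;
    END IF;
END
$$;

-- CREATE DATABASE cannot run inside a transaction block, so it cannot live in
-- the DO block above. Emit the statement only when the database is missing and
-- let \gexec execute it; on a re-run the SELECT yields no rows and nothing runs.
SELECT 'CREATE DATABASE moments OWNER moments_rw'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'moments')
\gexec

-- Postgres grants CONNECT on every new database to PUBLIC by default, which
-- would make the explicit GRANT below a no-op: any login role in the cluster
-- could connect to `moments`. Revoke the default so only the named roles (and
-- superusers, who bypass ACLs) can reach it. Any further role that needs the
-- database must be granted CONNECT explicitly. Both statements are idempotent.
REVOKE CONNECT ON DATABASE moments FROM PUBLIC;
GRANT CONNECT ON DATABASE moments TO moments_ro, moments_rw;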