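# Runs once, on first Postgres init (empty data dir), via the official image's
# /docker-entrypoint-initdb.d hook. Creates the per-service databases + roles
# Authentik and OCIS need. Passwords come from the postgres-secret env (see
# secrets.example.yaml) — never hard-code them here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-init
  namespace: dezky-data
data:
  10-extra-databases.sh: |
    #!/bin/bash
    set -euo pipefail

    # Fail fast on an unset *or empty* password ("set -u" only catches unset):
    # an empty string would leave the role without a usable password.
    : "${AUTHENTIK_DB_PASSWORD:?AUTHENTIK_DB_PASSWORD must be set}"
    : "${OCIS_DB_PASSWORD:?OCIS_DB_PASSWORD must be set}"

    # The passwords are passed to psql as variables and expanded with :'name',
    # which emits a properly escaped SQL string literal. The heredoc delimiter
    # is quoted so the shell interpolates nothing into the SQL text; a secret
    # containing a quote, backslash or "$" can neither break the statement nor
    # inject SQL.
    # NOTE(review): -v places the values on psql's argv for the duration of
    # this one-shot init, and a failing CREATE ROLE may be written to the
    # server log with its statement text, depending on logging settings.
    psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" \
      -v authentik_pw="$AUTHENTIK_DB_PASSWORD" \
      -v ocis_pw="$OCIS_DB_PASSWORD" <<'EOSQL'
    CREATE ROLE authentik LOGIN PASSWORD :'authentik_pw';
    CREATE DATABASE authentik OWNER authentik;
    CREATE ROLE ocis LOGIN PASSWORD :'ocis_pw';
    CREATE DATABASE ocis OWNER ocis;
    EOSQL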