Preconfigure pgadmin database and user

The initialScript doesn't work, really, because it only runs on database
creation, but it does document what I need.

modules/system/pgadmin.nix

@@ -2,6 +2,7 @@
 with lib;
 
 let
+	dbUsername = "pgadmin";
 	cfg = config.myModules.pgadmin;
 	group = "root";
 	port = 10100;
@@ -28,8 +29,43 @@ in {
 		services.pgadmin = {
 			enable = true;
 			initialEmail = "eli@gleipnir.technology";
-			initialPasswordFile = "/var/run/secrets/pgadmin.yaml";
+			initialPasswordFile = config.sops.secrets."pgadmin-initial-password-file".path;
 			port = port;
+			settings = {
+				# Pre-configure the database server
+				Servers = {
+					"1" = {
+						Name = "Local nidus-sync";
+						Group = "Servers";
+						Host = "/run/postgresql"; # unix socket directory
+						Port = 5432;
+						MaintenanceDB = "postgres";
+						Username = dbUsername;
+						SSLMode = "prefer";
+					};
+				};
+			};
+		};
+		services.postgresql = {
+			ensureUsers = [{
+				# Read only user for pgadmin
+				ensureClauses.login = true;
+				name = dbUsername;
+			}];
+			initialScript = pkgs.writeText "postgresql-init.sql" ''
+				-- Grant connection to database
+				GRANT CONNECT ON DATABASE "nidus-sync" TO ${dbUsername};
+
+				-- Connect to the database and grant schema usage
+				\c nidus-sync
+				GRANT USAGE ON SCHEMA public TO ${dbUsername};
+
+				-- Grant SELECT on all existing tables
+				GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${dbUsername};
+
+				-- GRANT SELECT on all future tables
+				ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${dbUsername};
+			'';
 		};
 		sops.secrets."pgadmin-initial-password-file" = {
 			format = "yaml";