{ pkgs, config, ... }:
{

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        max_allowed_packet = "64M";
        transaction_isolation = "READ-COMMITTED";
        binlog_format = "ROW";
        # Allow remote connections
        bind-address = "0.0.0.0";
      };
    };
  };

  # Create read-only user for remote access after MySQL starts
  systemd.services.mysql-setup-readonly-user = {
    description = "Setup MySQL read-only user";
    after = [ "mysql.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      User = "root";
    };
    script = ''
      PASSWORD=$(cat ${config.sops.secrets.mysql-readonly-password.path})
      ${pkgs.mariadb}/bin/mysql -u root <<EOF
CREATE USER IF NOT EXISTS 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD';
GRANT SELECT ON api_ebs_amz_at.* TO 'api_ebs_amz_at_ro'@'%';
FLUSH PRIVILEGES;
EOF
    '';
  };

  services.mysqlBackup.enable = true;

  sops.secrets.mysql-readonly-password = {
    owner = "mysql";
  };
}