{ pkgs, config, ... }:
{

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    settings = {
      mysqld = {
        max_allowed_packet = "64M";
        transaction_isolation = "READ-COMMITTED";
        binlog_format = "ROW";
        # Allow remote connections
        bind-address = "0.0.0.0";
      };
    };

    # Create read-only user for remote access on initial MySQL setup
    initialScript = pkgs.writeShellScript "mysql-init.sql" ''
      PASSWORD=$(cat ${config.sops.secrets.mysql-readonly-password.path})
      ${pkgs.mariadb}/bin/mysql -u root <<EOF
        CREATE USER IF NOT EXISTS 'api_ebs_amz_at_ro'@'%' IDENTIFIED BY '$PASSWORD';
        GRANT SELECT ON api_ebs_amz_at.* TO 'api_ebs_amz_at_ro'@'%';
        FLUSH PRIVILEGES;
      EOF
    '';
  };

  services.mysqlBackup.enable = true;
}