-- One-time DBA setup for the brain vector store on postgres18.
--
-- Creates the `brain` database, the `brain_app` role, and the pgvector
-- extension. The ingestion service connects as brain_app and creates
-- the table + HNSW index idempotently at startup (see
-- internal/vectorstore.PGStore.Init).
--
-- Run from koala as the postgres superuser:
--
--   kubectl exec -n databases postgres18-0 -- \
--     psql -U postgres -f /tmp/brain-embeddings-init.sql
--
-- Or apply with:
--
--   PASSWORD='<sops-generated>' \
--   kubectl exec -i -n databases postgres18-0 -- \
--     psql -U postgres -v password="'$PASSWORD'" \
--     < scripts/brain-embeddings-init.sql
--
-- Idempotent: rerunning is safe.

\set ON_ERROR_STOP on

-- CREATE DATABASE cannot run inside a DO block (transactional limitation).
-- Use \gexec to emit the statement conditionally instead.
SELECT 'CREATE DATABASE brain'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'brain')
\gexec

-- DO blocks can't see psql `:'password'` substitutions (those resolve
-- client-side). Use \if to branch at psql level instead.
SELECT EXISTS (SELECT FROM pg_roles WHERE rolname = 'brain_app') AS role_exists \gset
\if :role_exists
    ALTER ROLE brain_app WITH PASSWORD :'password';
\else
    CREATE ROLE brain_app LOGIN PASSWORD :'password';
\endif

GRANT ALL PRIVILEGES ON DATABASE brain TO brain_app;

\c brain

CREATE EXTENSION IF NOT EXISTS vector;
GRANT ALL ON SCHEMA public TO brain_app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO brain_app;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO brain_app;