#! /usr/bin/env bash

psql <<-EOF
CREATE ROLE readaccess;

REVOKE ALL ON DATABASE ${POSTGRES_DB} FROM readaccess;
GRANT CONNECT ON DATABASE ${POSTGRES_DB} TO readaccess;

\c ${POSTGRES_DB}

REVOKE ALL ON SCHEMA public FROM readaccess;
REVOKE CREATE ON SCHEMA public FROM readaccess;
GRANT USAGE ON SCHEMA public TO readaccess;

REVOKE ALL ON ALL TABLES IN SCHEMA public FROM readaccess;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;

REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM readaccess;
GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO readaccess;

REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM readaccess;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM readaccess;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO readaccess;
EOF