If PostgreSQL is running on the same system, then the "hydra" user can can connect without a password (via Unix domain socket authentication), so no need to set up a password. If PostgreSQL is on another machine, then creating a user/database won't work anyway.
V4R3SIRMYTN4CVYWPFPFT34N3PCGVTGNWUSX4VE4B4FT5EEVWJFAC
pass=$(HOME=/root ${pkgs.openssl}/bin/openssl rand -base64 32)
if [ ! -f ${baseDir}/.pgpass ]; then
${config.services.postgresql.package}/bin/psql postgres << EOF
CREATE USER hydra PASSWORD '$pass';
EOF
${optionalString (cfg.dbi == "dbi:Pg:dbname=hydra;user=hydra;") ''
if ! [ -e ${baseDir}/.db-created ]; then
${config.services.postgresql.package}/bin/createuser hydra