diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 05b13492052a8..9d857cf5ffe00 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -107,6 +107,13 @@ in
         description = "A file containing SQL statements to be executed on the first startup. Can be used for granting certain permissions on the database";
       };
 
+      databases = mkOption {
+        default = [];
+        description = "List of databases that should exist on each startup and users that should have access to it.";
+        example = [ { name = "foodatabase"; users = [ { username = "foouser"; password = "secret"; } ]; } ];
+      };
+
+
       # FIXME: remove this option; it's a really bad idea.
       rootPassword = mkOption {
         default = null;
@@ -160,6 +167,19 @@ in
 
     environment.systemPackages = [mysql];
 
+    system.activationScripts.mysql = ''
+      ${concatMapStrings (database: ''
+        if [ -z "$(${mysql}/bin/mysqlshow | ${pkgs.gnugrep}/bin/grep -E '^\| +${database.name} +\|')" ]
+        then
+          ${mysql}/bin/mysqladmin create "${database.name}"
+        fi
+        ${concatMapStrings (user: ''
+          ## `` are *NONSTANDARD* but work on MYSQL. For other SQL servers, "" should work better
+          echo "GRANT ALL ON \`${database.name}\`.* TO '${user.username}'@localhost IDENTIFIED BY '${user.password}'" | ${mysql}/bin/mysql "${database.name}" ;
+        '') database.users}
+      '') cfg.databases}
+    '';
+
     systemd.services.mysql =
       { description = "MySQL Server";