diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index 0c9deae..4540e7d 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -40,27 +40,49 @@ in { host grafana grafana 192.168.1.27/32 md5 "; initialScript = pkgs.writeText "init-sql-script" '' - nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path}) - CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB; + CREATE ROLE nextcloud WITH LOGIN CREATEDB; CREATE DATABASE nextcloud; GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud; - giteaSecret=$(echo ${config.age.secrets.giteaDBPass.path}) - CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB; + CREATE ROLE gitea WITH LOGIN CREATEDB; CREATE DATABASE gitea; GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea; - authentikSecret=$(echo ${config.age.secrets.authentikDBPass.path}) - CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB; + CREATE ROLE authentik WITH LOGIN CREATEDB; CREATE DATABASE authentik; GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik; - grafanaSecret=$(echo ${config.age.secrets.grafanaDBPass.path}) - CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB; + CREATE ROLE grafana WITH LOGIN CREATEDB; CREATE DATABASE grafana; GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana; ''; }; + # Stolen from https://discourse.nixos.org/t/assign-password-to-postgres-user-declaratively/9726/3 + # This is an awful situation + systemd.services.postgresql.postStart = let + nextcloudDBPass = config.age.secrets.nextcloudDBPass.path; + giteaDBPass = config.age.secrets.giteaDBPass.path; + authentikDBPass = config.age.secrets.authentikDBPass.path; + grafanaDBPass = config.age.secrets.grafanaDBPass.path; + in '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${nextcloudDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${giteaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE gitea WITH PASSWORD '''%s''';', password); + + password := trim(both from 
replace(pg_read_file('${authentikDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE authentik WITH PASSWORD '''%s''';', password); + + password := trim(both from replace(pg_read_file('${grafanaDBPass}'), E'\n', ''')); + EXECUTE format('ALTER ROLE grafana WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; networking.firewall.allowedTCPPorts = [5432]; }; }
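Review bot: The four `EXECUTE format('ALTER ROLE … WITH PASSWORD '''%s''';', password)` calls in the new postStart block wrap `%s` in hand-written quotes, so a secret containing a single quote yields a malformed statement and the whole DO block aborts. PostgreSQL's format() has `%L` for exactly this case; `EXECUTE format('ALTER ROLE nextcloud WITH PASSWORD %L;', password);` (and the same for gitea, authentik and grafana) quotes the value correctly and also removes the `'''` escaping dance inside the Nix indented string. Because pg_read_file runs inside the server process, the age secret files must be readable by the postgres OS user — their owner and mode are not visible here, but if they are not, the ALTER ROLEs fail and the roles created by initialScript are left with LOGIN and no password, so every dependent service fails to authenticate until postStart succeeds. A comment above the DO block stating that requirement would help the next maintainer, e.g. `# secrets are read by the server process via pg_read_file: they must be readable by the postgres user`.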