diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index 9dfee7a..0c9deae 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -11,10 +11,22 @@ in {
 };
 config = lib.mkIf cfg.enable {
 age.secrets = {
- nextcloudDBPass.file = ./secrets/nextcloudDBPass.age;
- giteaDBPass.file = ./secrets/giteaDBPass.age;
- authentikDBPass.file = ./secrets/authentikDBPass.age;
- grafanaDBPass.file = ./secrets/grafanaDBPass.age;
+ nextcloudDBPass = {
+ file = ./secrets/nextcloudDBPass.age;
+ owner = "postgres";
+ };
+ giteaDBPass = {
+ file = ./secrets/giteaDBPass.age;
+ owner = "postgres";
+ };
+ authentikDBPass = {
+ file = ./secrets/authentikDBPass.age;
+ owner = "postgres";
+ };
+ grafanaDBPass = {
+ file = ./secrets/grafanaDBPass.age;
+ owner = "postgres";
+ };
 };
 services.postgresql = {
 enable = true;
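Review bot: Setting `owner = "postgres"` on the four secrets only helps if something running as postgres actually reads the decrypted files, and the consumer in the second hunk does not appear to: `initialScript` is an SQL file handed to psql, so `nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path})` is neither expanded as shell nor valid SQL, and even in a shell `echo` would yield the path rather than the secret, so `PASSWORD $nextcloudSecret` never receives the intended value (the gitea, authentik and grafana lines have the same problem). psql can read the file at run time through `\set` with a backtick-quoted shell command, e.g. `\set nextcloudSecret` followed by the backtick-quoted `cat ${config.age.secrets.nextcloudDBPass.path}`, and then `CREATE ROLE nextcloud WITH LOGIN PASSWORD :'nextcloudSecret' CREATEDB;`, which keeps the password out of the Nix store and out of the SQL text. The four identical attribute sets in this hunk could be generated so a future service cannot silently end up with a different owner: `age.secrets = lib.genAttrs [ "nextcloudDBPass" "giteaDBPass" "authentikDBPass" "grafanaDBPass" ] (name: { file = ./secrets/${name}.age; owner = "postgres"; });`. The second hunk's `initialScript` string continues past the end of this diff.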
@@ -28,22 +40,22 @@ in {
 host grafana grafana 192.168.1.27/32 md5
 ";
 initialScript = pkgs.writeText "init-sql-script" ''
- nextcloudSecret = $(echo ${config.age.secrets.nextcloudDBPass.path})
+ nextcloudSecret=$(echo ${config.age.secrets.nextcloudDBPass.path})
 CREATE ROLE nextcloud WITH LOGIN PASSWORD $nextcloudSecret CREATEDB;
 CREATE DATABASE nextcloud;
 GRANT ALL PRIVILEGES ON DATABASE nextcloud TO nextcloud;
- giteaSecret = $(echo ${config.age.secrets.giteaDBPass.path})
+ giteaSecret=$(echo ${config.age.secrets.giteaDBPass.path})
 CREATE ROLE gitea WITH LOGIN PASSWORD $giteaSecret CREATEDB;
 CREATE DATABASE gitea;
 GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
- authentikSecret = $(echo ${config.age.secrets.authentikDBPass.path})
+ authentikSecret=$(echo ${config.age.secrets.authentikDBPass.path})
 CREATE ROLE authentik WITH LOGIN PASSWORD $authentikSecret CREATEDB;
 CREATE DATABASE authentik;
 GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
- grafanaSecret = $(echo ${config.age.secrets.grafanaDBPass.path})
+ grafanaSecret=$(echo ${config.age.secrets.grafanaDBPass.path})
 CREATE ROLE grafana WITH LOGIN PASSWORD $grafanaSecret CREATEDB;
 CREATE DATABASE grafana;
 GRANT ALL PRIVILEGES ON DATABASE grafana TO grafana;