diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index 235e2b0..b263087 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -9,9 +9,16 @@ in
 config = lib.mkIf cfg.enable {
 services.postgresql = {
 enable = true;
+ package = postgresql_17;
 enableTCPIP = true;
 settings.port = 5432;
- ensureDatabases = [ "gitea" "nextcloud" ];
+ ensureDatabases = [
+ "gitea"
+ "nextcloud"
+ "netbox"
+ "authentik"
+ "grafana"
+ ];
 ensureUsers = [
 {
 name = "gitea";
@@ -22,16 +29,19 @@ in
 ensureDBOwnership = true;
 }
 ];
- authentication = pkgs.lib.mkOverride 10 ''
- #type database user origin-address auth-method
- # IPv4 local connections:
- local all all trust
- host gitea gitea 192.168.122.3/24 trust
- host nextcloud nextcloud 192.168.122.7/24 trust
- '';
+ authentication = "
+ host nextcloud nextcloud 192.168.1.44/32 md5
+ host gitea gitea 192.168.1.14/32 md5
+ host netbox netbox 192.168.1.45/32 md5
+ host authentik authentik 192.168.1.125/32 md5
+ host grafana grafana 192.168.1.27/32 md5
+ ";
+ # Not great, not in prod, cleartext pass
+ # waiting for ensureUsers.*.passwordFile option
+ # https://github.com/NixOS/nixpkgs/pull/326306
 initialScript = pkgs.writeText "init-sql-script" ''
- alter user gitea with password 'gitea';
- alter user nextcloud with password 'nextcloud';
+ alter user gitea with password 'password';
+ alter user nextcloud with password 'password';
 '';
 };
 networking.firewall.allowedTCPPorts = [ 5432 ];
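Review bot: `package = postgresql_17;` uses a bare identifier, while the rest of the visible file qualifies package-set names (`pkgs.writeText`, `pkgs.lib.mkOverride`). Unless a `with pkgs;` is in scope outside this hunk, evaluation fails, so `package = pkgs.postgresql_17;` is the safer spelling. Pinning a major version also changes the default data directory on NixOS, so if an older cluster already exists its data has to be migrated by hand; a comment such as `# major version pin: migrate the existing cluster before switching` would record that. The `ensureUsers` list continues outside the hunk, so whether `netbox`, `authentik` and `grafana` get owning roles cannot be confirmed from here.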
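Review bot: The new `authentication` rules all use `md5`, the weaker challenge-response method; with PostgreSQL 17 pinned in the same commit, each rule can require SCRAM directly, e.g. `host nextcloud nextcloud 192.168.1.44/32 scram-sha-256`. Both roles in `initialScript` now share the literal `'password'`, and `pkgs.writeText` places it in the world-readable Nix store, so with 5432 opened by `allowedTCPPorts` the /32 source filter is the only real barrier. The script sets no password for `netbox`, `authentik` or `grafana`, so their three rules presumably cannot authenticate until a password is set some other way. The comment above `initialScript` could add `# runs only on first cluster initialisation; set and rotate real passwords out of band`.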