diff --git a/2-nomad-config/authelia.nomad.hcl b/2-nomad-config/authelia.nomad.hcl index a66a241..aa3df21 100644 --- a/2-nomad-config/authelia.nomad.hcl +++ b/2-nomad-config/authelia.nomad.hcl @@ -1,11 +1,25 @@ job "authelia" { group "authelia" { network { + mode = "bridge" port "http" { static = 9091 } } + service { + connect { + sidecar_service { + proxy { + upstreams { + destination_name = "postgres" + local_bind_port = 5432 + } + } + } + } + } + service { name = "auth" port = "http" @@ -59,9 +73,6 @@ access_control: rules: - domain: "*.othrayte.one" policy: one_factor - # Disable auth for authelia - #- domain: "auth.othrayte.one" - # policy: bypass session: name: authelia_session @@ -72,9 +83,14 @@ session: authelia_url: "https://auth.othrayte.one" storage: - local: - path: /config/db.sqlite3 encryption_key: "{{ with nomadVar "nomad/jobs/authelia" }}{{ .encryption_key }}{{ end }}" + postgres: + address: 'tcp://127.0.0.1:5432' + database: 'authelia' + schema: 'public' + username: 'authelia' + password: '{{ with nomadVar "nomad/jobs/authelia" }}{{ .database_pw }}{{ end }}' + timeout: '5s' notifier: filesystem: diff --git a/2-nomad-config/authelia.tf b/2-nomad-config/authelia.tf index e13f9f9..309335b 100644 --- a/2-nomad-config/authelia.tf +++ b/2-nomad-config/authelia.tf @@ -2,11 +2,23 @@ resource "nomad_job" "authelia" { jobspec = file("authelia.nomad.hcl") } +resource "postgresql_role" "authelia" { + name = "authelia" + password = data.sops_file.secrets.data["authelia.database_pw"] + login = true +} + +resource "postgresql_database" "authelia" { + name = "authelia" + owner = postgresql_role.authelia.name +} + resource "nomad_variable" "authelia" { path = "nomad/jobs/authelia" items = { session_secret = data.sops_file.secrets.data["authelia.session_secret"] jwt_secret = data.sops_file.secrets.data["authelia.jwt_secret"] encryption_key = data.sops_file.secrets.data["authelia.encryption_key"] + database_pw = data.sops_file.secrets.data["authelia.database_pw"] } } 
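Review bot: The new Connect upstream to `postgres` only works if a Consul intention permits this service to reach it, and the Connect-registered `service` block has no `name`, so it registers under Nomad's default name (job plus group, presumably `authelia-authelia` here), which is what that intention must target. If Consul's default intention policy is deny, the intention needs to land with this change; either way an explicit `name = "authelia-connect"` keeps the intention target stable if the group is ever renamed. Note that `static = 9091` is kept in bridge mode, so the HTTP listener is still published on the host rather than only via the mesh, which is fine if the reverse proxy is not in the mesh but deserves a one-line comment such as `# host port kept: reverse proxy reaches auth outside the mesh`.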
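Review bot: Swapping the `local` sqlite backend for postgres carries nothing over from `/config/db.sqlite3`, so any already-enrolled TOTP/WebAuthn devices and user preferences start from empty, and the secrets file diff suggests `encryption_key` was rotated at the same time, which would make the old store unreadable regardless. If this is a deliberate clean start, say so above `storage:` (e.g. `# fresh postgres store — sqlite data intentionally not migrated`); otherwise export second-factor data from the old store before cutover. Separately, `password` is a single-quoted YAML scalar, so a generated secret containing `'` would break the rendered config unless doubled; constrain the sops value accordingly. The `storage:` block continues outside the hunk.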
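Review bot: `postgresql_role.authelia` and the `database_pw` item added to `nomad_variable.authelia` both put the decrypted password into Terraform state in plaintext, so the state backend now holds the same secret that sops protects in git; confirm the backend is encrypted at rest and access-restricted, and record that above the role, e.g. `# NOTE: password is stored in Terraform state — state backend must be protected`. Making the role the `owner` of the database also grants it full DDL on that database, which Authelia needs for its own migrations but is worth a short comment so nobody later tightens it by accident.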
diff --git a/2-nomad-config/gitea.nomad.hcl b/2-nomad-config/gitea.nomad.hcl index 1bfecd8..c76311f 100644 --- a/2-nomad-config/gitea.nomad.hcl +++ b/2-nomad-config/gitea.nomad.hcl @@ -74,7 +74,7 @@ DB_TYPE = postgres HOST = localhost:5432 NAME = gitea USER = gitea -PASSWD = gitea +PASSWD = {{ with nomadVar "nomad/jobs/gitea" }}{{ .database_pw }}{{ end }} [repository] ROOT = /data/git/repositories diff --git a/2-nomad-config/gitea.tf b/2-nomad-config/gitea.tf index 49e2496..b6e4425 100644 --- a/2-nomad-config/gitea.tf +++ b/2-nomad-config/gitea.tf @@ -18,12 +18,13 @@ resource "nomad_variable" "gitea" { items = { internal_token = data.sops_file.secrets.data["gitea.internal_token"] jwt_secret = data.sops_file.secrets.data["gitea.jwt_secret"] + database_pw = data.sops_file.secrets.data["gitea.database_pw"] } } resource "postgresql_role" "gitea" { name = "gitea" - password = "gitea" + password = data.sops_file.secrets.data["gitea.database_pw"] login = true } diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json index 11cacf2..0c8824b 100644 --- a/2-nomad-config/secrets.enc.json +++ b/2-nomad-config/secrets.enc.json 
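Review bot: With the template's `error_on_missing_key` left at its default, a `database_pw` item missing from `nomad/jobs/gitea` renders as `<no value>` rather than failing, so Gitea would start with a garbage `PASSWD` and surface a DB auth error that looks like a postgres problem; setting `error_on_missing_key = true` in the enclosing `template` stanza (which is outside this hunk) fails the task at render time instead. The rendered app.ini now holds a real secret where it previously held the placeholder `gitea`, so check the template's `perms` keep the file from being world-readable inside the alloc dir.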
@@ -10,16 +10,18 @@ "auth_key": "ENC[AES256_GCM,data:gzh4nqEOQLijp5DTGHHSn0aO1mFQUB3sVSdAVDLG+a2H6XJ0BtJJGU55oLJURy7E/um7gzwDofP5mwZGTA==,iv:yl8lHqnNLB2AXlBfMyw/0CAR7+KmyKKDFc7kxbo9S6c=,tag:CunYd62x3omji6ozqmhgOg==,type:str]" }, "authelia": { - "session_secret": "ENC[AES256_GCM,data:gPVSGzU00EjuW/NDD9bpsc+4DQ==,iv:IRzSKqfv2Quaj1bzrFaK0glCKEPrle+uI8fq/1HFi60=,tag:loiTEpEBGBwQETRWpOffNg==,type:str]", - "jwt_secret": "ENC[AES256_GCM,data:7Q/0M5IY0vLsgCE0z78L,iv:f6GymDrq2/NlKJuMNnDDmG2GUAzhonNa8LXlr0x1elw=,tag:1ITT9WmD3UOP30AjYEkLJQ==,type:str]", - "encryption_key": "ENC[AES256_GCM,data:wT7aYD2DIu4VQa3GTmlkBFBvtoPvlgUF/fYJo9+wQhRcywY=,iv:29pIf46S9+OVWgSNyuwOaOXD2bWTmdcLzMLQ06VywZQ=,tag:n9JkIbHCB2xFfJ7MHcUKvg==,type:str]" + "session_secret": "ENC[AES256_GCM,data:eSpAwX/KPzed/Y0oi6QvBwB7Gv5Kiml4FJS5RyuJ7A0plAd8acNThNXi3H4=,iv:RmH0wB3smlSF+CYs4x1w2V9ixdxgdav4dAQntjO0S5g=,tag:Vo5eHiU+1/dep/IUryN/XQ==,type:str]", + "jwt_secret": "ENC[AES256_GCM,data:XGDV2+SbMPYxhzv8S/6SjfA0MZeelRNjgIR10+qcTFYs2IW+IZjkCExLpQ==,iv:hv1b2Dddm21vObwQBUb3LZFfYjAkIm2/ZE1Syt3//YI=,tag:TojRWFctm1H72oPfq62Y2g==,type:str]", + "encryption_key": "ENC[AES256_GCM,data:D5F7eScWxCQ8G7pU8khi8aj8/p8ZKSErROhrqKS569fYUQpsHt6+3QQfeH7/naMvJ45r/5oVGCGeeFcEqlY0lEnbFLJEZ/tSOcm4RcIigPcx4a+8H7s=,iv:sf+TdLzacFaDgYjYhw4RKExLu6XfpewKiklt/q7VVzw=,tag:Zu3kCJfCZ7ae7HneXF6jVA==,type:str]", + "database_pw": "ENC[AES256_GCM,data:w5TmJwjeFa8tgTXDBI7doNfbBnDBUoWyZ0Qetp4M5JpwyRv06kAj2sAKOCY=,iv:rJubsGeyxSXkOxyTjzTo1GJRgLNWbAIMy1sS74MiuHc=,tag:Sbi4gVZgRcJLriTxm2ebeQ==,type:str]" }, "postgres": { "postgres": "ENC[AES256_GCM,data:lKuLcVTuUbfrlVhRdCs=,iv:TsbtAbXYTysxuiCi08F0hJsgoolzzgE2EPdFdPMQ+NQ=,tag:9oNua06hHdeCzE7nB22c0g==,type:str]" }, "gitea": { "internal_token": "ENC[AES256_GCM,data:teIsV+6nUPWO9/amas3FmK6uv44YEZNpV780ncTwUkQDygDvQRr7A3KEbk/rYFcTjfxK6Kw8nmqi0rBrcBNX1bSVNg8jwfYHhY2TxFMgCo4tkQxLf3eSBUhlPGsfpsskACKIPnZ1RQ2m,iv:NAKPw0YVNtLlyEp7wld9ml4zQlVxo/takiOid6YQlfA=,tag:QIk+USh8MLZDzJkQsglJ+w==,type:str]", - "jwt_secret": 
"ENC[AES256_GCM,data:/dPDqJdn4Af3Wo005V7lU9b8RbN/wyF0Tx66827cdyaZfi4QPOSj23wNqw==,iv:yJW2PiAGGr97q0DoBr64X88eFNpuVPZX0SPyNDp5QjQ=,tag:p27XTUbMC0WDMTNJCscmGQ==,type:str]" + "jwt_secret": "ENC[AES256_GCM,data:/dPDqJdn4Af3Wo005V7lU9b8RbN/wyF0Tx66827cdyaZfi4QPOSj23wNqw==,iv:yJW2PiAGGr97q0DoBr64X88eFNpuVPZX0SPyNDp5QjQ=,tag:p27XTUbMC0WDMTNJCscmGQ==,type:str]", + "database_pw": "ENC[AES256_GCM,data:EzGPKdsX3Ib2zWrz09kUdegIxGNwg1j4msbOKUmvCGy6R9/EG1nvOC9Z5Oo=,iv:msek112FxmVAwFume6b7RnSICL/sw5CK3XzgCq9Sp1s=,tag:UcxUi2hySv54liN+Ddodpw==,type:str]" }, "sops": { "age": [ @@ -28,8 +30,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-22T14:03:49Z", - "mac": "ENC[AES256_GCM,data:gRzCl7GS4ywePISLFcR4bd+D8lg+2ZNDpF1QEKS/VZmRZW42NIQT+xiNg7cX7QYYnMyAjckYVGXFlK2/INzHGHWZhuP7pREt9zVCFAXaDZ6s1FVV1ee59u9VdZX7mzUESxvUWEPYvrkbDPtTC6U0x67rihBj/oIc7tGCWt7EoyY=,iv:UVZPZiByRFb1gFL+n1NkokEuDPXaYPbTBhKhraUWOD4=,tag:prVhsjnUswTW9aHz8Xu9IA==,type:str]", + "lastmodified": "2025-05-25T07:55:17Z", + "mac": "ENC[AES256_GCM,data:+R6CiOUxUKVJrCULbVPHzx1jI7z7RBwnWxbX2oBDh9gveNWz/e0ZLyRtoJJho7kRb8XugTPn5TOeKFdeecyJzjcL8fOkcwBQsUjywR0FhY/i1kWaPFmOskwl7iIQJUdtFz3etOAEjQlFTxuwxi3PtGcyZJn9kSMPff23tTKfRxY=,iv:2iVkNSaItt/bbWaR9/fIpv55FUyYMyFFD/SDNX467f0=,tag:76R72x9t4gw1G1nLheEniw==,type:str]", "encrypted_regex": "^(.*)$", "version": "3.10.2" }