diff --git a/configuration/default.nix b/configuration/default.nix
index 456d12d..ef68727 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,4 +1,5 @@
 {
+ pkgs,
 lib,
 modulesPath,
 flake-inputs,
@@ -53,6 +54,19 @@
 };
 logrotate.enable = true;
+
+ postgresql = {
+ package = pkgs.postgresql_14;
+ enable = true;
+
+ # Only enable connections via the unix socket, and check with the
+ # OS to make sure the user matches the database name.
+ #
+ # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
+ authentication = ''
+ local sameuser all peer
+ '';
+ };
 };
 security = {
diff --git a/configuration/services/default.nix b/configuration/services/default.nix
index 1f343f0..bee8f44 100644
--- a/configuration/services/default.nix
+++ b/configuration/services/default.nix
@@ -11,7 +11,6 @@
 ./ntfy-sh
 ./minecraft.nix
 ./nextcloud.nix
- ./postgres.nix
 ./webserver.nix
 ./wireguard.nix
 ];
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index 078f27c..3b757df 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
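Review bot: The comment above `authentication` promises socket-only, same-user access, but with the NixOS `services.postgresql` module that option is merged with the module's own pg_hba rules rather than replacing them; if I remember the module correctly its defaults (`local all all peer`, `host all all 127.0.0.1/32 md5`, `host all all ::1/128 md5`) are appended after these lines, so any local OS user can still reach any database via peer auth and password logins over loopback remain accepted. To make this the only rule, set it with a higher priority, `authentication = lib.mkOverride 10 ''`, which needs nothing new since `lib` is already in the argument list above. pg_hba also does not control listening at all: socket-only exposure comes from leaving `enableTCPIP` at its default, so the comment should say so, e.g. `# TCP listening stays off (enableTCPIP default); pg_hba below only limits who may use the socket.` The `services = { ... }` set this block lives in starts outside the hunk.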
@@ -8,80 +8,93 @@ in 443 ]; - services.grafana = { - enable = true; - settings = { - server = { - http_port = 3001; # Default overlaps with gitea - root_url = "https://metrics.tlater.net"; - }; - - security = { - admin_user = "tlater"; - admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}"; - secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}"; - cookie_secure = true; - cookie_samesite = "strict"; - content_security_policy = true; - }; - - database = { - user = "grafana"; - name = "grafana"; - type = "postgres"; - host = "/run/postgresql"; - }; - }; - - declarativePlugins = [ - pkgs.grafanaPlugins.victoriametrics-metrics-datasource - pkgs.grafanaPlugins.victoriametrics-logs-datasource - ]; - - provision = { + services = { + grafana = { enable = true; + settings = { + server = { + http_port = 3001; # Default overlaps with gitea + root_url = "https://metrics.tlater.net"; + }; - datasources.settings.datasources = [ - { - name = "Victoriametrics - tlater.net"; - url = "http://localhost:8428"; - type = "victoriametrics-metrics-datasource"; - access = "proxy"; - isDefault = true; - } + security = { + admin_user = "tlater"; + admin_password = "$__file{${config.sops.secrets."grafana/adminPassword".path}}"; + secret_key = "$__file{${config.sops.secrets."grafana/secretKey".path}}"; + cookie_secure = true; + cookie_samesite = "strict"; + content_security_policy = true; + }; - { - name = "Victorialogs - tlater.net"; - url = "http://${config.services.victorialogs.bindAddress}"; - type = "victoriametrics-logs-datasource"; - access = "proxy"; - } + database = { + user = "grafana"; + name = "grafana"; + type = "postgres"; + host = "/run/postgresql"; + }; + }; + + declarativePlugins = [ + pkgs.grafanaPlugins.victoriametrics-metrics-datasource + pkgs.grafanaPlugins.victoriametrics-logs-datasource ]; - alerting.contactPoints.settings.contactPoints = [ - { - name = "ntfy"; - receivers = [ - { - uid = "ntfy"; - type = "webhook"; - 
settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; - } - ]; - } - ]; + provision = { + enable = true; + + datasources.settings.datasources = [ + { + name = "Victoriametrics - tlater.net"; + url = "http://localhost:8428"; + type = "victoriametrics-metrics-datasource"; + access = "proxy"; + isDefault = true; + } + + { + name = "Victorialogs - tlater.net"; + url = "http://${config.services.victorialogs.bindAddress}"; + type = "victoriametrics-logs-datasource"; + access = "proxy"; + } + ]; + + alerting.contactPoints.settings.contactPoints = [ + { + name = "ntfy"; + receivers = [ + { + uid = "ntfy"; + type = "webhook"; + settings.url = "http://${config.services.ntfy-sh.settings.listen-http}/local-alerts?template=grafana"; + } + ]; + } + ]; + }; }; - }; - services.nginx.virtualHosts."${domain}" = { - forceSSL = true; - useACMEHost = "tlater.net"; - enableHSTS = true; - locations = { - "/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; - "/api/live" = { - proxyWebsockets = true; - proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + postgresql = { + ensureUsers = [ + { + name = "grafana"; + ensureDBOwnership = true; + } + ]; + + ensureDatabases = [ "grafana" ]; + }; + + nginx.virtualHosts."${domain}" = { + forceSSL = true; + useACMEHost = "tlater.net"; + enableHSTS = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + "/api/live" = { + proxyWebsockets = true; + proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; + }; }; }; }; diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix index 30f79ed..6628d07 100644 --- a/configuration/services/nextcloud.nix +++ b/configuration/services/nextcloud.nix 
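Review bot: Almost every line of this hunk is re-indentation from wrapping the existing `services.grafana` and `services.nginx` definitions in a single `services = { ... };` set so that `postgresql` can be added beside them; the functionally new code is only the `postgresql.ensureUsers` / `ensureDatabases` block. Adding that as a sibling `services.postgresql = { ... };` next to `services.grafana` (the form nextcloud.nix uses in this same commit) would have kept the diff to roughly ten lines and left the Grafana settings, including the `security` block with the admin credentials and cookie flags, visibly untouched for review. The surrounding `let ... in` module and its closing brace lie outside the hunk.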
@@ -103,6 +103,17 @@ in
 };
 };
+ services.postgresql = {
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+
+ ensureDatabases = [ "nextcloud" ];
+ };
+ # Ensure that this service doesn't start before postgres is ready
 systemd.services.nextcloud-setup.after = [ "postgresql.target" ];
diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix
deleted file mode 100644
index 85a6843..0000000
--- a/configuration/services/postgres.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ pkgs, ... }:
-{
- services.postgresql = {
- package = pkgs.postgresql_14;
- enable = true;
-
- # Only enable connections via the unix socket, and check with the
- # OS to make sure the user matches the database name.
- #
- # See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
- authentication = ''
- local sameuser all peer
- '';
-
- # Note: The following options with ensure.* are set-only; i.e.,
- # when permissions/users/databases are removed from these lists,
- # that operation needs to be performed manually on the system as
- # well.
- ensureUsers = [
- {
- name = "grafana";
- ensureDBOwnership = true;
- }
- {
- name = "nextcloud";
- ensureDBOwnership = true;
- }
- ];
-
- ensureDatabases = [
- "grafana"
- "nextcloud"
- ];
- };
-}
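Review bot: The caveat from the deleted postgres.nix that the `ensure*` options are set-only was dropped when the entries were split out, so the new `services.postgresql` block here carries `ensureUsers` / `ensureDatabases` with no hint that removing the `nextcloud` entry later will not drop the role or database on the host. I would restore it directly above `ensureUsers`, e.g. `# Set-only: removing an entry here does not drop the role/DB; do that by hand.`, and the matching block this commit adds in grafana.nix wants the same line. The `let ... in` module enclosing this hunk starts and ends outside it.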