diff --git a/hosts/lab/shlink.nix b/hosts/lab/shlink.nix
index 4286e85..d35fcef 100644
--- a/hosts/lab/shlink.nix
+++ b/hosts/lab/shlink.nix
@@ -2,7 +2,6 @@
 {
 sops.secrets.shlink-db-password = {
 sopsFile = ../../secrets/shlink.yaml;
- owner = "postgres";
 };
 sops.secrets.shlink-api-key = {
@@ -23,18 +22,17 @@
 ensureUsers = [{
 name = "shlink";
 ensureDBOwnership = true;
+ ensureClauses = {
+ login = true;
+ password = "SCRAM-SHA-256$4096:nhQwTFK7rhy8FOrhlgDnvg==$3eB9AlBwUxK1UOiwXAlP5wzxnmKUsBpB1UTsF0cRDIo=:GmxUtrGP6haTPnhPSOL42qsuPwEHV7tME1WfBNucGrU=";
+ };
 }];
 authentication = ''
- host shlink shlink 127.0.0.1/32 md5
- host shlink shlink ::1/128 md5
+ host shlink shlink 127.0.0.1/32 scram-sha-256
+ host shlink shlink ::1/128 scram-sha-256
 '';
 };
- systemd.services.postgresql-setup.postStart = ''
- ${config.services.postgresql.package}/bin/psql -p $PGPORT -tAc \
- "ALTER ROLE shlink PASSWORD '$(tr -d '\n' < ${config.sops.secrets.shlink-db-password.path})';"
- '';
-
 services.caddy.virtualHosts."ily.rs" = {
 extraConfig = ''
 redir / https://wynne.rs permanent
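Review bot: The `password = "SCRAM-SHA-256$4096:…"` value added under `ensureClauses` puts the role's SCRAM verifier into the repository and, as a literal in the configuration, presumably into the world-readable Nix store, whereas the removed `postStart` read the credential from the sops-managed file at runtime. A verifier is not the plaintext, but at 4096 iterations anyone who can read the repo or the store can test password guesses against it offline, so this is only acceptable if the password in `secrets/shlink.yaml` is long and randomly generated. The literal also has to be regenerated by hand whenever that secret is rotated, otherwise logins for the `shlink` role will start failing under the new `scram-sha-256` rules. I would add `# SCRAM verifier for the password in secrets/shlink.yaml; regenerate and update here on rotation` above the `password` line, or keep loading the value from a secret file so the two cannot drift. Whether `ensureClauses` accepts a `password` key depends on the PostgreSQL module version in use, which is not visible in this hunk.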