diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
index 016f2a7..f676467 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -73,11 +73,19 @@ in
 
       identity_providers.oidc = {
         hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
-        jwks = [
-          {
-            key = hmConfig.sops.placeholder."authelia/oidcKey";
-          }
-        ];
+        jwks = [ { key = hmConfig.sops.placeholder."authelia/oidcKey"; } ];
+
+        authorization_policies = {
+          admin = {
+            default_policy = "deny";
+            rules = [
+              {
+                policy = "two_factor";
+                subject = [ "group:admins" ];
+              }
+            ];
+          };
+        };
       };
 
       storage = {
@@ -126,14 +134,14 @@ in
         image = "docker-archive:${selfPkgs.docker-yq}";
         networks = [ networks.authelia.ref ];
         volumes = [
-          "${home}/.local/share/authelia/config:/workdir/config"
-          "${hmConfig.sops.templates."authelia-users.yaml".path}:/workdir/users.yaml:ro"
+          "${home}/.local/share/authelia/config:/etc/authelia"
+          "${hmConfig.sops.templates."authelia-users.yaml".path}:/etc/authelia/users.yaml.default:ro"
         ];
         exec = [
           "eval-all"
           ". as $item ireduce ({}; . * $item)"
-          "/workdir/config/users.yaml"
-          "/workdir/users.yaml"
+          "/etc/authelia/users.yaml"
+          "/etc/authelia/users.yaml.default"
           "-i"
         ];
       };
diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
index 4a76273..0ce545f 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
@@ -132,9 +132,7 @@ in
         ];
       };
     in
-    [
-      "${config}:/etc/authelia/conf.d/traefik.yaml:ro"
-    ];
+    [ "${config}:/etc/authelia/conf.d/traefik.yaml:ro" ];
   };
 };
 
diff --git a/packages/docker/postgresql/entrypoint.sh b/packages/docker/postgresql/entrypoint.sh
index 71cc344..9ca987a 100644
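Review bot: The new `authorization_policies.admin` entry is only a named policy; in Authelia it applies to an OIDC client only when that client sets `authorization_policy = "admin"`, and no client in this hunk does so. If the clients list elsewhere in this file was not updated in the same change, the admins-only restriction is defined but not yet enforced anywhere, which is easy to miss because the policy itself looks complete. A short comment above the block would make the intent explicit: `# Named OIDC policy; clients opt in with authorization_policy = "admin". Non-members of group:admins are denied, members must pass 2FA.` The `identity_providers.oidc` set opens inside the hunk, but the attribute set that contains it starts before it.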
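Review bot: The argument order in the yq `exec` list makes `users.yaml.default` the overriding source rather than the base: `. as $item ireduce ({}; . * $item)` folds the documents left to right with later keys winning, and `-i` writes the result back to the first file, so on every run the sops-rendered template overwrites matching entries in the on-disk `/etc/authelia/users.yaml`. That is a sensible precedence for credentials managed in sops, but the `.default` suffix suggests the opposite, and the same ordering already existed under the old `/workdir` paths, so the rename only makes the mismatch more visible. Either swap the two paths if local edits are meant to win, or document the behaviour next to `exec`: `# yq merges left-to-right: sops-managed users.yaml.default overrides on-disk users.yaml; -i writes the merge back to users.yaml`. The container definition this hunk belongs to starts before the hunk.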
--- a/packages/docker/postgresql/entrypoint.sh
+++ b/packages/docker/postgresql/entrypoint.sh
@@ -24,11 +24,14 @@ mkfifo "$LOG_PIPE"
 LOG_PID=$!
 
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
-  initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")
+  tmpfile=$(mktemp)
+  printf "%s\n" "$POSTGRES_PASSWORD" > "$tmpfile"
+  initdb --username="$POSTGRES_USER" --pwfile="$tmpfile"
+  rm -f "$tmpfile"
 
   auth_method=$(postgres -c config_file="/etc/postgresql/postgresql.conf" -C password_encryption)
   POSTGRES_HOST_AUTH_METHOD="${POSTGRES_HOST_AUTH_METHOD:=$auth_method}"
-  echo -e "\nhost all all all $POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
+  printf "\nhost all all all %s\n" "$POSTGRES_HOST_AUTH_METHOD" >> "$PGDATA/pg_hba.conf"
 
   pg_ctl -w start
 
@@ -39,5 +42,5 @@ if [ ! -s "$PGDATA/PG_VERSION" ]; then
   pg_ctl -m fast -w stop
 fi
 
-trap "kill $LOG_PID" EXIT
+trap 'kill $LOG_PID' EXIT
 exec postgres -c config_file="/etc/postgresql/postgresql.conf" "$@" > "$LOG_PIPE" 2>&1
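Review bot: The password temp file is not removed when `initdb` fails: if the script runs under `set -e` (not visible in this hunk) it exits before `rm -f "$tmpfile"`, and in either case a signal between `mktemp` and the `rm` leaves `$POSTGRES_PASSWORD` sitting in `$TMPDIR`. mktemp's default 0600 mode keeps the file private to the container user while it exists, so the exposure is limited, but the failure path should clean up as well, e.g. `initdb --username="$POSTGRES_USER" --pwfile="$tmpfile" || { rm -f "$tmpfile"; exit 1; }` in place of the bare `initdb` line, keeping the existing `rm -f` for the success path. The `if` block these lines belong to closes in the next hunk.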
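Review bot: The single-quoted `trap 'kill $LOG_PID' EXIT` behaves the same as the double-quoted form here, since `LOG_PID` is assigned earlier and not reassigned, but its reach is narrower than it looks: `exec postgres` on the following line replaces the shell, so this EXIT trap cannot fire when postgres itself terminates and only covers a failure before or at the exec. If the log reader is meant to be stopped when the server stops, that has to be arranged some other way; otherwise a comment such as `# only fires if the exec below fails; after a successful exec the shell and this trap are gone` would save the next reader the same analysis.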