diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..86b3a23
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+cafe.qcow2
diff --git a/build-vm.sh b/build-vm.sh
index 158c240..aa1b6ed 100755
--- a/build-vm.sh
+++ b/build-vm.sh
@@ -1,5 +1,7 @@
 #!/bin/sh -e
-nixos-rebuild build-vm --flake .#cafe-virt
-rm -f nixos.qcow2
-./result/bin/run-*-vm
-rm -f nixos.qcow2 result
+nixos-rebuild build-vm --flake .#cafe-virt "$@"
+rm -f cafe.qcow2
+echo "[STARTING VM]"
+./result/bin/run-*-vm -nographic
+echo "[STOPPING VM]"
+rm -f cafe.qcow2 result
diff --git a/flake.nix b/flake.nix
index 8c2579a..fdc9637 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,13 +12,15 @@
 nix.registry.nixpkgs.flake = nixpkgs;
 system.configurationRevision = nixpkgs.lib.mkIf (self ? rev) self.rev;
 };
-# 8888 on host is 80 on guest
+# 8080 on host is 80 on guest
+# 2222 on host is 22 on guest
 virt-module = {
 virtualisation.vmVariant = {
 virtualisation.cores = 4;
 virtualisation.memorySize = 4096;
 virtualisation.forwardPorts = [
 { from = "host"; host.port = 8080; guest.port = 80; }
+{ from = "host"; host.port = 2222; guest.port = 22; }
 ];
 };
 };
diff --git a/host.nix b/host.nix
index aad58e4..1f954ab 100644
--- a/host.nix
+++ b/host.nix
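Review bot: The cleanup on the last new line of build-vm.sh (`rm -f cafe.qcow2 result`) only runs on the success path: the shebang is `#!/bin/sh -e`, so a failing `nixos-rebuild` or a VM process that exits non-zero aborts the script and leaves `result` and `cafe.qcow2` behind until the next run. Registering the cleanup once, `trap 'rm -f cafe.qcow2 result' EXIT`, right after the shebang covers both paths and makes the trailing `rm` redundant. The `cafe.qcow2` name presumably follows the guest's `networking.hostName = "cafe"` set in host.nix; a comment such as `# disk image is named after the guest hostName` would explain the rename away from nixos.qcow2.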
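Review bot: The new `{ from = "host"; host.port = 2222; guest.port = 22; }` entry in flake.nix leaves `host.address` unset, and QEMU's hostfwd rule binds every host interface when no address is given, so the guest's sshd (and the `admin` account this commit also puts in `wheel`) becomes reachable from whatever network the host sits on, not only from the host itself. For a test VM, `host.address = "127.0.0.1";` on both forwardPorts entries keeps the listeners on loopback; the comment lines above `virt-module` are the natural place to record that restriction.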
@@ -1,34 +1,48 @@ state-version: { pkgs, ... }: -let secrets = import ./secrets/secrets.nix; - services = with builtins; - map (s: import (./services + "/${s}") { inherit pkgs; }) - (filter (s: ! isNull (match ".*\.nix" s)) - (attrNames (readDir ./services))); +let services = with builtins; + let services_no_ip = + map (s: import (./services + "/${s}") { inherit pkgs; }) + (filter (s: ! isNull (match ".*\.nix" s)) + (attrNames (readDir ./services))); + in genList (i: elemAt services_no_ip i // { ip = "10.10.0.${toString (i+2)}"; }) (length services_no_ip); + lib = import ./lib.nix; + secrets = import ./secrets/secrets.nix; + + hostIp = "10.10.0.1"; in -lib.foldMap ({ name, ip, config, ports, ... }: +{ + containers = +lib.foldMap ({ name, config, ip, ports, ... }: { - containers.${name} = { - autoStart = true; - ephemeral = true; - privateNetwork = true; - hostAddress = ip.host; - localAddress = ip.local; - config = config // { - boot.isContainer = true; - networking.hostName = "${name}"; - networking.useDHCP = false; + ${name} = { + autoStart = true; + ephemeral = true; + privateNetwork = true; + hostAddress = hostIp; + localAddress = ip; + config = config // { + boot.isContainer = true; - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = ports.tcp; - networking.firewall.allowedUDPPorts = ports.udp; + networking = { + hostName = "${name}"; - system.stateVersion = state-version; + hosts = lib.foldMap ({ name, ip, ...}: + { "${ip}" = [ "${name}.containers" "${name}" ]; } + ) services; + + firewall.enable = true; + firewall.allowedTCPPorts = ports.tcp; + firewall.allowedUDPPorts = ports.udp; + }; + + system.stateVersion = state-version; + }; }; - }; } -) services +) services; +} // 
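Review bot: The container addresses in the new `services` binding are positional (`ip = "10.10.0.${toString (i+2)}"` over `genList`), and the list they index comes from `attrNames (readDir ./services)`, so an address is whatever slot a file name sorts into; adding, removing or renaming a `.nix` file under `services/` silently reassigns every later container's IP. The generated `networking.hosts` entries are built from the same list, so name-based references such as `postgres.containers` stay correct, but anything keyed on a literal address elsewhere (a pg_hba range, a documented endpoint) will drift without warning. A comment on the `genList` line, `# IPs are positional: the sort order of services/*.nix decides them`, would at least make this visible; letting a service declare an explicit `ip` and only falling back to the index would remove the surprise. The attribute set this let-binding opens continues past the end of the hunk (`} //`).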
@@ -38,29 +52,75 @@ lib.foldMap ({ name, ip, config, ports, ... }: enable = true; recommendedProxySettings = true; virtualHosts = - lib.foldMap ({ ip, ports, hosts, ... }: + lib.foldMap ({ ports, hosts, ip, ... }: lib.foldMap (host: - { - "${host}" = { - locations."/".proxyPass = "http://${ip.local}:${builtins.toString ports.http}"; - }; - } + if (builtins.isNull ports.http) + then {} + else { + "${host}" = { + locations."/".proxyPass = + "http://${ip}:${builtins.toString ports.http}"; + }; + } ) hosts ) services; }; - # [NETWORK] - networking.firewall.allowedTCPPorts = [ 80 ]; - networking.firewall.allowedUDPPorts = [ ]; - networking.hostName = "cafe"; + # [SSHD] + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "no"; + PasswordAuthentication = false; + }; + }; - # VM test user - users.users.admin.isNormalUser = true; - users.users.admin.hashedPassword = pkgs.lib.removeSuffix "\n" - (builtins.readFile ./secrets/admin_password); - users.users.admin.group = "admin"; + # [NETWORK] + networking = { + hostName = "cafe"; + + firewall.allowedTCPPorts = [ 22 80 443 ]; + firewall.allowedUDPPorts = [ ]; + + nat = { + enable = true; + internalInterfaces = ["ve-+"]; + externalInterface = "lo"; + }; + }; + + # [USER] + users.users.admin = { + isNormalUser = true; + group = "admin"; + extraGroups = [ "wheel" ]; + hashedPassword = pkgs.lib.removeSuffix "\n" + (builtins.readFile ./secrets/admin_password); + openssh.authorizedKeys.keyFiles = [ ./secrets/id_ed25519.pub ]; + }; users.groups.admin = {}; + # [SOFTWARE] + programs.bash.interactiveShellInit = '' + set -o vi + ''; + + # [NIX] + nix = { + settings = { + experimental-features = [ "nix-command" "flakes" ]; + auto-optimise-store = true; + }; + gc = { + automatic = true; + dates = "monthly"; + options = "--delete-older-than 30d"; + }; + }; + + security.sudo.enable = false; + security.doas.enable = true; + system.stateVersion = state-version; } 
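Review bot: `PasswordAuthentication = false` in the new `services.openssh.settings` block does not by itself turn off password logins on NixOS, because `KbdInteractiveAuthentication` defaults to true and PAM will still prompt for the `admin` password over keyboard-interactive; add `KbdInteractiveAuthentication = false;` beside it so only the key in `openssh.authorizedKeys.keyFiles` is accepted. `firewall.allowedTCPPorts = [ 22 80 443 ]` now opens 443, but the nginx `virtualHosts` in this hunk only set `locations."/".proxyPass` with no TLS or `forceSSL`, so nothing visible here listens on that port; either drop it or document what is meant to bind it. `nat.externalInterface = "lo"` also looks unusual for masquerading container traffic and is worth confirming.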
diff --git a/secrets/gitea_postgres_pass b/secrets/gitea_postgres_pass
new file mode 100644
index 0000000..4b267aa
Binary files /dev/null and b/secrets/gitea_postgres_pass differ
diff --git a/secrets/id_ed25519.pub b/secrets/id_ed25519.pub
new file mode 100644
index 0000000..23cc93e
Binary files /dev/null and b/secrets/id_ed25519.pub differ
diff --git a/services/gitea.nix b/services/gitea.nix
index 3d7bb9b..9b38f77 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -1,15 +1,16 @@
 { pkgs, ... }: {
 name = "gitea";
-ip = {
-host = "10.10.0.1";
-local = "10.10.0.2";
-};
 config = {
 services.gitea = {
 enable = true;
 appName = "My awesome Gitea server"; # Give the site a name
 database = {
-type = "sqlite3";
+type = "postgres";
+host = "postgres.containers";
+port = 3306;
+name = "gitea";
+user = "gitea";
+passwordFile = ../secrets/gitea_postgres_pass;
 };
 settings.server = {
 DOMAIN = "localhost";
diff --git a/services/postgres.nix b/services/postgres.nix
new file mode 100644
index 0000000..218fc7e
--- /dev/null
+++ b/services/postgres.nix
@@ -0,0 +1,25 @@
+{ pkgs, ... }: {
+name = "postgres";
+config = {
+services.postgresql = {
+enable = true;
+enableTCPIP = true;
+port = 3306;
+ensureDatabases = [ "gitea" ];
+initialScript = pkgs.writeText "backend-initScript" ''
+CREATE USER gitea WITH LOGIN PASSWORD '${pkgs.lib.strings.fileContents ../secrets/gitea_postgres_pass}' CREATEDB;
+CREATE DATABASE gitea;
+GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+'';
+authentication = pkgs.lib.mkOverride 10 ''
+host all all 10.10.0.0/16 trust
+'';
+};
+};
+ports = {
+tcp = [ 3306 ];
+udp = [];
+http = null;
+};
+hosts = [ ];
+}
diff --git a/services/readme.md b/services/readme.md
index 2e0b426..e7f2cc6 100644
--- a/services/readme.md
+++ b/services/readme.md
@@ -8,10 +8,6 @@ Services are of the form:
 ```nix
 { pkgs, ... }: {
 name = "name";
-ip = {
-host = "ip";
-local = "ip";
-};
 config = { ... };
 ports = {
 tcp = [ 80 ];
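Review bot: `passwordFile = ../secrets/gitea_postgres_pass;` in gitea.nix is a Nix path literal, and when the gitea module interpolates it into its setup script the file is copied into the world-readable Nix store, so the database password ends up readable by every local user regardless of the permissions on `secrets/`; the same file is also added to the repository in this commit (the `secrets/gitea_postgres_pass` binary section above), putting it in git history as well. `passwordFile` is meant to be a string path to a file that exists on the target at runtime and is not read at evaluation, e.g. `passwordFile = "/run/secrets/gitea-db-pass";` (placeholder path). Note that simply git-ignoring `secrets/` would not work here: flake evaluation only sees tracked files, so the `readFile`/`fileContents` calls in host.nix and postgres.nix would then fail, which is why the fix is to stop reading secret material at evaluation time rather than to hide the directory. The `initialScript` in postgres.nix has the same exposure, see the next note.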
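Review bot: `host all all 10.10.0.0/16 trust` in the new postgres.nix lets any client in that /16 connect as any role, including the `postgres` superuser, with no credential at all, so the `CREATE USER gitea WITH LOGIN PASSWORD ...` line above it provides no protection; a narrower rule such as `host gitea gitea 10.10.0.0/24 scram-sha-256` limits the network entry to the one database and role and makes the password actually matter. `pkgs.lib.strings.fileContents ../secrets/gitea_postgres_pass` inside `pkgs.writeText` also embeds the password verbatim in a store path, so it is world-readable on the host even after the file itself is protected; the usual pattern is `ensureUsers` plus a password set from a runtime file in `postStart`, rather than an eval-time `initialScript`. Since `mkOverride 10` replaces the module's default pg_hba lines rather than appending, check that the `local ... peer` entry the setup service relies on for `ensureDatabases` is not lost, and add a `local all all peer` line if it is. `ensureDatabases = [ "gitea" ]` and `CREATE DATABASE gitea;` in the script duplicate each other; one of them can go.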
@@ -21,4 +17,3 @@ Services are of the form:
 hosts = [ "myservice.domain.mjau" ];
 }
 ```
-