diff --git a/hosts/web-01.cloonar.com/modules/grafana.nix b/hosts/web-01.cloonar.com/modules/grafana.nix
index a06defc..4f711d7 100644
--- a/hosts/web-01.cloonar.com/modules/grafana.nix
+++ b/hosts/web-01.cloonar.com/modules/grafana.nix
@@ -69,6 +69,16 @@ in
     locations."/".extraConfig = "proxy_pass http://localhost:3001;";
   };
 
+  services.postgresql.ensureUsers = [
+    {
+      name = "grafana";
+      ensurePermissions = {
+        "DATABASE \"grafana\"" = "ALL PRIVILEGES";
+        "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+  services.postgresql.ensureDatabases = [ "grafana" ];
   services.postgresqlBackup.databases = [ "grafana" ];
 
   sops.secrets = {
diff --git a/hosts/web-01.cloonar.com/modules/loki.nix b/hosts/web-01.cloonar.com/modules/loki.nix
index 4d7fa08..d248f61 100644
--- a/hosts/web-01.cloonar.com/modules/loki.nix
+++ b/hosts/web-01.cloonar.com/modules/loki.nix
@@ -100,7 +100,6 @@ in
 
   sops.secrets.promtail-nginx-password.owner = "nginx";
 
-  security.acme.certs."loki.r".server = config.retiolum.ca.acmeURL;
   services.nginx.virtualHosts."loki.cloonar.com" = {
     forceSSL = true;
     enableACME = true;
@@ -128,6 +127,4 @@ in
       '';
     };
   };
-
-  networking.firewall.interfaces."tinc.retiolum".allowedTCPPorts = [ 80 ];
 }