diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix index 362baf45..ed2ac2ae 100644 --- a/modules/nixos/postgres.nix +++ b/modules/nixos/postgres.nix @@ -9,15 +9,51 @@ cfg = config.services.postgresql; ensureUserModule = { config, ... }: { options = with lib.types; { - tailscale = { - allow = mkEnableOption "tailscale TCP connections"; + authentication = { + enable = mkEnableOption "TCP connections" // { + default = config.authentication.hosts != [ ]; + }; + hosts = mkOption { + type = listOf str; + default = [ ]; + }; + method = mkOption { + type = str; + default = "md5"; + }; database = mkOption { type = str; }; + tailscale = { + allow = mkEnableOption "tailscale TCP connections"; + }; + local = { + allow = mkEnableOption "local TCP connections"; + }; + authentication = mkOption { + type = lines; + default = ""; + }; }; }; config = { - tailscale.database = mkIf (config.ensureDBOwnership) ( + authentication = { + hosts = mkMerge [ + (mkIf config.authentication.tailscale.allow [ + "fd7a:115c:a1e0::/96" + "fd7a:115c:a1e0:ab12::/64" + "100.64.0.0/10" + ]) + (mkIf config.authentication.local.allow [ + "10.1.1.0/24" + "fd0a::/64" + ]) + ]; + authentication = mkMerge (map (host: '' + host ${config.authentication.database} ${config.name} ${host} ${config.authentication.method} + '') config.authentication.hosts); + }; + authentication.database = mkIf (config.ensureDBOwnership) ( mkOptionDefault config.name ); }; 
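Review bot: `method` defaults to `"md5"` for every generated host rule, so the new option carries the older MD5 password scheme forward as the module's baseline for both the tailscale and the LAN ranges; provided the roles' passwords are stored as SCRAM verifiers, prefer `default = "scram-sha-256";`, the method PostgreSQL recommends over md5. In the template, quote the two names, `host "${config.authentication.database}" "${config.name}" ${host} ${config.authentication.method}`, so a role or database whose name collides with a pg_hba keyword (`all`, `sameuser`, `replication`) is matched literally rather than as the keyword. The new `hosts`, `method` and `authentication` options have no `description`; the last is computed from the other two and reads as an implementation detail, so consider `internal = true;` on it and a one-line description on `hosts` stating that each entry is a CIDR range that yields one `host` rule. Note also that `database` has no default, so a user with `ensureDBOwnership = false` and a non-empty `hosts` list fails evaluation until `authentication.database` is set; a description saying so would save the next reader a trip through the error.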
@@ -29,19 +65,11 @@ in { }; }; config.services.postgresql = { - enableTCPIP = mkIf (any (user: user.tailscale.allow) cfg.ensureUsers) ( + enableTCPIP = mkIf (any (user: user.authentication.enable) cfg.ensureUsers) ( mkDefault true ); - authentication = let - allowTail = { database, user }: '' - host ${database} ${user} fd7a:115c:a1e0::/96 md5 - host ${database} ${user} fd7a:115c:a1e0:ab12::/64 md5 - host ${database} ${user} 100.64.0.0/10 md5 - ''; - in mkMerge (map - (user: mkIf user.tailscale.allow ( - allowTail { inherit (user.tailscale) database; user = user.name; } - )) cfg.ensureUsers - ); + authentication = mkMerge (map (user: + mkIf user.authentication.enable user.authentication.authentication + ) cfg.ensureUsers); }; } diff --git a/nixos/postgres.nix b/nixos/postgres.nix index 1725f982..e6e819bf 100644 --- a/nixos/postgres.nix +++ b/nixos/postgres.nix @@ -8,12 +8,17 @@ in { services.postgresql = { enable = mkDefault true; - ensureDatabases = ["hass"]; + ensureDatabases = ["hass" "dex"]; ensureUsers = [ { name = "hass"; ensureDBOwnership = true; - tailscale.allow = !config.services.home-assistant.enable; + authentication.tailscale.allow = !config.services.home-assistant.enable; + } + { + name = "dex"; + ensureDBOwnership = true; + authentication.local.allow = true; } ]; }; diff --git a/nixos/secrets/postgres.yaml b/nixos/secrets/postgres.yaml index 5f106844..7cdf3f3e 100644 --- a/nixos/secrets/postgres.yaml +++ b/nixos/secrets/postgres.yaml 
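Review bot: `enableTCPIP` now flips to true whenever any user has `authentication.enable`, which the new `local.allow` path sets as well, and in NixOS that option makes the server listen on all interfaces rather than only the tailscale one, so the per-user CIDR rules in pg_hba become the only thing limiting which networks can reach the port. That is a reasonable design, but it is worth a comment on the `enableTCPIP` line stating the assumption, e.g. `# listens on all interfaces; pg_hba rules below are the only network restriction`, and confirming the host firewall does not expose 5432 beyond the declared ranges (not visible in this diff). As a point of style, `user.authentication.authentication` reads like a typo at this call site; naming the computed option something like `hbaLines` in the module would make this `mkMerge` self-describing.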
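Review bot: The new `dex` entry grants TCP access from every address in the module's `local` ranges, whereas `hass` only opens tailscale access when Home Assistant is not running on this host; if dex runs on this same machine, leaving `authentication.local.allow` unset and connecting over the Unix socket with peer authentication keeps the database off the network entirely. Where dex actually runs is not visible here, so this is an inference from the two entries alone; a short comment on the `dex` block naming the client host that needs the LAN rule would document the decision either way.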
@@ -1,4 +1,4 @@ -postgresql-init: ENC[AES256_GCM,data:TUoqSxYsydMShNZXjx5Xee4P4Lsar746UOs/H4xQ3yk1xxHejpANo39uhQQdqVXOTQ17JXKOAHjUmFJyIq8BotEFWgQ=,iv:13yUHxGZ+dc8LtHF8NPXIqaMatVoop4TA5cHr87UXQA=,tag:IEF32Ct8+IRC9VoUBlWQbw==,type:str] +postgresql-init: ENC[AES256_GCM,data:qIZZDcUb4eva7lZ4VCUu+Jl8K37KN37+HQ+6/WisZkDrxshUI5hhrYM0ypGFW0L/W9K9hRHaKGuBqYSeLoXwObT+K4J5VshO+H6PNDjuWkmho5Q/dVENs6AOLcLtxWC3Uz/kcH368yR13F64dCGAzlbSLxcP2bxgfdMbOhQvar9OD602i7TW,iv:BJvjQUcohdBLYxuz+rUsulMbGBwH6axuxOIDhVZET3Y=,tag:yDUwUS6DmiQV7FHtWmRVIg==,type:str] sops: shamir_threshold: 1 kms: [] @@ -33,8 +33,8 @@ sops: a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-16T19:12:12Z" - mac: ENC[AES256_GCM,data:xT5guyOuwPe4BH24aIUfpG95Gu6o9Df3oGeA8HFJ6dtHuWXrf2xba9rn4tXDHkIxDm/18Z8v6nX4OFoiEgkwWGsg/RXqG1Rs1/+fhWHe4UOUU675bn8zJiFgBKEtr1e0Q1THSPlgfM8L/qgJhEJSYoPcNArbxkfOgXlKJFyH8ro=,iv:kw+IR4Xh77kkHixfWKlX0+mqS3Sq2E+h8NSryrwYchI=,tag:N7yiMKagn4y5j9iOrh93fA==,type:str] + lastmodified: "2024-01-21T18:25:21Z" + mac: ENC[AES256_GCM,data:b9eqSdZYccvK5WPQmP6/5X5raNFkqSu4sCOJZhL8OOSIfrvdbbJ9xJ7hZ2rsGp8XNxMPcofvLFb/JVwWIZOw1TOIiiyCwK+XfaRA7lcyTi3Kd9P8OADejo222ek/QgaAUzE7D8+q9PTSbLLgrfbvFCuwXJoEEslbjIh6UToziPY=,iv:0yK0y/QhYz8jAJqtMMkNmTPY0rTeonOhneyfdFJRoVw=,tag:e85Y3S7YgfB8EAb1TZSPYg==,type:str] pgp: - created_at: "2024-01-19T19:08:55Z" enc: |-