diff --git a/hosts/tsuki/services/headscale.nix b/hosts/tsuki/services/headscale.nix
index ad6b001..5e9894f 100644
--- a/hosts/tsuki/services/headscale.nix
+++ b/hosts/tsuki/services/headscale.nix
@@ -55,14 +55,10 @@ in {
   services.postgresql = lib.mkIf cfg.enable {
     enable = true;
     ensureDatabases = [ "headscale" ];
-    ensureUsers = [
-      (rec {
+    ensureUsers = [{
         name = "headscale";
-        ensurePermissions = {
-          "DATABASE \"${name}\"" = "ALL PRIVILEGES";
-        };
-      })
-    ];
+        ensureDBOwnership = true;
+    }];
   };
 
   environment.systemPackages = lib.mkIf cfg.enable [ pkgs.headscale ];
diff --git a/hosts/tsuki/services/hedgedoc.nix b/hosts/tsuki/services/hedgedoc.nix
index be5ec8a..6f4a8ab 100644
--- a/hosts/tsuki/services/hedgedoc.nix
+++ b/hosts/tsuki/services/hedgedoc.nix
@@ -53,11 +53,10 @@ in {
 
     services.postgresql = {
       ensureDatabases = [ "hedgedoc" ];
+
       ensureUsers = [{
         name = "hedgedoc";
-        ensurePermissions = {
-          "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }];
     };
 
diff --git a/hosts/tsuki/services/matrix/postgres.nix b/hosts/tsuki/services/matrix/postgres.nix
index e3d1152..2f9263b 100644
--- a/hosts/tsuki/services/matrix/postgres.nix
+++ b/hosts/tsuki/services/matrix/postgres.nix
@@ -5,9 +5,7 @@
     cfg = config.services;
     db = name: {
       inherit name;
-      ensurePermissions = {
-        "DATABASE \"${name}\"" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     };
   in {
     enable = true;
diff --git a/hosts/tsuki/services/minecraft/default.nix b/hosts/tsuki/services/minecraft/default.nix
index 8e056ae..9c264e2 100644
--- a/hosts/tsuki/services/minecraft/default.nix
+++ b/hosts/tsuki/services/minecraft/default.nix
@@ -170,9 +170,7 @@ in
     o = lib.optional;
     db = name: {
       inherit name;
-      ensurePermissions = {
-        "DATABASE \"${name}\"" = "ALL PRIVILEGES";
-      };
+      ensureDBOwnership = true;
     };
   in {
     enable = true;
diff --git a/hosts/tsuki/services/nextcloud.nix b/hosts/tsuki/services/nextcloud.nix
index b54c309..bfdbce1 100644
--- a/hosts/tsuki/services/nextcloud.nix
+++ b/hosts/tsuki/services/nextcloud.nix
@@ -58,13 +58,9 @@
   services.postgresql = {
     enable = true;
     ensureDatabases = [ "nextcloud" ];
-    ensureUsers = [
-      (rec {
-        name = "nextcloud";
-        ensurePermissions = {
-          "DATABASE \"${name}\"" = "ALL PRIVILEGES";
-        };
-      })
-    ];
+    ensureUsers = [{
+      name = "nextcloud";
+      ensureDBOwnership = true;
+    }];
   };
 }
diff --git a/hosts/tsuki/services/vaultwarden.nix b/hosts/tsuki/services/vaultwarden.nix
index b82a9b7..2c1464c 100644
--- a/hosts/tsuki/services/vaultwarden.nix
+++ b/hosts/tsuki/services/vaultwarden.nix
@@ -59,14 +59,10 @@ in {
   services.postgresql = lib.mkIf cfg.enable {
     enable = true;
     ensureDatabases = [ "vaultwarden" ];
-    ensureUsers = [
-      (rec {
-        name = "vaultwarden";
-        ensurePermissions = {
-          "DATABASE \"${name}\"" = "ALL PRIVILEGES";
-        };
-      })
-    ];
+    ensureUsers = [{
+      name = "vaultwarden";
+      ensureDBOwnership = true;
+    }];
   };
 
   local.socketActivation.vaultwarden = {