diff --git a/hosts/greatyamada/nixos/default.nix b/hosts/greatyamada/nixos/default.nix
index f9b5961..d89bafc 100644
--- a/hosts/greatyamada/nixos/default.nix
+++ b/hosts/greatyamada/nixos/default.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }: {
+{ config, lib, pkgs, ... }: {
 imports = [ ./filesystems.nix ];
 boot = {
@@ -14,7 +14,18 @@
 environment.systemPackages = with pkgs; [ arion docker-client ];
 networking = {
- firewall.enable = true;
+ firewall = {
+ enable = true;
+ interfaces = let
+ matchAll =
+ if !config.networking.nftables.enable then "podman+" else "podman*";
+ in {
+ "${matchAll}" = {
+ allowedTCPPorts = [ 5432 ];
+ allowedUDPPorts = [ 53 ];
+ };
+ };
+ };
 hostName = "greatyamada";
 networkmanager.enable = true;
 useDHCP = lib.mkDefault false;
@@ -43,10 +54,14 @@
 users.avery.extraGroups = [ "media" ];
 };
- virtualisation.podman = {
- enable = true;
- dockerSocket.enable = true;
- defaultNetwork.settings.dns_enabled = true;
+ virtualisation = {
+ oci-containers.backend = "podman";
+ podman = {
+ enable = true;
+ autoPrune.enable = true;
+ dockerSocket.enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
 };
 time.timeZone = "UTC";
diff --git a/hosts/greatyamada/services/_port-definitions.nix b/hosts/greatyamada/services/_port-definitions.nix
index e70eabf..564e7e8 100644
--- a/hosts/greatyamada/services/_port-definitions.nix
+++ b/hosts/greatyamada/services/_port-definitions.nix
@@ -4,6 +4,7 @@
 adguardhome-dhcp-udp = 67;
 forgejo-http = 3000;
 jellyfin-http = 8096;
+ koito = 4110;
 minecraft = 13914;
 navidrome-https = 4533;
 nginx-https = 443;
diff --git a/hosts/greatyamada/services/adguardhome.nix b/hosts/greatyamada/services/adguardhome.nix
index 818f4a0..24e4d7e 100644
--- a/hosts/greatyamada/services/adguardhome.nix
+++ b/hosts/greatyamada/services/adguardhome.nix
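Review bot: The new `interfaces` rule hard-codes 5432 and 53, while the rest of this commit reads the same services' ports from hosts/greatyamada/services/_port-definitions.nix (`portDefinitions.postgresql` in postgresql.nix, `portDefinitions.adguardhome-dns` in adguardhome.nix); importing that table here and writing `allowedTCPPorts = [ portDefinitions.postgresql ];` and `allowedUDPPorts = [ portDefinitions.adguardhome-dns ];` (assuming that entry is 53) keeps the firewall from drifting away from the listeners. Because the key is the wildcard `podman+`/`podman*`, the opening applies to every podman bridge on the host, not only the koito_default network this commit creates, so a one-line comment such as `# Any container may reach PostgreSQL (TCP) and the AdGuard Home resolver (UDP) on the host; access control is pg_hba in services/postgresql.nix` would record that the broad scope is deliberate. Minor style point: `"${matchAll}"` can be written as plain `${matchAll}`, since Nix accepts an interpolated attribute name without quotes.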
@@ -20,7 +20,7 @@ in {
 session_ttl = "720h";
 };
 dns = {
- bind_hosts = [ "0.0.0.0" ];
+ bind_hosts = [ "10.0.0.1" ];
 port = portDefinitions.adguardhome-dns;
 anonymize_client_ip = false;
 ratelimit = 0;
diff --git a/hosts/greatyamada/services/default.nix b/hosts/greatyamada/services/default.nix
index 0e68cdc..1c76eb3 100644
--- a/hosts/greatyamada/services/default.nix
+++ b/hosts/greatyamada/services/default.nix
@@ -5,6 +5,7 @@
 ./forgejo.nix
 ./inadyn.nix
 ./jellyfin.nix
+ ./koito.nix
 # ./minecraft
 ./nginx.nix
 ./pgadmin.nix
diff --git a/hosts/greatyamada/services/koito.nix b/hosts/greatyamada/services/koito.nix
new file mode 100644
index 0000000..147cca2
--- /dev/null
+++ b/hosts/greatyamada/services/koito.nix
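Review bot: Narrowing `bind_hosts` from `0.0.0.0` to the single address `10.0.0.1` carries no comment explaining the intent, and the companion change in nixos/default.nix opens UDP 53 on the podman interfaces, which only makes sense if containers are expected to reach this listener; a line such as `# Serve DNS on the LAN address only; containers reach it via the podman bridge (UDP 53 is opened per interface in nixos/default.nix)` would tie the two changes together. If anything on the host itself resolves through 127.0.0.1, it stops working with this change — worth confirming before merging. The address is also a bare literal that goes stale silently if the LAN addressing changes; if the repo declares the host's address elsewhere, referencing it from there would be safer than repeating it here.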
@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+ portDefinitions = import ./_port-definitions.nix;
+ nginxLocalConfig = import ./nginx-local-config.nix;
+in {
+ virtualisation.oci-containers.containers."koito" = {
+ image = "gabehf/koito:latest";
+ environment = {
+ "KOITO_ALLOWED_HOSTS" = "koito.rcia.dev";
+ "KOITO_ENABLE_LBZ_RELAY" = "true";
+ "KOITO_LBZ_RELAY_URL" = "https://api.listenbrainz.org/1";
+ };
+ environmentFiles = [ config.sops.templates."koito.env".path ];
+ volumes = [ "/mnt/hdd-01/koito:/etc/koito:rw" ];
+ ports = [ "${toString portDefinitions.koito}:4110/tcp" ];
+ log-driver = "journald";
+ extraOptions = [ "--network-alias=koito" "--network=koito_default" ];
+ };
+ systemd.services."podman-koito" = {
+ serviceConfig = { Restart = lib.mkOverride 90 "always"; };
+ after = [ "podman-network-koito_default.service" ];
+ requires = [ "podman-network-koito_default.service" ];
+ partOf = [ "podman-compose-koito-root.target" ];
+ wantedBy = [ "podman-compose-koito-root.target" ];
+ };
+
+ services.nginx.virtualHosts."koito.rcia.dev" = {
+ locations."/".proxyPass =
+ "http://localhost:${toString portDefinitions.koito}";
+ forceSSL = true;
+ useACMEHost = "rcia.dev";
+ };
+
+ sops = {
+ secrets = {
+ "koito/database_url" = { };
+ "koito/listenbrainz_token" = { };
+ };
+ templates."koito.env".content = ''
+ KOITO_DATABASE_URL=${config.sops.placeholder."koito/database_url"}
+ KOITO_LBZ_RELAY_TOKEN=${
+ config.sops.placeholder."koito/listenbrainz_token"
+ }
+ '';
+ };
+
+ # Networks
+ systemd.services."podman-network-koito_default" = {
+ path = [ pkgs.podman ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStop = "podman network rm -f koito_default";
+ };
+ script = ''
+ podman network inspect koito_default || podman network create koito_default
+ '';
+ partOf = [ "podman-compose-koito-root.target" ];
+ wantedBy = [ "podman-compose-koito-root.target" ];
+ };
+
+ # Root service
+ # When started, this will automatically create all 
resources and start
+ # the containers. When stopped, this will teardown all resources.
+ systemd.targets."podman-compose-koito-root" = {
+ unitConfig = { Description = "Root target generated by compose2nix."; };
+ after = [ "postgresql.service" ];
+ requires = [ "postgresql.service" ];
+ wantedBy = [ "multi-user.target" ];
+};
+}
diff --git a/hosts/greatyamada/services/postgresql.nix b/hosts/greatyamada/services/postgresql.nix
index 3c7596f..6260571 100644
--- a/hosts/greatyamada/services/postgresql.nix
+++ b/hosts/greatyamada/services/postgresql.nix
@@ -4,8 +4,17 @@ in {
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_16;
+ enableTCPIP = true;
 dataDir = "/mnt/ssd-01/postgresql/${config.services.postgresql.package.psqlSchema}";
 settings.port = portDefinitions.postgresql;
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+
+ # Allow containers access to the database
+ host all all 10.89.0.0/16 trust
+ '';
 };
}
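Review bot: `ports = [ "${toString portDefinitions.koito}:4110/tcp" ]` publishes the container's plain-HTTP port on every host address, yet its only consumer in this file is the nginx vhost proxying to `http://localhost:…`; binding the publish to loopback, `ports = [ "127.0.0.1:${toString portDefinitions.koito}:4110/tcp" ];`, keeps the listener from being reachable around the TLS front end (podman's published-port DNAT is, as far as I know, not gated by the NixOS INPUT-chain firewall, so `allowedTCPPorts` does not close this). `nginxLocalConfig` in the `let` block is never referenced in the file and can be dropped. `image = "gabehf/koito:latest"` is a floating tag, so any pull can silently change what runs and what the sops-delivered database credentials are handed to; pin a version tag or an `@sha256:` digest and bump it deliberately. The container-side `4110` is a literal while the host side comes from `portDefinitions.koito`; a short comment noting that the two merely happen to coincide would stop a future port change from being applied to the wrong side.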
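Review bot: `host all all 10.89.0.0/16 trust` grants password-less login as any role — the superuser included — to every client in the entire container subnet, and the firewall change in nixos/default.nix opens 5432 on all podman interfaces, so any container on this host, not just koito, gets full control of the database without presenting a credential. The koito database URL is already delivered through a sops template, so a password costs nothing here: replace that line with `host <koito-db> <koito-role> 10.89.0.0/16 scram-sha-256` (placeholders — use the database and role koito actually connects as) and narrow the `/16` to the koito_default network's range if it is known. `enableTCPIP = true` makes PostgreSQL listen on all addresses if I recall the NixOS option correctly, which leaves LAN exposure resting on the host firewall alone; setting `settings.listen_addresses` to loopback plus the container-bridge gateway would add a second layer. The `local` and loopback `trust` lines kept above the new entry also let any local process log in as superuser, so a comment stating that this is intended for this single-user host would help the next reader.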