diff --git a/systems/x86_64-linux/sgx/firefly.nix b/systems/x86_64-linux/sgx/firefly.nix
index 7b03607..cef398a 100644
--- a/systems/x86_64-linux/sgx/firefly.nix
+++ b/systems/x86_64-linux/sgx/firefly.nix
@@ -53,12 +53,6 @@ in
 "d ${inbox} 0700 firefly-iii-data-importer nginx -"
 "d ${importerHome}/.aqbanking/imexporters/csv/profiles 0700 firefly-iii-data-importer nginx -"
 "L+ ${importerHome}/.aqbanking/imexporters/csv/profiles/firefly.conf - - - - ${fireflyCsvProfile}"
- # Disable btrfs CoW on Firefly's SQLite directory — random-write
- # SQLite traffic fragments CoW filesystems quickly. New files in
- # this dir inherit the +C attribute. Existing database.sqlite,
- # -wal, -shm need a one-time recreate to apply (use sqlite3 .backup
- # into a fresh +C file). No-op on non-btrfs filesystems.
- "h /var/lib/firefly-iii/storage/database - - - - +C"
 ];
 
 services.firefly-sparda-fetch = {
@@ -140,6 +134,17 @@ in
 };
 
 services = {
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ "firefly-iii" ];
+ ensureUsers = [
+ {
+ name = "firefly-iii";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
 firefly-iii = {
 enable = true;
 enableNginx = true;
@@ -153,6 +158,11 @@ in
 DEFAULT_LOCALE = "de_DE";
 TRUSTED_PROXIES = "**";
 LOG_CHANNEL = "stack";
+ # PostgreSQL via Unix socket peer auth — no password needed.
+ DB_CONNECTION = "pgsql";
+ DB_HOST = "/run/postgresql";
+ DB_DATABASE = "firefly-iii";
+ DB_USERNAME = "firefly-iii";
 };
 };
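Review bot: The new `postgresql` block does not say that the role, the database and the OS account must all be named `firefly-iii`, which the rest of this change depends on. `ensureDBOwnership` requires the database and role names to match, and the socket peer authentication used by the `DB_*` settings in the last hunk maps the connecting OS user to a role of the same name. A comment such as `# role = database = OS user "firefly-iii"; required by ensureDBOwnership and socket peer auth` above `ensureUsers` would keep a later rename from silently breaking login. It also follows that any process running as that account has owner rights on the database, so that account is the one to keep tightly scoped. The `services` set continues outside the hunk.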
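Review bot: Nothing visible in this diff migrates or retires the existing SQLite data when `DB_CONNECTION` becomes `pgsql` in the last hunk. The comment removed in the first hunk names `database.sqlite`, `-wal` and `-shm` under `/var/lib/firefly-iii/storage/database`; if those files exist on this host they keep holding the financial records after the switch. I would record next to these settings, or in the commit message, how the data is carried over and that the old files are removed once the import is verified. File-level backups of that directory also stop covering the live data, so a dump job such as `services.postgresqlBackup` with `databases = [ "firefly-iii" ]` is worth adding if none is configured elsewhere. The enclosing `settings` set begins outside the hunk.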