diff --git a/npins/sources.json b/npins/sources.json
index 762395b..ae860cc 100644
--- a/npins/sources.json
+++ b/npins/sources.json
@@ -42,8 +42,8 @@
 "nixpkgs": {
 "type": "Channel",
 "name": "nixos-unstable-small",
- "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre819016.618b6dbfc210/nixexprs.tar.xz",
- "hash": "0iykh9dp93av07qjabiqmslc372jki3jzqpfy54nsy04702nz4b9"
+ "url": "https://releases.nixos.org/nixos/unstable-small/nixos-25.11pre819403.86c02c145a0b/nixexprs.tar.xz",
+ "hash": "1m8yiq7jaz24lbfdkch8m22lr8m1jkxkh9d1p4j1svm18f1nilyx"
 },
 "nixpkgs-24.11": {
 "type": "Channel",
diff --git a/profiles/gitlab.nix b/profiles/gitlab.nix
index df2b051..0299983 100644
--- a/profiles/gitlab.nix
+++ b/profiles/gitlab.nix
@@ -12,6 +12,9 @@ in
 gitlab-otp-secret = ../secrets/gitlab-otp-secret.age;
 gitlab-db-secret = ../secrets/gitlab-db-secret.age;
 gitlab-jws-secret = ../secrets/gitlab-jws-secret.age;
+ gitlab-arpk-secret = ../secrets/gitlab-arpk-secret.age;
+ gitlab-ardk-secret = ../secrets/gitlab-ardk-secret.age;
+ gitlab-ars-secret = ../secrets/gitlab-ars-secret.age;
 gitlab-db-password = ../secrets/gitlab-db-password.age;
 gitlab-initial-root-password = ../secrets/gitlab-initial-root-password.age;
 gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
@@ -33,6 +36,9 @@ in
 otpFile = secrets.gitlab-otp-secret.path;
 dbFile = secrets.gitlab-db-secret.path;
 jwsFile = secrets.gitlab-jws-secret.path;
+ activeRecordPrimaryKeyFile = secrets.gitlab-arpk-secret.path;
+ activeRecordDeterministicKeyFile = secrets.gitlab-ardk-secret.path;
+ activeRecordSaltFile = secrets.gitlab-ars-secret.path;
 };
 extraConfig.ldap = {
 enabled = true;
@@ -55,6 +61,11 @@ in
 };
 };
 
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_16;
+ };
+
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
diff --git a/profiles/sysadmin.nix b/profiles/sysadmin.nix
index ddfc053..5b28f4b 100644
--- a/profiles/sysadmin.nix
+++ b/profiles/sysadmin.nix
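Review bot: The three secret names added in the first hunk of profiles/gitlab.nix (`gitlab-arpk-secret`, `gitlab-ardk-secret`, `gitlab-ars-secret`) are abbreviations that only become readable once matched against the `activeRecord*File` options in the following hunk, and the same names recur in secrets/secrets.nix. A one-line comment above them would make the mapping explicit, for example `# Active Record encryption: primary key (arpk), deterministic key (ardk), key-derivation salt (ars)`. The attribute set these entries belong to starts and ends outside the hunk.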
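Review bot: Nothing next to `activeRecordPrimaryKeyFile`, `activeRecordDeterministicKeyFile` and `activeRecordSaltFile` in the second hunk of profiles/gitlab.nix records that these values must stay fixed for the life of the database. GitLab uses them for Active Record column encryption, so data written under them becomes unreadable if a file is regenerated or lost, and a database backup is only restorable together with the matching secrets. I would add `# Active Record encryption keys: never regenerate; restore together with the database backup` above the three lines and confirm the corresponding .age files are covered by the recovery procedure. The `secrets` set is opened outside the hunk.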
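Review bot: `package = pkgs.postgresql_16;` in the third hunk of profiles/gitlab.nix fixes the PostgreSQL major version, and the NixOS module derives its default data directory from that major version, so a cluster initialised under a different major would be left behind and the service would start on a new, empty data directory. The diff does not show which version the host ran before, so this should be checked on the machine (and a dump/restore or pg_upgrade step planned if it differs) before deploying. A comment stating the reason for the pin would help the next upgrade, for example `# pinned to the on-disk cluster's major version; upgrading needs a manual data migration`.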
@@ -4,6 +4,7 @@
 ../pubkeys/bensmrs.keys
 ../pubkeys/tomate.keys
 ../pubkeys/jeltz.keys
+ ../pubkeys/asyncnomi.keys
 ];
 
 backups.directories = [ "/root" ];
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index cd16550..ac9abd6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -66,6 +66,9 @@ in
 "gitlab-otp-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
 "gitlab-db-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
 "gitlab-jws-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+ "gitlab-arpk-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+ "gitlab-ardk-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
+ "gitlab-ars-secret.age".publicKeys = [ aragon ] ++ gitlab-admins;
 "gitlab-db-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
 "gitlab-initial-root-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
 "gitlab-ldap-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
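Review bot: The added `../pubkeys/asyncnomi.keys` entry in profiles/sysadmin.nix extends whatever access this key list feeds (presumably administrator SSH logins), yet no section of the visible diff adds or changes `pubkeys/asyncnomi.keys`, so the key material being trusted cannot be reviewed here. Confirm that the file is already tracked, since evaluation fails on a missing path, and that its fingerprints were verified with the owner over a separate channel. If the new administrator is also meant to decrypt the agenix secrets, the recipient lists in secrets/secrets.nix would need the key added and the existing .age files rekeyed, which nothing in this diff does. The list itself starts outside the hunk.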