diff --git a/lib/fudo/auth/kerberos/kdc.nix b/lib/fudo/auth/kerberos/kdc.nix
index 125bd83..cfab16a 100644
--- a/lib/fudo/auth/kerberos/kdc.nix
+++ b/lib/fudo/auth/kerberos/kdc.nix
@@ -188,6 +188,7 @@ let
 User = cfg.user;
 Group = cfg.group;
 Type = "oneshot";
+ Restart = "on-failure";
 RuntimeDirectory = "heimdal-hprop";
 ExecStartPre = pkgs.writeShellScript "kdc-prepare-hprop-dump.sh"
 (concatStringsSep " " [
@@ -325,10 +326,11 @@ let
 LimitNOFILE = 4096;
 User = cfg.user;
 Group = cfg.group;
- Restart = "always";
- RestartSec = "5s";
+ Restart =
+ "never"; # Server will retry -- this results in stacking
 AmbientCapabilities = "CAP_NET_BIND_SERVICE";
 SecureBits = "keep-caps";
+ ReadWritePaths = [ "${dirOf cfg.kdc.database}" ];
 ExecStart = concatStringsSep " " [
 "${pkgs.heimdal}/libexec/heimdal/hpropd"
 "--database=sqlite:${cfg.kdc.database}"
diff --git a/lib/fudo/postgres.nix b/lib/fudo/postgres.nix
index e31eb3f..e67cbd1 100644
--- a/lib/fudo/postgres.nix
+++ b/lib/fudo/postgres.nix
@@ -154,7 +154,7 @@ in {
 package = mkOption {
 type = package;
 description = "Which package to use for Postgresql server.";
- default = pkgs.postgresql_11_gssapi;
+ default = pkgs.postgresql_15_gssapi;
 };

 ssl-private-key = mkOption {
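Review bot: The added `Restart = "on-failure";` in the first kdc.nix hunk sits on a `Type = "oneshot"` unit with no `RestartSec`, so a failing propagation run is retried at systemd's short default interval until the start-rate limit trips, and each retry presumably re-runs the `ExecStartPre` database dump. Pairing it with an explicit delay, e.g. `RestartSec = "30s";` (value constructed for illustration), would keep an unreachable secondary from causing a burst of dumps and connection attempts. The service definition starts and ends outside the hunk, so an existing start limit may already cover this.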
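Review bot: `Restart = "never";` in the hpropd service (second kdc.nix hunk) is not a value systemd accepts for `Restart=`; the setting that disables restarts is `no`, so the line should read `Restart = "no"; # Server will retry -- this results in stacking`. As written, systemd would ignore the setting with a parse warning, and NixOS's unit checks may reject it at evaluation time. With restarts off, an hpropd crash leaves the replica database stale until someone notices, so key changes and principal removals on the primary would not reach this KDC; alerting on the unit's failed state would cover that. The new `ReadWritePaths` entry only takes effect if the unit also sets a restriction such as `ProtectSystem`, which is not visible in this hunk.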