diff --git a/flake.lock b/flake.lock
index 13821c5..c2af4a6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1710889954,
-        "narHash": "sha256-Pr6F5Pmd7JnNEMHHmspZ0qVqIBVxyZ13ik1pJtm2QXk=",
+        "lastModified": 1724334015,
+        "narHash": "sha256-5sfvc0MswIRNdRWioUhG58rGKGn2o90Ck6l6ClpwQqA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "7872526e9c5332274ea5932a0c3270d6e4724f3b",
+        "rev": "6d204f819efff3d552a88d0a44b5aaaee172b784",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index a7b0aaf..4c617a0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -19,6 +19,7 @@
           system = "x86_64-linux";
           modules = [
             (import ./modules/overlay.nix)
+            ./modules/loomio.nix
             ./hosts/test/configuration.nix
           ];
         };
diff --git a/hosts/test/configuration.nix b/hosts/test/configuration.nix
index 23dbf96..92492d3 100644
--- a/hosts/test/configuration.nix
+++ b/hosts/test/configuration.nix
@@ -19,11 +19,10 @@
   users.users.nixosvmtest.group = "nixosvmtest";
   users.groups.nixosvmtest = {};
 
-  users.groups.loomio = {};
-  users.users.loomio = {
-    description = "User to run loomio";
-    group = "loomio";
-    isSystemUser = true;
+  services.loomio = {
+    enable = true;
+    encyrptedCredentials = ./loomio-credentials.yml.enc;
+    credentialEncryptionKeyFile = ./loomio-master.key;
   };
 
   services.postgresql = {
@@ -32,23 +31,9 @@
     ensureUsers = [{
       name = "loomio";
       ensureDBOwnership = true;
-      # ensurePermissions = { "DATABASE loomio" = "ALL PRIVILEGES"; };
+      ensureClauses.superuser = true;
     }];
   };
 
-  systemd.services.loomio = {
-    enable = true;
-    after = [ "basic.target" ];
-
-    serviceConfig = {
-      User = "loomio";
-      Restart = "always";
-      ExecStart = "${pkgs.loomio}/bin/loomio";
-    };
-    environment = {
-      DATABASE_URL = "postgresql://localhost/loomio";
-    };
-  };
-
   system.stateVersion = "23.11";
 }
diff --git a/hosts/test/loomio-credentials.yml.enc b/hosts/test/loomio-credentials.yml.enc
new file mode 100644
index 0000000..45640a9
--- /dev/null
+++ b/hosts/test/loomio-credentials.yml.enc
@@ -0,0 +1 @@
+1LR0cmifVLl04EAAtWPaoBhy85l6u7pGPjiSheUe/vkKbu3S3MK4XV6vBOmGnki4yMrOvdpvpLomnlCxCxEyOYcDRtBh3LkgZ3+9Bx37IcRHfgobzWVG/ik1/ZA4w2zbo8u/oJD6/gtuJNXBTkWNgpo4/WCJddxrzbF1Jo/FawT/ecwPO5898x/VBZn79rMFqcSJ2NKY4noOhOr2+EosFBjEkU7T5QVag64WQDT5/Np2vVhFWPvCgyoXziKTjBpCIUE9dDcA7HFIPgZ5nZXIwdSmVdAN3cA1zDlQMGqA27R4tt9zuRkPCvnfNvfuuVp9FHuok7tUTFPNR6v6NPzvHNceHugUvFF9zu33MAl8tH9j5W3Wd7zPVxuYp9nU8nHPmQF5DlPUoqUERLq/0biF7+F/4KGkNl+DFkZW--EGCnUuZJQoZORDG3--UsPRfjEX4LFxe6ECg8uR9Q==
\ No newline at end of file
diff --git a/hosts/test/loomio-master.key b/hosts/test/loomio-master.key
new file mode 100644
index 0000000..7073936
--- /dev/null
+++ b/hosts/test/loomio-master.key
@@ -0,0 +1 @@
+dd587169f25e5ed7e391a511da13f491
\ No newline at end of file
diff --git a/modules/loomio.nix b/modules/loomio.nix
index 3c18730..a3b89b2 100644
--- a/modules/loomio.nix
+++ b/modules/loomio.nix
@@ -1,12 +1,116 @@
-{lib, ...}:
-{
+{pkgs, lib, config, ...}:
+let
+  cfg = config.services.loomio;
+  package = pkgs.loomio;
+
+  env = {
+    RAILS_ENV = "production";
+    BUNDLE_FORCE_RUBY_PLATFORM = "true";
+
+    LOOMIO_DATABASE = "loomio";
+    LOOMIO_ENCRYPTED_CREDENTIALS_PATH = cfg.encyrptedCredentials;
+  };
+  cfgService = {
+    User = "loomio";
+    Group = "loomio";
+    WorkingDirectory = package;
+    StateDirectory = "loomio";
+  };
+in {
   imports = [];
   options = {
-    enable = lib.mkEnableOption "loomio";
+    services.loomio = {
+      enable = lib.mkEnableOption "loomio";
+      encyrptedCredentials = lib.mkOption {
+        description = "Credentials required to run loomio";
+        type = lib.types.path;
+      };
+      credentialEncryptionKeyFile = lib.mkOption {
+        description = "File containing encryption key for the encyptedCredentials";
+        type = lib.types.path;
+      };
+    };
   };
   config = {
+    users.groups.loomio = {};
+    users.users.loomio = {
+      description = "User to run loomio";
+      group = "loomio";
+      isSystemUser = true;
+    };
+
+    systemd.services.loomio-init-dirs = {
+      enable = true;
+      after = ["network.target" ];
+      serviceConfig = cfgService // {
+        Type = "oneshot";
+      };
+      script = ''
+        cat > /var/lib/loomio/.secrets_env <<EOF
+        RAILS_MASTER_KEY=$(cat ${cfg.credentialEncryptionKeyFile})
+        EOF
+      '';
+    };
+
+    systemd.services.loomio-init-db = {
+      enable = true;
+      after = ["network.target" "postgresql.service" "loomio-init-dirs.service" ];
+      requires = [ "postgresql.service" "loomio-init-dirs.service" ];
+      serviceConfig = cfgService // {
+        Type = "oneshot";
+        EnvironmentFile = [ "/var/lib/loomio/.secrets_env" ];
+      };
+      environment = env;
+      path = [package config.services.postgresql.package];
+      script = ''
+        #!/usr/bin/env bash
+        result="$(psql -t --csv -c \
+            "select count(*) from pg_class c \
+            join pg_namespace s on s.oid = c.relnamespace \
+            where s.nspname not in ('pg_catalog', 'pg_toast', 'information_schema') \
+            and s.nspname not like 'pg_temp%';")" || error_code=$?
+        if [ "''${error_code:-0}" -ne 0 ]; then
+          echo "Failure checking if database is seeded. psql gave exit code $error_code"
+          exit "$error_code"
+        fi
+        if [ "$result" -eq 0 ]; then
+          echo "Seeding database"
+          SAFETY_ASSURED=1 rails db:schema:load
+          rails db:seed
+        else
+          echo "Migrating database (this might be a noop)"
+          rails db:migrate
+        fi
+      '';
+    };
+
     systemd.services.loomio = {
       enable = true;
+      after = [ "network.target" "loomio-init-db.service" ];
+      requires = [ "loomio.socket" "loomio-init-db.service" ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig =  cfgService // {
+        Type = "notify";
+        TimeoutStartSec = 120;
+        WatchdogSec = 10;
+        Restart = "always";
+        ExecStart = "${package}/bin/puma -C config/puma.rb";
+        EnvironmentFile = [ "/var/lib/loomio/.secrets_env" ];
+      };
+
+      environment = env // {
+        PORT="3000";
+      };
+    };
+
+    systemd.sockets.loomio = {
+      listenStreams = ["0.0.0.0:3000"];
+      socketConfig = {
+        NoDelay = true;
+        ReusePort = true;
+        Backlog = 1024;
+      };
     };
   };
 }
diff --git a/pkg/loomio/creds.patch b/pkg/loomio/creds.patch
new file mode 100644
index 0000000..7165aad
--- /dev/null
+++ b/pkg/loomio/creds.patch
@@ -0,0 +1,21 @@
+diff --git a/.gitignore b/.gitignore
+index 75bb667202..db91658d32 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -97,3 +97,5 @@ yarn-error.log*
+ 
+ # Ruby bundle and gems
+ /vendor
++
++/config/master.key
+diff --git a/config/environments/production.rb b/config/environments/production.rb
+index 05f46dad87..de8fbf9168 100644
+--- a/config/environments/production.rb
++++ b/config/environments/production.rb
+@@ -95,4 +95,6 @@ Rails.application.configure do
+ 
+   # Do not dump schema after migrations.
+   config.active_record.dump_schema_after_migration = false
++
++  config.credentials.content_path = ENV['LOOMIO_ENCRYPTED_CREDENTIALS_PATH']
+ end
diff --git a/pkg/loomio/default.nix b/pkg/loomio/default.nix
index 8965a9a..0ad403e 100644
--- a/pkg/loomio/default.nix
+++ b/pkg/loomio/default.nix
@@ -1,8 +1,20 @@
-{stdenv, writeText, callPackage, bundlerEnv, ruby_3_2 }:
-
+{stdenv,
+  writeShellScriptBin,
+  writeText,
+  symlinkJoin,
+  callPackage,
+  bundlerEnv,
+  ruby_3_2,
+  postgresql
+}:
 let
   gemfile-patch = callPackage ./gemfile-patch.nix {};
-  src = callPackage ./source.nix { patches = [gemfile-patch];};
+  src = callPackage ./source.nix {
+    patches = [
+      gemfile-patch
+      ./creds.patch
+    ];
+  };
   gems = bundlerEnv {
     name = "loomio-env";
     ruby = ruby_3_2;
@@ -12,28 +24,39 @@ let
 
   databaseConfig = writeText "database.yml" ''
     production:
-      url: <%= ENV['DATABASE_URL'] %>
+      adapter: postgresql
+      database: <%= ENV['LOOMIO_DATABASE'] %>
+      host: /var/run/postgresql
   '';
+
 in stdenv.mkDerivation {
   name = "loomio";
   inherit src;
+  nativeBuildInputs = [ gems gems.wrappedRuby ];
   buildInputs = [gems ruby_3_2];
+  buildPhase = ''
+    runHook preBuild
+
+    cp ${databaseConfig} config/database.yml
+    cp ${./puma.rb} config/puma.rb
+
+    export BUNDLE_FORCE_RUBY_PLATFORM=true
+    ${gems}/bin/bundle exec bootsnap precompile --gemfile app/ lib/
+
+    patchShebangs bin/
+
+    for b in $(ls ${gems}/bin/)
+    do
+      if [ ! -f bin/$b ]; then
+        ln -s ${gems}/bin/$b bin/$b
+      fi
+    done
+
+    runHook postBuild
+  '';
+
   installPhase = ''
-    mkdir -p $out/{bin,share/loomio}
-    cp -r * $out/share/loomio
-    bin=$out/bin/loomio
-    cp ${databaseConfig} $out/share/loomio/config/database.yml
-    cat > $bin <<EOF
-#!/usr/bin/env bash
-
-set -ex
-export BUNDLE_FORCE_RUBY_PLATFORM=true
-export RAILS_ENV=production
-${gems}/bin/bundle exec rake -f $out/share/loomio/Rakefile db:prepare
-${gems}/bin/bundle exec puma -C $out/share/loomio/config/puma.rb
-
-EOF
-
-    chmod +x $bin
+    mkdir -p $out
+    cp -r * $out
   '';
 }
diff --git a/pkg/loomio/gemfile-patch.nix b/pkg/loomio/gemfile-patch.nix
index 852dd2c..563983d 100644
--- a/pkg/loomio/gemfile-patch.nix
+++ b/pkg/loomio/gemfile-patch.nix
@@ -1,6 +1,6 @@
 {fetchurl}:
 fetchurl {
- url = "https://github.com/akshaymankar/loomio/commit/528641fd04135a186232568fbf9a4717e2053e86.patch";
- hash = "sha256-sg/4U72gZHoTYepZ4dIQlyC4YBjU5+YgIKI/Oj+XlRs=";
+ url = "https://github.com/akshaymankar/loomio/commit/e8d4c448dd448658aceeaf715b5ea601ee111c03.patch";
+ hash = "sha256-ruONUFWQ/0V+I9x6nV7wNr5xz1QMUPVvLR1xT6gBVRU=";
 }
 
diff --git a/pkg/loomio/gemset.nix b/pkg/loomio/gemset.nix
index 8db7f7e..4044718 100644
--- a/pkg/loomio/gemset.nix
+++ b/pkg/loomio/gemset.nix
@@ -818,7 +818,7 @@
     platforms = [];
     source = {
       remotes = ["http://rubygems.org"];
-      sha256 = "0szml3n6ql6wzl5fq2rcl1w9iksz4zb68p7cbbwkwc5kkp34ikgx";
+      sha256 = "07139870npj59jnl8vmk39ja3gdk3fb5z9vc0lf32y2h891hwqsi";
       type = "gem";
     };
     version = "1.17.0";
@@ -991,7 +991,7 @@
     platforms = [];
     source = {
       remotes = ["http://rubygems.org"];
-      sha256 = "00jg44v6az86mmh8gmr5l4lvryjhzla29qs4qi1gcdcqx2b7xlhk";
+      sha256 = "1mnxzcq8kmyfb9bkzqnp019d1hx1vprip3yzdkkha6b3qz5rgg9r";
       type = "gem";
     };
     version = "3.25.3";
@@ -1045,7 +1045,7 @@
     platforms = [];
     source = {
       remotes = ["http://rubygems.org"];
-      sha256 = "0xkpyc0hmb20xznyh1i1m093r1swni9wfmss0hks67fy6s6kmsr2";
+      sha256 = "03z8yq0z228g6xxxq6s2mmslpv6psrdmi30dpmhysr4px16d897n";
       type = "gem";
     };
     version = "1.62.0";
@@ -1387,6 +1387,16 @@
     };
     version = "1.1.5";
   };
+  mini_portile2 = {
+    groups = ["default" "development" "test"];
+    platforms = [];
+    source = {
+      remotes = ["http://rubygems.org"];
+      sha256 = "1q1f2sdw3y3y9mnym9dhjgsjr72sq975cfg5c4yx7gwv8nmzbvhk";
+      type = "gem";
+    };
+    version = "2.8.7";
+  };
   minitest = {
     groups = ["default" "development" "test"];
     platforms = [];
@@ -1503,12 +1513,12 @@
     version = "2.7.0";
   };
   nokogiri = {
-    dependencies = ["racc"];
+    dependencies = ["mini_portile2" "racc"];
     groups = ["default" "development" "test"];
     platforms = [];
     source = {
       remotes = ["http://rubygems.org"];
-      sha256 = "1aiz5hg2pfjnk756f2zd0723m3wq30gkmishmc76jwn51yw341v3";
+      sha256 = "15gysw8rassqgdq3kwgl4mhqmrgh7nk2qvrcqp4ijyqazgywn6gq";
       type = "gem";
     };
     version = "1.16.7";
diff --git a/pkg/loomio/puma.rb b/pkg/loomio/puma.rb
new file mode 100644
index 0000000..a828f9f
--- /dev/null
+++ b/pkg/loomio/puma.rb
@@ -0,0 +1,26 @@
+max_threads_count = ENV['RAILS_MAX_THREADS'] || ENV['MAX_THREADS'] ||  5
+min_threads_count = ENV['RAILS_MIN_THREADS'] || ENV['MIN_THREADS'] || max_threads_count
+threads min_threads_count, max_threads_count
+
+# Specifies the `port` that Puma will listen on to receive requests; default is 3000.
+#
+port ENV.fetch("PORT") { 3000 }
+
+# Specifies the `environment` that Puma will run in.
+#
+environment ENV.fetch("RAILS_ENV") { "development" }
+
+# Specifies the number of `workers` to boot in clustered mode.
+# Workers are forked web server processes. If using threads and workers together
+# the concurrency of the application would be max `threads` * `workers`.
+# Workers do not work on JRuby or Windows (both of which do not support
+# processes).
+#
+workers ENV['PUMA_WORKERS'] || ENV['WEB_CONCURRENCY'] || 0
+
+# Use the `preload_app!` method when specifying a `workers` number.
+# This directive tells Puma to first boot the application and load code
+# before forking the application. This takes advantage of Copy On Write
+# process behavior so workers use less memory.
+#
+preload_app!
diff --git a/pkg/loomio/update.sh b/pkg/loomio/update.sh
index 1474b5d..87dbbb8 100755
--- a/pkg/loomio/update.sh
+++ b/pkg/loomio/update.sh
@@ -99,7 +99,7 @@ in
   inherit version;
 }
 EOF
-SOURCE_DIR="$(nix-build --no-out-link -E '(import <nixpkgs> {}).callPackage ./source.nix {}')"
+SOURCE_DIR="$(nix-build --no-out-link -E 'let pkgs = import <nixpkgs> {}; in pkgs.callPackage ./source.nix { patches = [(pkgs.callPackage ./gemfile-patch.nix {})]; }')"
 
 echo "Creating gemset.nix"
 BUNDLE_FORCE_RUBY_PLATFORM=true bundix --lockfile="$SOURCE_DIR/Gemfile.lock" --gemfile="$SOURCE_DIR/Gemfile"