diff --git a/hosts/nachtigall/apps/mediawiki.nix b/hosts/nachtigall/apps/mediawiki.nix
index 0975271..ac1268d 100644
--- a/hosts/nachtigall/apps/mediawiki.nix
+++ b/hosts/nachtigall/apps/mediawiki.nix
@@ -4,46 +4,141 @@
   lib,
   pkgs,
   ...
-}: let
-  OpenIDConnectPHP = pkgs.fetchzip {
-    url = "https://github.com/jumbojett/OpenID-Connect-PHP/archive/refs/tags/v0.9.10.tar.gz";
-    sha256 = "sha256-ezAUq/BgA1CITnO/tmUkvro7VRNAstnEdUp9WksOL7w=";
-  };
+}: let 
+  localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
+<?php
+  # Protect against web entry
+  if ( !defined( 'MEDIAWIKI' ) ) {
+    exit;
+  }
 
-  phpseclib = pkgs.fetchzip {
-    url = "https://github.com/phpseclib/phpseclib/archive/refs/tags/3.0.33.tar.gz";
-    sha256 = "sha256-d/9Jg1kzhkWwy/YrVq+JbTWplwICqnifMu34ns+JjL4=";
-  };
+  error_reporting( -1 );
+  ini_set( 'display_errors', 1 );
+  $wgDBerrorLog = '/var/log/mediawiki/dberror.log';
+  $wgDebugLogFile = "/var/log/mediawiki/debug.log";
+  $wgShowExceptionDetails = true;
 
-  constant_time_encoding = pkgs.fetchzip {
-    url = "https://github.com/paragonie/constant_time_encoding/archive/refs/tags/v2.6.3.tar.gz";
-    sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
-  };
+  $wgSitename = "pub.solar wiki";
+  $wgMetaNamespace = false;
 
-  mediawikiWithComposer = pkgs.stdenv.mkDerivation {
-    name = "mediawiki-oidc";
-    src = pkgs.mediawiki;
-    version = pkgs.mediawiki.version;
+  ## The URL base path to the directory containing the wiki;
+  ## defaults for all runtime URL paths are based off of this.
+  ## For more information on customizing the URLs
+  ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
+  ## https://www.mediawiki.org/wiki/Manual:Short_URL
+  $wgScriptPath = "https://wiki.pub.solar";
 
-    installPhase = ''
-      mkdir -p $out
-      cp -r * $out
+  ## The protocol and server name to use in fully-qualified URLs
+  $wgServer = "https://wiki.pub.solar";
 
-      mkdir -p $out/share/mediawiki/vendor/jumbojett
-      cp -r ${OpenIDConnectPHP} $out/share/mediawiki/vendor/jumbojett/OpenID-Connect-PHP
-      mkdir -p $out/share/mediawiki/vendor/phpseclib
-      cp -r ${phpseclib} $out/share/mediawiki/vendor/phpseclib/phpseclib
-      mkdir -p $out/share/mediawiki/vendor/paragonie
-      cp -r ${constant_time_encoding} $out/share/mediawiki/vendor/paragonie/constant_time_encoding
-    '';
-  };
+  ## The URL path to static resources (images, scripts, etc.)
+  $wgResourceBasePath = $wgScriptPath;
+
+  ## The URL path to the logo.  Make sure you change this from the default,
+  ## or else you'll overwrite your logo when you upgrade!
+  $wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
+
+  ## UPO means: this is also a user preference option
+
+  $wgEnableEmail = true;
+  $wgEnableUserEmail = true; # UPO
+
+  $wgPasswordSender = "admins@pub.solar";
+
+  $wgEnotifUserTalk = false; # UPO
+  $wgEnotifWatchlist = false; # UPO
+  $wgEmailAuthentication = true;
+
+  ## Database settings
+  $wgDBtype = "mysql";
+  $wgDBserver = "mediawiki-db";
+  $wgDBport = "3306";
+  $wgDBname = "mediawiki";
+  $wgDBuser = "mediawiki";
+  $wgDBpassword = file_get_contents("/run/agenix/mediawiki-database-password");
+
+  ## Shared memory settings
+  $wgMainCacheType = CACHE_NONE;
+  $wgMemCachedServers = [];
+
+  $wgEnableUploads = true;
+  $wgUploadDirectory = "/var/www/html/uploads";
+
+
+  $wgUseImageMagick = true;
+  $wgImageMagickConvertCommand = "/usr/bin/convert";
+
+  # InstantCommons allows wiki to use images from https://commons.wikimedia.org
+  $wgUseInstantCommons = false;
+
+  # Periodically send a pingback to https://www.mediawiki.org/ with basic data
+  # about this MediaWiki instance. The Wikimedia Foundation shares this data
+  # with MediaWiki developers to help guide future development efforts.
+  $wgPingback = true;
+
+  ## If you use ImageMagick (or any other shell command) on a
+  ## Linux server, this will need to be set to the name of an
+  ## available UTF-8 locale
+  $wgShellLocale = "C.UTF-8";
+
+  # Site language code, should be one of the list in ./languages/data/Names.php
+  $wgLanguageCode = "en";
+
+  $wgSecretKey = file_get_contents("/run/agenix/mediawiki-secret-key");
+
+  # Changing this will log out all existing sessions.
+  $wgAuthenticationTokenVersion = "";
+
+  ## For attaching licensing metadata to pages, and displaying an
+  ## appropriate copyright notice / icon. GNU Free Documentation
+  ## License and Creative Commons licenses are supported so far.
+  $wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
+  $wgRightsUrl = "";
+  $wgRightsText = "";
+  $wgRightsIcon = "";
+
+  # Path to the GNU diff3 utility. Used for conflict resolution.
+  $wgDiff = "/usr/bin/diff";
+  $wgDiff3 = "/usr/bin/diff3";
+
+  # Enabled skins.
+  wfLoadSkin('MonoBook');
+  wfLoadSkin('Timeless');
+  wfLoadSkin('Vector');
+
+  # Enabled extensions.
+  wfLoadExtension('OpenIDConnect');
+  wfLoadExtension('PluggableAuth');
+  wfLoadExtension('VisualEditor');
+
+
+  # End of automatically generated settings.
+  # Add more configuration options below.
+
+  // $wgLogos = 'https://pub.solar/assets/pubsolar.svg';
+
+  $wgDefaultSkin = 'vector-2022';
+
+  // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
+  $wgGroupPermissions['*']['autocreateaccount'] = true;
+
+  // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
+  $wgPluggableAuth_EnableAutoLogin = true;
+  $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
+
+  // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
+  $wgPluggableAuth_Config[] = [
+      'plugin' => 'OpenIDConnect',
+      'data' => [
+          'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
+          'clientID' => 'mediawiki',
+          'clientsecret' => readfile('/run/agenix/mediawiki-oidc-client-secret')
+      ]
+  ];
+  $wgOpenIDConnect_SingleLogout = true;
+  $wgOpenIDConnect_MigrateUsersByEmail = true;
+  '';
 in {
-  age.secrets.mediawiki-admin-password = {
-    file = "${flake.self}/secrets/mediawiki-admin-password.age";
-    mode = "600";
-    owner = "mediawiki";
-  };
-
   age.secrets.mediawiki-database-password = {
     file = "${flake.self}/secrets/mediawiki-database-password.age";
     mode = "600";
@@ -56,6 +151,12 @@ in {
     owner = "mediawiki";
   };
 
+  age.secrets.mediawiki-secret-key = {
+    file = "${flake.self}/secrets/mediawiki-secret-key.age";
+    mode = "600";
+    owner = "mediawiki";
+  };
+
   services.nginx.virtualHosts."wiki.pub.solar" = {
     enableACME = true;
     forceSSL = true;
@@ -63,69 +164,28 @@ in {
     locations."/".proxyPass = "http://127.0.0.1:8293";
   };
 
-  services.mediawiki = {
-    enable = true;
-    url = "https://wiki.pub.solar";
-    name = "pub.solar wiki";
-    package = mediawikiWithComposer;
-    passwordFile = config.age.secrets.mediawiki-admin-password.path;
+  virtualisation = {
+    oci-containers = {
+      backend = "docker";
 
-    httpd.virtualHost = {
-      hostName = "wiki.pub.solar";
-      adminAddr = "admins@pub.solar";
-      listen = [{ ip = "127.0.0.1"; port = 8293; }];
-    };
+      containers."mediawiki" = {
+        image = "git.pub.solar/pub-solar/mediawiki-oidc-docker";
+        user = "${builtins.toString config.users.users.mediawiki.uid}:www-data";
+        autoStart = true;
 
-    database = {
-      type = "postgres";
-      user = "mediawiki";
-      name = "mediawiki";
-      passwordFile = config.age.secrets.mediawiki-database-password.path;
-      socket = "/run/postgresql";
-      createLocally = false;
-    };
+        ports = [
+          "127.0.0.1:8293:80"
+        ];
 
-    extraConfig = ''
-      error_reporting( -1 );
-      ini_set( 'display_errors', 1 );
-      $wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
-
-      // $wgLogos = 'https://pub.solar/assets/pubsolar.svg';
-
-      $wgDefaultSkin = 'vector-2022'; 
-
-      // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Installation
-      $wgGroupPermissions['*']['autocreateaccount'] = true;
-
-      // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
-      $wgPluggableAuth_EnableAutoLogin = true;
-      $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
-
-      // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
-      $wgPluggableAuth_Config[] = [
-          'plugin' => 'OpenIDConnect',
-          'data' => [
-              'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
-              'clientID' => 'mediawiki',
-              'clientsecret' => readfile('${config.age.secrets.mediawiki-oidc-client-secret.path}')
-          ]
-      ];
-      $wgOpenIDConnect_SingleLogout = true;
-      $wgOpenIDConnect_MigrateUsersByEmail = true;
-    '';
-
-    extensions = {
-      # some extensions are included and can enabled by passing null
-      VisualEditor = null;
-
-      PluggableAuth = pkgs.fetchzip {
-        url = "https://github.com/wikimedia/mediawiki-extensions-PluggableAuth/archive/master.tar.gz";
-        sha256 = "sha256-S8d2YQIBmC9q2Jscw6XflaxQ4e+XE7ukQDuwXStyKGQ=";
-      };
-
-      OpenIDConnect = pkgs.fetchzip {
-        url = "https://github.com/wikimedia/mediawiki-extensions-OpenIDConnect/archive/master.tar.gz";
-        sha256 = "sha256-mFPunUr50tRrEUcqu1p7xWt+eTbvBVamuP34Bhffx+0=";
+        volumes = [
+          "/run/agenix/mediawiki-database-password:/run/agenix/mediawiki-database-password"
+          "/run/agenix/mediawiki-oidc-client-secret:/run/agenix/mediawiki-oidc-client-secret"
+          "/run/agenix/mediawiki-secret-key:/run/agenix/mediawiki-secret-key"
+          "/var/lib/mediawiki/images:/var/www/html/images"
+          "/var/lib/mediawiki/uploads:/var/www/html/uploads"
+          "/var/lib/mediawiki/logs:/var/log/mediawiki"
+          "${localSettingsPHP}:/var/www/html/LocalSettings.php"
+        ];
       };
     };
   };
diff --git a/hosts/nachtigall/apps/postgresql.nix b/hosts/nachtigall/apps/postgresql.nix
index 82d66e7..5ab56c6 100644
--- a/hosts/nachtigall/apps/postgresql.nix
+++ b/hosts/nachtigall/apps/postgresql.nix
@@ -1,7 +1,11 @@
 { ... }:
 
 {
-  services.postgresql.enable = true;
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+  };
+
   systemd.services.postgresql = {
     after = [
       "var-lib-postgresql.mount"
diff --git a/overlays/default.nix b/overlays/default.nix
index 7bfa77b..f44aeed 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -9,6 +9,7 @@
         nixpkgs.overlays = [
           (final: prev: {
             mastodon = inputs.mastodon-fork.legacyPackages.${prev.system}.mastodon;
+            mediawiki = inputs.unstable.legacyPackages.${prev.system}.mediawiki;
           })
         ];
       });
diff --git a/secrets/mediawiki-secret-key.age b/secrets/mediawiki-secret-key.age
new file mode 100644
index 0000000..c1a2671
--- /dev/null
+++ b/secrets/mediawiki-secret-key.age
@@ -0,0 +1,28 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg MGfeCP81T9itCIgFoOcDoJfLtvfOb1dEtx4SjRfQMDU
+QJcTZDMx6qZfTtQxRpDAb5oA7PWqAgVDiZ5m9PeD3OU
+-> ssh-ed25519 uYcDNw 3uX4IxJVdepJ/258XhKUEOeX00nbKQ3+8WskCE/Oex0
+WaTAvd0zrcyFFwz7QWwaEsBrtp08g3wbANJvoL+hkfc
+-> ssh-rsa kFDS0A
+kgdsJuX6ZiMPJx5OjJuu0pjLqIr7vmw6SSRAWVR2RgxUbZ2L0khOUCOSbeHExpju
+RtadRLVKgxGkGAYqaivcUj0fu71RbxAfsCkY6hwrXGAwWLLcviTeZpRJUcVWWdkW
+DkZKVukqq2XeB33CqVcTanEVgTmwfuASVb5WL/FBrDpITV0oTcyJB5k57Qor7utC
+9PBYJmkq8ZDbpcZQM210XYCJdOhK4J4j0Rbq3Er6a9mlxVWuGUiBUUXluwDBN7iG
+sEha1Y6GvWfaqy3Y0Y+XxkNx3KsRnRvT3h9lmCM/RVaIGIeOTgF/ZRSKoUuMZ9nY
++XCXTGOhUZZBb/d0Edh+0EF7JCNOHA0Uygu+8RjxxNTMxLDV2eR5N+yYH4tbPuQj
+QI3Wo8H5iDwwCnyDwmXwkRWd9aEhfG16S3NqbyCfEA/xIUgQnIEx7DEjLJwDrb4v
+IVL6cxqSU/GCV2x7HyHf4syZBSQ6oC2Cy5sEJ5WV1m7+S35Vh5UQcxh+oNk1Gxji
+Y6yhem70RFLauzxldNcpI/xKTsj+mfrI21+fb6InVSHzlME0ggcMdz5mp799TEeg
+GYO+lIlfKIPWcQYI6Ci+Qbs1bGZ8kJy82C6arW6rooPQTdqnOgJE++1lj9dZO6bx
+W9oEdGnkIN/QH8RWVLi9bgznVmlzLLpYqM/d+bpEA+k
+-> ssh-ed25519 YFSOsg ccuBr0eGaJ/t2lWMhKNP/c2TtpmGYaenxQSQI9DJv3c
+uLGi3j4gt5xRj3MOsLUjkkA9dCS12feyLQf1YZtDvgg
+-> ssh-ed25519 iHV63A GHevWTk7/M0TtlIo/uZnCn84jq9I2jP9ehkt6PxRgEc
+nF5O/yCV/3zduBtGw6VbwPS2jFHJlUgHiSytDOPSzaU
+-> ssh-ed25519 BVsyTA Tw/06YNSoYYlrtfocjh0pitrWJc8zNAr8RLc42mMjWI
+RaA9t5VwYWYHFquZuXmNrGVkdDOJDh3dgVG+31UxhM8
+-> %zh9-grease 6 rETV7H
+1TID2TYG2RCwwRws8vOvdfDM0zQcqRTDqfJbZsbOAiZQnOU3Lt8g+rwcSgOB7kX4
+lx5lPRHxCa+86NljA+tW5l5u1JZurA
+--- wBDm8U0KDrRkdoeUfQq0Zk81611Im9hlSo96NE4FB9w
+ȕ��7��]�DB��ўܳ�D[DC�����J�JrE+ݿ�p
���3x�t�J�LӲ��1
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4a41652..dfea645 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -44,4 +44,5 @@ in {
   "mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
   "mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
   "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
+  "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
 }