diff --color -ruN base/sandbox/docker-compose.yml hybrid/sandbox/docker-compose.yml --- base/sandbox/docker-compose.yml 2025-05-16 19:46:23.713755709 +0200 +++ hybrid/sandbox/docker-compose.yml 2025-05-18 15:04:00.800680098 +0200 @@ -4,28 +4,16 @@ container_name: vaultwarden restart: unless-stopped networks: - - nginx - - vaultwarden + - internal environment: DOMAIN: "https://bitwarden.vm.local" - DATABASE_URL: "postgres://vaultwarden:vaultwarden@vaultwarden-db:5432/vaultwarden" + DATABASE_URL: "postgres://vaultwarden:vaultwarden@postgres:5432/vaultwarden" volumes: - ./vw-data/:/data/ expose: - 80 - - vaultwarden-db: - image: docker.io/library/postgres:latest - container_name: vaultwarden-db - restart: unless-stopped - environment: - POSTGRES_DB: vaultwarden - POSTGRES_USER: vaultwarden - POSTGRES_PASSWORD: vaultwarden - volumes: - - ./vw-postgres:/var/lib/postgresql/data - networks: - - vaultwarden + extra_hosts: + - "postgres:172.18.0.1" gitea: image: docker.gitea.com/gitea:latest @@ -34,15 +22,14 @@ - USER_UID=1000 - USER_GID=1000 - GITEA__database__DB_TYPE=postgres - - GITEA__database__HOST=gitea-db:5432 + - GITEA__database__HOST=postgres:5432 - GITEA__database__NAME=gitea - GITEA__database__USER=gitea - GITEA__database__PASSWD=gitea - GITEA__security__INSTALL_LOCK=true restart: unless-stopped networks: - - nginx - - gitea + - internal volumes: - ./gitea:/data - /etc/timezone:/etc/timezone:ro 
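Review bot: The new `extra_hosts` entry pins the database host to the literal gateway address 172.18.0.1, which holds only while the `internal` network's ipam block at the end of this file keeps that gateway, and the same literal is repeated for gitea and vulnerable below and again in playbook.yml's `listen_addresses` and pg_hba lines. A single extension field, `x-postgres-host: &postgres_host "postgres:172.18.0.1"`, aliased from each `extra_hosts` list, or interpolation such as `"postgres:${PG_GATEWAY}"` from an `.env` file, would leave one place to change, and a comment on the entry like `# host-side PostgreSQL via the internal bridge gateway; must match networks.internal.ipam` makes the coupling visible. DATABASE_URL still carries the role password inline; now that the database is shared host-side, `${VAULTWARDEN_DB_PASSWORD}` resolved from an untracked `.env` keeps it out of the committed compose file.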
@@ -50,33 +37,24 @@ expose: - 3000 - 22 - - gitea-db: - image: docker.io/library/postgres:latest - container_name: gitea-db - restart: unless-stopped - environment: - - POSTGRES_USER=gitea - - POSTGRES_PASSWORD=gitea - - POSTGRES_DB=gitea - volumes: - - ./postgres:/var/lib/postgresql/data - networks: - - gitea + extra_hosts: + - "postgres:172.18.0.1" vulnerable: build: /vagrant/sandbox/vuln ports: - 2222:22 networks: - - nginx + - internal + extra_hosts: + - "postgres:172.18.0.1" nginx: image: nginx:latest container_name: nginx restart: unless-stopped networks: - - nginx + - internal volumes: - ./nginx.conf:/etc/nginx/conf.d/default.conf - ./nginx/certs:/etc/nginx/certs @@ -85,9 +63,9 @@ - 443:443 networks: - nginx: - driver: bridge - gitea: + internal: driver: bridge - vaultwarden: - driver: bridge \ No newline at end of file + ipam: + config: + - subnet: 172.18.0.0/16 + gateway: 172.18.0.1 \ No newline at end of file diff --color -ruN base/sandbox/playbook.yml hybrid/sandbox/playbook.yml --- base/sandbox/playbook.yml 2025-05-17 15:34:39.895845622 +0200 +++ hybrid/sandbox/playbook.yml 2025-05-17 15:34:46.781062066 +0200 @@ -15,6 +15,9 @@ - curl - software-properties-common - virtualenv + - python3-psycopg2 + - postgresql + - acl - bc - sysstat state: latest 
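Review bot: The `vulnerable` service is attached to `internal` and handed the same `postgres` host entry, so the container built from the intentionally weak image now has a direct network path to the host PostgreSQL that holds the Vaultwarden and Gitea databases, while nothing visible in its compose definition needs a database. If that reachability is part of the exercise, say so on the entry, e.g. `# deliberately reachable from the vulnerable host for the lab scenario`; otherwise drop `extra_hosts` from this service, which together with per-role pg_hba rules on the host limits database exposure to the two application containers.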
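Review bot: Pinning `internal` to 172.18.0.0/16 may collide with a network Docker has already allocated from its default pool; in particular, on a host where the previous project's `nginx`, `gitea` and `vaultwarden` networks still exist, that subnet is likely taken and `docker compose up` will refuse to create the network until they are removed. Since the gateway value is what playbook.yml's `listen_addresses` and pg_hba rule depend on, a comment on the block would help, e.g. `# fixed so the gateway matches listen_addresses/pg_hba in playbook.yml; change both together`. The new side also ends without a trailing newline.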
@@ -150,6 +153,62 @@ name: ssh state: restarted + - name: Ensure PostgreSQL service is running + service: + name: postgresql + state: started + enabled: yes + + - name: Create PostgreSQL user for gitea + become: true + become_user: postgres + postgresql_user: + name: gitea + password: gitea + state: present + + - name: Create PostgreSQL database for gitea + become: true + become_user: postgres + postgresql_db: + name: gitea + owner: gitea + state: present + + - name: Create PostgreSQL user for vaultwarden + become: true + become_user: postgres + postgresql_user: + name: vaultwarden + password: vaultwarden + state: present + + - name: Create PostgreSQL database for vaultwarden + become: true + become_user: postgres + postgresql_db: + name: vaultwarden + owner: vaultwarden + state: present + + - name: Set PostgreSQL to listen on localhost and Docker bridge IP + become: yes + lineinfile: + path: /etc/postgresql/14/main/postgresql.conf + regexp: '^#?listen_addresses\s*=' + line: "listen_addresses = 'localhost,172.18.0.1'" + notify: Restart PostgreSQL + + - name: Allow connections from Docker subnet in pg_hba.conf + become: yes + lineinfile: + path: /etc/postgresql/14/main/pg_hba.conf + line: 'host all all 172.18.0.0/16 md5' + create: yes + insertafter: EOF + state: present + notify: Restart PostgreSQL + - name: Ensure Docker service is running service: name: docker @@ -159,4 +218,12 @@ - name: Run docker compose up -d command: docker compose up -d args: - chdir: /home/vagrant \ No newline at end of file + chdir: /home/vagrant + + + handlers: + - name: Restart PostgreSQL + become: yes + service: + name: postgresql + state: restarted \ No newline at end of file
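Review bot: Both `notify: Restart PostgreSQL` tasks only queue the handler, and handlers run at the end of the play, so the `listen_addresses` and pg_hba changes take effect after `docker compose up -d` (next hunk) has already started the containers; add `- meta: flush_handlers` before the "Ensure Docker service is running" task so PostgreSQL is restarted first. The rule `host all all 172.18.0.0/16 md5` opens every database to every role from the whole Docker subnet, including the `vulnerable` container that also receives the `postgres` host entry in docker-compose.yml; one rule per application role with `scram-sha-256` (PostgreSQL 14 stores SCRAM verifiers by default, so the roles created above authenticate with it) limits access to the two services that need it, and `create: yes` should go, since a missing pg_hba.conf signals a broken install rather than a file to create. `/etc/postgresql/14/main/` hard-codes a major version that the package hunk installs unpinned (`postgresql` under `state: latest`), so the path is probably better taken from a variable. The `yes` booleans (`enabled`, `become`, `create`) should be `true`, as the user and database tasks in this same hunk already write.
```yaml
    - name: Allow application roles from the Docker subnet in pg_hba.conf
      become: true
      lineinfile:
        path: /etc/postgresql/14/main/pg_hba.conf
        line: "host {{ item }} {{ item }} 172.18.0.0/16 scram-sha-256"
        insertafter: EOF
        state: present
      loop:
        - gitea
        - vaultwarden
      notify: Restart PostgreSQL

    # Apply the listen_addresses/pg_hba changes before any container tries to connect
    - meta: flush_handlers

    # … unchanged: Ensure Docker service is running …
```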
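Review bot: The handler spells `become: yes` while the tasks that notify it use `become: true`; `become: true` keeps the file consistent and satisfies yamllint's truthy rule. Whether `become` is needed on the handler at all depends on the play-level settings, which lie outside this hunk. Two blank lines precede `handlers:` and the file ends without a newline; one blank line and a trailing newline match the rest of the file.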