diff --git a/hosts/koi/containers/zond/default.nix b/hosts/koi/containers/zond/default.nix
index 0e7adb8..7081585 100644
--- a/hosts/koi/containers/zond/default.nix
+++ b/hosts/koi/containers/zond/default.nix
@@ -1,14 +1,56 @@
-{ ... }:
+{ abs, config, ... }:
-{
- # todo - move this from an ad-hoc docker compose to a proper service
+let
+ secrets = import (abs "lib/secrets.nix");
+
+ UID = 1116;
+in {
 # todo 2: update UMAMI_HOST in teisu-env
+
+ imports = [
+ (secrets.declare [
+ {
+ name = "umami-env";
+ owner = "umami";
+ }
+ ])
+ ];
+
+ users.users.umami = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ services.postgresql.ensureUsers = [
+ { name = "umami"; ensureDBOwnership = true; }
+ ];
+ services.postgresql.ensureDatabases = [ "umami" ];
+ desu.postgresql.ensurePasswords.umami = "umami";
+
+ systemd.services.docker-umami.after = [ "postgresql.service" ];
+ virtualisation.oci-containers.containers.umami = {
+ image = "ghcr.io/umami-software/umami:postgresql-v2.13.2";
+
+ environment = {
+ DATABASE_TYPE = "postgresql";
+ DATABASE_URL = "postgresql://umami:umami@172.17.0.1:5432/umami";
+ DISABLE_TELEMETRY = "1";
+ DISABLE_UPDATES = "1";
+ };
+
+ environmentFiles = [
+ (secrets.file config "umami-env")
+ ];
+
+ user = "${builtins.toString UID}";
+ };
+
 services.nginx.virtualHosts."zond.tei.su" = {
 forceSSL = true;
 useACMEHost = "tei.su";
 locations."/" = {
- proxyPass = "http://umami.umami.docker:3000$request_uri";
+ proxyPass = "http://umami.docker:3000$request_uri";
 };
 };
 }
\ No newline at end of file
diff --git a/secrets/teisu-env.age b/secrets/teisu-env.age
index 08cb279..ad8de59 100644
Binary files a/secrets/teisu-env.age and b/secrets/teisu-env.age differ
diff --git a/secrets/umami-env.age b/secrets/umami-env.age
new file mode 100644
index 0000000..2235a1b
Binary files /dev/null and b/secrets/umami-env.age differ
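Review bot: The database credential is committed in clear text in two places in `default.nix`: `desu.postgresql.ensurePasswords.umami = "umami"` (presumably the role password; the option is defined outside this diff) and the `DATABASE_URL` under `environment`. Values in `environment` are rendered into the generated unit in the world-readable Nix store, so the password is readable by every local user as well as from the repository. The change already passes an encrypted `umami-env` file through `environmentFiles`, so `DATABASE_URL` can move into that secret with a generated password and the line `DATABASE_URL = "postgresql://umami:umami@172.17.0.1:5432/umami";` can be dropped. A password equal to the role name also protects nothing from any client allowed to reach PostgreSQL on the bridge address `172.17.0.1`; which sources `pg_hba.conf` admits there is not visible here and is worth confirming. Separately, `isNormalUser = true` gives the service account a home directory and the default login shell, where `isSystemUser = true` with an explicit `group` would be the narrower choice.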