diff --git a/postgres/ssl/ca.crt b/postgres/certs/ca.crt
similarity index 100%
rename from postgres/ssl/ca.crt
rename to postgres/certs/ca.crt
diff --git a/postgres/ssl/server.crt b/postgres/certs/server.crt
similarity index 100%
rename from postgres/ssl/server.crt
rename to postgres/certs/server.crt
diff --git a/postgres/ssl/server.key b/postgres/certs/server.key
similarity index 100%
rename from postgres/ssl/server.key
rename to postgres/certs/server.key
diff --git a/postgres/custom-conf/pg_hba.conf b/postgres/custom-conf/pg_hba.conf
new file mode 100644
index 0000000..43c7472
--- /dev/null
+++ b/postgres/custom-conf/pg_hba.conf
@@ -0,0 +1,3 @@
+# TYPE DATABASE USER ADDRESS METHOD
+hostssl all all 192.168.2.0/24 md5
+hostssl all all 127.0.0.1/32 md5
\ No newline at end of file
diff --git a/postgres/docker-compose.yml b/postgres/docker-compose.yml
index 0c704f1..ecb7720 100644
--- a/postgres/docker-compose.yml
+++ b/postgres/docker-compose.yml
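Review bot: Both rules use `md5` as the METHOD, while the `postgres:latest` image this commit switches to stores passwords as SCRAM by default; `scram-sha-256` is the documented replacement and should be used unless a client is known to be MD5-only, e.g. `hostssl all all 192.168.2.0/24 scram-sha-256`. Nothing in this commit sets `hba_file` to this path (the `postgresql.conf` that `config_file` points at is not part of the diff), so unless that file does, the server keeps using the pg_hba.conf the image generates inside PGDATA and these two rules are never consulted; `SHOW hba_file;` confirms which one is active. If this file does become active it has no `local` line, so socket connections inside the container (the entrypoint's init step, `pg_isready`, `docker exec psql`) would presumably be rejected. A header comment such as `# LAN clients must use TLS; ssl_ca_file is set but client certificates are not required (no clientcert option)` would make the intended trust boundary explicit.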
@@ -1,57 +1,38 @@
+version: "3.9"
+
 services:
 postgres:
- image: postgres:16-alpine
- container_name: fairreview_postgres
+ image: postgres:latest
+ container_name: postgres_secure
 restart: unless-stopped
 environment:
- POSTGRES_DB: ${POSTGRES_DB:-fairreview}
- POSTGRES_USER: ${POSTGRES_USER:-zhuma}
+ POSTGRES_USER: ${POSTGRES_USER}
 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+ POSTGRES_DB: ${POSTGRES_DB}
 PGDATA: /var/lib/postgresql/data/pgdata
 volumes:
 - postgres_data:/var/lib/postgresql/data
- - ./ssl:/ssl-host:ro # your host SSL files, read-only
- tmpfs:
- - /ssl:rw,mode=0700 # tmpfs inside container for proper ownership
- - /tmp
- - /var/run/postgresql
+ - ./certs:/certs:ro
+ - ./init-scripts:/docker-entrypoint-initdb.d:ro
+ - ./custom-conf:/etc/postgresql/conf.d:ro
 ports:
- - "5432:5432"
- healthcheck:
- test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-zhuma} -d ${POSTGRES_DB:-fairreview}"]
- interval: 10s
- timeout: 5s
- retries: 5
- start_period: 10s
- security_opt:
- - no-new-privileges:true
- deploy:
- resources:
- limits:
- memory: 512M
- reservations:
- memory: 256M
+ - "5432:5432" # accessible from LAN
 command: >
- sh -c "
- # Copy SSL files into tmpfs, set correct permissions
- cp /ssl-host/* /ssl/ &&
- chown postgres:postgres /ssl/* &&
- chmod 600 /ssl/server.key &&
- chmod 644 /ssl/server.crt /ssl/ca.crt &&
- # Start PostgreSQL with SSL
- postgres
- -c ssl=on
- -c ssl_cert_file=/ssl/server.crt
- -c ssl_key_file=/ssl/server.key
- -c ssl_ca_file=/ssl/ca.crt
- -c max_connections=100
- -c shared_buffers=128MB
- -c effective_cache_size=256MB
- -c maintenance_work_mem=64MB
- -c checkpoint_completion_target=0.9
- -c wal_buffers=16MB
- -c default_statistics_target=100
- "
+ postgres
+ -c listen_addresses='*'
+ -c ssl=on
+ -c ssl_cert_file=/certs/server.crt
+ -c ssl_key_file=/certs/server.key
+ -c ssl_ca_file=/certs/ca.crt
+ -c log_timezone=UTC
+ -c timezone=UTC
+ -c config_file=/etc/postgresql/conf.d/postgresql.conf
+ networks:
+ - pgnet
 volumes:
- postgres_data:
\ No newline at end of file
+ postgres_data:
+
+networks:
+ pgnet:
+ driver: bridge
\ No newline at end of file
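Review bot: The new `./certs:/certs:ro` mount hands `server.key` to the server with the host file's owner and mode, and postgres refuses a private key that is group/world readable or owned by neither root nor the postgres user — the removed tmpfs copy/`chown`/`chmod 600` sequence existed precisely to satisfy that check, and nothing replaces it, so startup depends on the host file already being `0600` and owned by the container's postgres UID (or root with `0640`). With `-c listen_addresses='*'` and `"5432:5432"` published on every host interface, reachability is decided by the host's Docker port rules rather than by the `192.168.2.0/24` line in pg_hba.conf; binding the publish to the LAN address, `"<LAN_HOST_IP>:5432:5432"`, keeps the two in agreement. The hunk also drops `security_opt:` / `- no-new-privileges:true`, the memory limits and the healthcheck that a service named postgres_secure should keep, and moves from `postgres:16-alpine` to the floating `postgres:latest`, which can jump a major version against an existing pgdata on the next pull; `image: postgres:16` avoids that. The `config_file=/etc/postgresql/conf.d/postgresql.conf` it points at is not added by this commit, so the server will presumably fail to start until that file exists in `./custom-conf`.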