diff --git a/module.nix b/module.nix
index 31019ab..112a925 100644
--- a/module.nix
+++ b/module.nix
@@ -27,7 +27,8 @@ let
     mkOption;
 
   inherit (lib.strings)
-    concatStringsSep;
+    concatStringsSep
+    versionOlder;
 
   inherit (lib.trivial)
     boolToString
@@ -142,6 +143,9 @@ in
     (mkIf config.services.authentik.enable (let
       cfg = config.services.authentik;
 
+      # https://goauthentik.io/docs/installation/docker-compose#startup
+      tz = "UTC";
+
       # Passed to each service and to the `ak` wrapper using `systemd-run(1)`
       serviceDefaults = {
         DynamicUser = true;
@@ -181,7 +185,6 @@ in
         };
         postgresql = mkIf cfg.createDatabase {
           enable = true;
-          package = pkgs.postgresql_14;
           ensureDatabases = [ "authentik" ];
           ensureUsers = [
             { name = "authentik"; ensureDBOwnership = true; }
@@ -198,9 +201,6 @@ in
         '')
       ];
 
-      # https://goauthentik.io/docs/installation/docker-compose#explanation
-      time.timeZone = "UTC";
-
       environment.etc."authentik/config.yml".source = settingsFormat.generate "authentik.yml" cfg.settings;
 
       systemd.services = {
@@ -211,6 +211,7 @@ in
           after = [ "network-online.target" ] ++ lib.optionals cfg.createDatabase [ "postgresql.service" ];
           before = [ "authentik.service" ];
           restartTriggers = [ config.environment.etc."authentik/config.yml".source ];
+          environment.TZ = tz;
           serviceConfig = mkMerge [ serviceDefaults {
             Type = "oneshot";
             RemainAfterExit = true;
@@ -233,6 +234,7 @@ in
           preStart = ''
             ln -svf ${config.services.authentik.authentikComponents.staticWorkdirDeps}/* /run/authentik/
           '';
+          environment.TZ = tz;
           serviceConfig = mkMerge [ serviceDefaults {
             RuntimeDirectory = "authentik";
             WorkingDirectory = "%t/authentik";
@@ -257,13 +259,8 @@ in
             ln -svf ${cfg.authentikComponents.staticWorkdirDeps}/* /var/lib/authentik/
             mkdir -p ${cfg.settings.paths.media}
           '';
+          environment.TZ = tz;
           serviceConfig = mkMerge [ serviceDefaults {
-            Environment = [
-              "AUTHENTIK_ERROR_REPORTING__ENABLED=false"
-              "AUTHENTIK_DISABLE_UPDATE_CHECK=true"
-              "AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true"
-              "AUTHENTIK_AVATARS=initials"
-            ];
             StateDirectory = "authentik";
             UMask = "0027";
             # TODO /run might be sufficient
@@ -335,5 +332,29 @@ in
         };
       };
     }))
+
+    # This is an attempt to solve a rather ugly problem that was
+    # caused by previously setting a default for the option
+    # `services.postgresql.package` in this module.
+    #
+    # The problem is that some installations with a state version other than
+    # 22.05, 22.11 or 23.05 may have used this module, meaning their postgresql
+    # version was overridden by this module. Merely removing the setting here,
+    # would cause their config to fall back to their respective default release,
+    # resulting in a (temporarily) broken installation.
+    #
+    # While recovering from this is relatively easy, i.e. they would need to
+    # override the posgresql package in their own config, it is not desirable
+    # to break those installations.
+    #
+    # The idea is to no longer set a default value for the package for new
+    # installations. Instead new installations use the sensible default provided
+    # by nixpkgs. At the same time this should keep the previous default
+    # for old installations.
+    #
+    # After postgresql_14 has been removed from nixpkgs, this workaround can be dropped.
+    (mkIf (versionOlder config.system.stateVersion "24.05") {
+      services.postgresql.package = lib.mkDefault pkgs.postgresql_14;
+    })
   ];
 }