diff --git a/flake.nix b/flake.nix index 9758ce9..5550dbb 100644 --- a/flake.nix +++ b/flake.nix @@ -15,6 +15,7 @@ inherit inputs; cellsFrom = nix/cells; cellBlocks = [ + (std.installables "packages") (std.functions "library") (std.functions "hydraJobs") (tullia.tasks "pipelines") diff --git a/metadata-server/metadata-server.cabal b/metadata-server/metadata-server.cabal index 206d09c..e378acf 100644 --- a/metadata-server/metadata-server.cabal +++ b/metadata-server/metadata-server.cabal @@ -25,6 +25,7 @@ executable metadata-server , persistent-postgresql , optparse-applicative , persistent + , regex-compat , safe-exceptions , scientific , servant @@ -43,4 +44,4 @@ executable metadata-server -rtsopts other-modules: Paths_metadata_server - Config \ No newline at end of file + Config diff --git a/metadata-server/src/Main.hs b/metadata-server/src/Main.hs index c39cefb..c225d1d 100644 --- a/metadata-server/src/Main.hs +++ b/metadata-server/src/Main.hs @@ -24,6 +24,7 @@ import qualified Data.Text as T import qualified Database.Persist.Postgresql as Postgresql import qualified Network.Wai.Handler.Warp as Warp import qualified Options.Applicative as Opt +import qualified Text.Regex as R import Cardano.Metadata.Server ( webApp ) import qualified Cardano.Metadata.Store.Postgres as Store @@ -38,7 +39,7 @@ main = do }) <- Opt.execParser opts let pgConnString = pgConnectionString options - putStrLn $ "Connecting to database using connection string: " <> BC.unpack pgConnString + putStrLn . obfuscatePasswords $ "Connecting to database using connection string: " <> BC.unpack pgConnString runStdoutLoggingT $ filterLogger (\_ lvl -> lvl /= LevelDebug) $ do -- Create log channel @@ -54,3 +55,6 @@ main = do -- Logging in main thread unChanLoggingT logChan + +obfuscatePasswords :: String -> String +obfuscatePasswords clear = R.subRegex (R.mkRegex "password=\\S+") clear "password=*******" 
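Review bot: The `password=\S+` mask in `obfuscatePasswords` (metadata-server/src/Main.hs) redacts only up to the first whitespace, so a password containing a space, or a value later written in libpq's quoted form, leaves its tail in the startup log. Redacting a string that already holds the secret is fragile; it is safer to build the log line from the non-secret fields and never format the password at all, e.g. `putStrLn $ "Connecting to database '" <> optDbName options <> "' on host " <> optDbHost options <> " as user " <> optDbUser options` (assuming the `Opts` field accessors are in scope here). The same helper is pasted verbatim into metadata-sync/src/Main.hs and metadata-webhook/src/Main.hs; if it stays, it belongs once next to `pgConnectionString`, with a comment stating the connection-string format it assumes. `main` begins and continues outside these hunks.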
diff --git a/metadata-store-postgres/src/Cardano/Metadata/Store/Postgres/Config.hs b/metadata-store-postgres/src/Cardano/Metadata/Store/Postgres/Config.hs index 4098c3c..10604d8 100644 --- a/metadata-store-postgres/src/Cardano/Metadata/Store/Postgres/Config.hs +++ b/metadata-store-postgres/src/Cardano/Metadata/Store/Postgres/Config.hs @@ -3,12 +3,15 @@ module Cardano.Metadata.Store.Postgres.Config where import qualified Data.ByteString.Char8 as BC import Database.Persist.Postgresql ( ConnectionString ) import qualified Network.Wai.Handler.Warp as Warp +import Control.Applicative (optional) import Options.Applicative data Opts = Opts { optDbName :: String , optDbUser :: String - , optDbHost :: FilePath + , optDbPass :: Maybe String + , optDbHost :: String + , optDbPort :: Maybe Warp.Port , optDbMetadataTableName :: String , optDbConnections :: Int , optServerPort :: Warp.Port 
@@ -19,11 +22,13 @@ parseOpts :: Parser Opts parseOpts = Opts <$> strOption (long "db" <> metavar "DB_NAME" <> help "Name of the database to store and read metadata from") <*> strOption (long "db-user" <> metavar "DB_USER" <> help "User to connect to metadata database with") + <*> optional (strOption (long "db-pass" <> metavar "DB_PASS" <> help "Password to connect to metadata database with")) <*> strOption (long "db-host" <> metavar "DB_HOST" <> showDefault <> value "/run/postgresql" <> help "Host for the metadata database connection") + <*> optional (option auto (long "db-port" <> metavar "DB_PORT" <> showDefault <> value 5432 <> help "Port for the metadata database connection")) <*> strOption (long "db-table" <> metavar "DB_TABLE" <> showDefault <> value "metadata" <> help "Table in the database to store metadata") <*> option auto (long "db-conns" <> metavar "INT" <> showDefault <> value 1 <> help "Number of connections to open to the database") <*> option auto (short 'p' <> long "port" <> metavar "PORT" <> showDefault <> value 8080 <> help "Port to run the metadata web server on") pgConnectionString :: Opts -> ConnectionString -pgConnectionString (Opts { optDbName = dbName, optDbUser = dbUser, optDbHost = dbHost }) = - BC.pack $ "host=" <> dbHost <> " dbname=" <> dbName <> " user=" <> dbUser +pgConnectionString (Opts { optDbName = dbName, optDbUser = dbUser, optDbPass = dbPass, optDbHost = dbHost, optDbPort = dbPort }) = + BC.pack $ "host=" <> dbHost <> " dbname=" <> dbName <> " user=" <> dbUser <> (maybe "" (" password=" <>) dbPass) <> (maybe "" ((" port=" <>) . show) dbPort) diff --git a/metadata-sync/metadata-sync.cabal b/metadata-sync/metadata-sync.cabal index f8c6fd6..e7c5603 100644 --- a/metadata-sync/metadata-sync.cabal +++ b/metadata-sync/metadata-sync.cabal @@ -119,6 +119,7 @@ executable metadata-sync , optparse-applicative , persistent , postgresql-simple + , regex-compat , resource-pool , safe-exceptions , scientific 
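Review bot: `--db-pass` takes the database password from the command line, where on most Unix systems it is readable by other local users through the process listing and tends to end up in shell history and service definitions. Because `pgConnectionString` leaves `password=` out when `optDbPass` is `Nothing`, libpq's own password lookup should already apply when the flag is omitted, so the help text should steer operators there: `help "Password for the metadata database; prefer PGPASSFILE or ~/.pgpass, command-line arguments are visible in process listings"`. The same option is added to `parseOpts` in metadata-sync/src/Cardano/Metadata/Sync/Config.hs.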
diff --git a/metadata-sync/src/Cardano/Metadata/Sync/Config.hs b/metadata-sync/src/Cardano/Metadata/Sync/Config.hs index b8c0d45..b4f3b91 100644 --- a/metadata-sync/src/Cardano/Metadata/Sync/Config.hs +++ b/metadata-sync/src/Cardano/Metadata/Sync/Config.hs @@ -12,6 +12,8 @@ import qualified Data.Text.Encoding as TE import Data.Time.Clock ( NominalDiffTime ) import Database.PostgreSQL.Simple ( Connection ) import qualified Database.PostgreSQL.Simple as Sql +import qualified Network.Wai.Handler.Warp as Warp +import Control.Applicative (optional) import Options.Applicative ( Parser , ParserInfo @@ -33,7 +35,9 @@ import qualified Options.Applicative as Opt data Opts = Opts { optDbName :: Text , optDbUser :: Text - , optDbHost :: FilePath + , optDbPass :: Maybe Text + , optDbHost :: Text + , optDbPort :: Maybe Warp.Port , optDbMetadataTableName :: Text , optDbConnections :: Int , optGitURL :: Text @@ -45,7 +49,9 @@ parseOpts :: Parser Opts parseOpts = Opts <$> strOption (long "db" <> metavar "DB_NAME" <> help "Name of the database to store and read metadata from") <*> strOption (long "db-user" <> metavar "DB_USER" <> help "User to connect to metadata database with") + <*> optional (strOption (long "db-pass" <> metavar "DB_PASS" <> help "Password to connect to metadata database with")) <*> strOption (long "db-host" <> metavar "DB_HOST" <> showDefault <> value "/run/postgresql" <> help "Host for the metadata database connection") + <*> optional (option auto (long "db-port" <> metavar "DB_PORT" <> showDefault <> value 5432 <> help "Port for the metadata database connection")) <*> strOption (long "db-table" <> metavar "DB_TABLE" <> showDefault <> value "metadata" <> help "Table in the database to store metadata") <*> option auto (long "db-conns" <> metavar "INT" <> showDefault <> value 1 <> help "Number of connections to open to the database") <*> strOption (long "git-url" <> metavar "GIT_URL" <> help "URL of the metadata registry git repository") 
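Review bot: `optional` around an option that carries `value 5432` can never produce `Nothing`, because the default makes the inner parser succeed when `--db-port` is absent; `optDbPort` is therefore always `Just`, and `pgConnectionString` always appends `port=5432`, overriding whatever libpq would otherwise pick (for example from `PGPORT`). Either drop the default so that absence means "let libpq decide", `optional (option auto (long "db-port" <> metavar "DB_PORT" <> help "Port for the metadata database connection"))`, or drop `optional` and make the field a plain port. The same construction is in `parseOpts` of metadata-store-postgres's Config.hs. `Warp.Port` is imported here only to type this field; a plain `Int` would avoid tying the database port to the web server library's alias.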
@@ -61,8 +67,8 @@ opts = ) pgConnectionString :: Opts -> BC.ByteString -pgConnectionString (Opts { optDbName = dbName, optDbUser = dbUser, optDbHost = dbHost }) = - TE.encodeUtf8 $ "host=" <> T.pack dbHost <> " dbname=" <> dbName <> " user=" <> dbUser +pgConnectionString (Opts { optDbName = dbName, optDbUser = dbUser, optDbPass = dbPass, optDbHost = dbHost, optDbPort = dbPort }) = + TE.encodeUtf8 $ "host=" <> dbHost <> " dbname=" <> dbName <> " user=" <> dbUser <> (maybe "" (" password=" <>) dbPass) <> (maybe "" ((" port=" <>) . T.pack . show) dbPort) mkConnectionPool :: BC.ByteString diff --git a/metadata-sync/src/Main.hs b/metadata-sync/src/Main.hs index 68d637f..fa89859 100644 --- a/metadata-sync/src/Main.hs +++ b/metadata-sync/src/Main.hs @@ -9,6 +9,7 @@ import Data.Time.Clock ( NominalDiffTime ) import Database.PostgreSQL.Simple ( Connection, close, connectPostgreSQL ) import qualified Network.Wai.Handler.Warp as Warp import qualified Options.Applicative as Opt +import qualified Text.Regex as R import qualified Cardano.Metadata.Sync as Sync import Cardano.Metadata.Sync.Config @@ -29,7 +30,7 @@ main = do }) <- Opt.execParser opts let pgConnString = pgConnectionString options - putStrLn $ "Connecting to database using connection string: " <> BC.unpack pgConnString + putStrLn . obfuscatePasswords $ "Connecting to database using connection string: " <> BC.unpack pgConnString withConnectionPool pgConnString numDbConns $ \pool -> do withConnectionFromPool pool $ \conn -> do putStrLn $ "Reading registry state from '" <> T.unpack gitURL <> "'." @@ -37,3 +38,6 @@ main = do putStrLn $ "Syncing to table '" <> T.unpack tableName <> "'." Sync.write conn tableName state + +obfuscatePasswords :: String -> String +obfuscatePasswords clear = R.subRegex (R.mkRegex "password=\\S+") clear "password=*******" diff --git a/metadata-webhook/metadata-webhook.cabal b/metadata-webhook/metadata-webhook.cabal index f996951..22bdbb2 100644 --- a/metadata-webhook/metadata-webhook.cabal 
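Review bot: `pgConnectionString` splices host, database, user and password into the libpq keyword/value string without quoting, so a value containing a space, a single quote or a backslash changes how the string is split: the connection fails, or the remainder of the value is read as further keywords. libpq's format accepts values in single quotes with `\'` and `\\` escapes, and routing every textual value through one quoting helper fixes this, as sketched below. The `password=\S+` mask in the three Main.hs files assumes an unquoted value and would have to change with it, or the log line should stop including the password. The `String`-based `pgConnectionString` in metadata-store-postgres's Config.hs has the same issue.

```haskell
pgConnectionString (Opts { optDbName = dbName, optDbUser = dbUser, optDbPass = dbPass, optDbHost = dbHost, optDbPort = dbPort }) =
  TE.encodeUtf8 $ T.unwords $
    [ "host=" <> quoteConnValue dbHost
    , "dbname=" <> quoteConnValue dbName
    , "user=" <> quoteConnValue dbUser
    ]
    <> maybe [] (\p -> ["password=" <> quoteConnValue p]) dbPass
    <> maybe [] (\p -> ["port=" <> T.pack (show p)]) dbPort

-- | Quote a value for a libpq keyword/value connection string:
-- wrap it in single quotes and backslash-escape quotes and backslashes.
quoteConnValue :: Text -> Text
quoteConnValue v = "'" <> T.concatMap escape v <> "'"
  where
    escape c
      | c == '\'' || c == '\\' = T.pack ['\\', c]
      | otherwise = T.singleton c

-- … unchanged: mkConnectionPool and the rest of the module …
```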
+++ b/metadata-webhook/metadata-webhook.cabal @@ -27,6 +27,7 @@ executable metadata-webhook , optparse-applicative , persistent , persistent-postgresql + , regex-compat , safe-exceptions , scientific , servant @@ -49,4 +50,4 @@ executable metadata-webhook -threaded other-modules: Paths_metadata_webhook - Config \ No newline at end of file + Config diff --git a/metadata-webhook/src/Main.hs b/metadata-webhook/src/Main.hs index a58792c..4986c1d 100644 --- a/metadata-webhook/src/Main.hs +++ b/metadata-webhook/src/Main.hs @@ -15,6 +15,7 @@ import qualified Database.Persist.Postgresql as Postgresql import qualified Network.Wai.Handler.Warp as Warp import qualified Options.Applicative as Opt import System.Environment ( lookupEnv ) +import qualified Text.Regex as R import qualified Cardano.Metadata.Store.Postgres as Store import Cardano.Metadata.Store.Postgres.Config ( Opts (..), pgConnectionString ) @@ -33,7 +34,7 @@ main = do }) <- Opt.execParser opts let pgConnString = pgConnectionString options - putStrLn $ "Connecting to database using connection string: " <> C8.unpack pgConnString + putStrLn . obfuscatePasswords $ "Connecting to database using connection string: " <> C8.unpack pgConnString runStdoutLoggingT $ Postgresql.withPostgresqlPool pgConnString numDbConns $ \pool -> liftIO $ do putStrLn $ "Initializing table '" <> tableName <> "'." @@ -41,3 +42,6 @@ main = do putStrLn $ "Metadata webhook is starting on port " <> show port <> "." liftIO $ Warp.run port (appSigned (gitHubKey $ pure key) intf (getFileContent githubToken)) + +obfuscatePasswords :: String -> String +obfuscatePasswords clear = R.subRegex (R.mkRegex "password=\\S+") clear "password=*******" diff --git a/nix/cells/app/packages.nix b/nix/cells/app/packages.nix new file mode 100644 index 0000000..5e3e95d --- /dev/null +++ b/nix/cells/app/packages.nix 
@@ -0,0 +1,20 @@
+{
+ cell,
+ inputs,
+}: let
+ inherit (
+ import "${inputs.self}/release.nix" {
+ metadata-server = inputs.self;
+ supportedSystems = [inputs.nixpkgs.system];
+ }
+ ) native;
+in
+builtins.mapAttrs (_: p: p.${inputs.nixpkgs.system}) {
+ inherit (native)
+ metadata-server
+ metadata-sync
+ metadata-validator-github
+ metadata-webhook
+ token-metadata-creator
+ ;
+}