diff --git a/CHANGELOG.md b/CHANGELOG.md
index a91c0d65..ea447b8c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,45 @@
+## [17.0.0-beta.3](https://github.com/maevsi/stack/compare/17.0.0-beta.2...17.0.0-beta.3) (2026-02-23)
+
+### Features
+
+* **zammad:** add ([f913dfc](https://github.com/maevsi/stack/commit/f913dfc894724e19195853138cc6610419a5ab42))
+
+### Bug Fixes
+
+* **deps:** lockfile maintenance ([0785ef9](https://github.com/maevsi/stack/commit/0785ef9d90e3b32b86da13fae2052f4879d3985d))
+* **deps:** update ghcr.io/maevsi/vibetype to v13.3.3 ([a175137](https://github.com/maevsi/stack/commit/a1751375c4bcaae957fd32e920cd7a62e10114fa))
+* **elasticsearch:** correct security configuration ([ccda936](https://github.com/maevsi/stack/commit/ccda936b5d1d7c24450027e260d9b49c27abbfbd))
+* **elasticsearch:** set memory ([e257b75](https://github.com/maevsi/stack/commit/e257b75a3500aee4b0028bca4777905d14ca7cf0))
+* **vibetype:** move allowed headers from postgraphile ([421ae19](https://github.com/maevsi/stack/commit/421ae19e65001039c15c94db5e91ce3610bd230f))
+* **zammad-init:** restart on failure only ([3fb38d9](https://github.com/maevsi/stack/commit/3fb38d9d88cc8dd4db0baa55345c3e8e14e0ad70))
+* **zammad-nginx:** resolve certificate ([e95bf06](https://github.com/maevsi/stack/commit/e95bf068fd2b4ad34c810815ab2e638b33cddb01))
+* **zammad:** set nginx server scheme ([f035ac5](https://github.com/maevsi/stack/commit/f035ac5ed555b00983612de0c73abdca5accc34d))
+
+### Performance Improvements
+
+* **elasticsearch:** add resource constraints ([3ae4d73](https://github.com/maevsi/stack/commit/3ae4d73975b3afe8b5177cad84c476c358c230a4))
+
+## [17.0.0-beta.2](https://github.com/maevsi/stack/compare/17.0.0-beta.1...17.0.0-beta.2) (2026-02-20)
+
+### ⚠ BREAKING CHANGES
+
+* **postgraphile:** upgrade to v5
+
+### Features
+
+* **postgraphile:** upgrade to v5 ([0113383](https://github.com/maevsi/stack/commit/011338398447c002aaf4682f06aeaee238f3b3b8))
+
+## [17.0.0-beta.1](https://github.com/maevsi/stack/compare/16.0.8...17.0.0-beta.1) (2026-02-20)
+
+### ⚠ BREAKING CHANGES
+
+* **postgraphile:** change forward authorization path
+
+### Features
+
+* **postgraphile:** change forward authorization path ([0e9cc64](https://github.com/maevsi/stack/commit/0e9cc64501ec547b5bddef83dda8a202a94ff203))
+* **vibetype:** allow csrf token access control header ([1ccdd94](https://github.com/maevsi/stack/commit/1ccdd94c7f87fc570212f6cf8c5ad281632e743f))
+
 ## [16.1.9](https://github.com/maevsi/stack/compare/16.1.8...16.1.9) (2026-02-22)
 
 ### Bug Fixes
diff --git a/README.md b/README.md
index 2489edee..7b8e6434 100644
--- a/README.md
+++ b/README.md
@@ -372,6 +372,10 @@ This project is deployed in accordance to the [DargStack template](https://githu
 
 The container manager's data.
 
+ - ### `postgraphile_data`
+
+ The GraphQL API's data.
+
 - ### `postgres_data`
 
 The database's data.
diff --git a/package.json b/package.json
index e14b5d1d..56478632 100644
--- a/package.json
+++ b/package.json
@@ -21,5 +21,5 @@
 "prepare": "husky && ./src/development/certificates/mkcert.sh"
 },
 "type": "module",
- "version": "16.1.9"
+ "version": "17.0.0-beta.3"
 }
diff --git a/src/development/stack.yml b/src/development/stack.yml
index f112b9d9..000776a3 100644
--- a/src/development/stack.yml
+++ b/src/development/stack.yml
@@ -359,7 +359,7 @@ services:
 deploy:
 labels:
 - traefik.enable=true
- - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/service/traefik/authentication
+ - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/internal/service/postgraphile/authentication
 - traefik.http.middlewares.postgraphile_auth.forwardauth.forwardBody=true
 - traefik.http.middlewares.postgraphile_auth.forwardauth.preserveRequestMethod=true
 - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowCredentials=true
@@ -370,25 +370,28 @@ services:
 - traefik.http.routers.postgraphile.rule=Host(`postgraphile.${STACK_DOMAIN}`)
 - traefik.http.routers.postgraphile_secure.entryPoints=web-secure
 - traefik.http.routers.postgraphile_secure.middlewares=postgraphile_auth,postgraphile_cors
- - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`)
+ - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphql`)
 - traefik.http.routers.postgraphile_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
 - traefik.http.routers.postgraphile_secure_graphiql.entryPoints=web-secure
- - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphiql`)
+ - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`)
 - traefik.http.routers.postgraphile_secure_graphiql.tls.options=mintls13@file #DARGSTACK-REMOVE
- - traefik.http.services.postgraphile.loadbalancer.server.port=5000
- environment:
- POSTGRAPHILE_CONNECTION_FILE: /run/secrets/postgraphile_connection
- POSTGRAPHILE_JWT_PUBLIC_KEY_FILE: /run/config/postgraphile_jwt-public-key
- POSTGRAPHILE_JWT_SECRET_KEY_FILE: /run/secrets/postgraphile_jwt-secret
- POSTGRAPHILE_OWNER_CONNECTION_FILE: /run/secrets/postgraphile_owner-connection
- image: ghcr.io/maevsi/postgraphile:1.0.19
+ - traefik.http.services.postgraphile.loadbalancer.server.port=5678
+ # # Use the DEBUG environment variable for extended debugging.
+ # environment:
+ # DEBUG: graphile-build:warn,graphile-build-pg:sql
+ image: maevsi/postgraphile:dev
 secrets:
- - postgraphile_connection
- - postgraphile_jwt-secret
- - postgraphile_owner-connection
+ - source: postgraphile_connection
+ target: /run/environment-variables/POSTGRAPHILE_CONNECTION
+ - source: postgraphile_jwt-secret
+ target: /run/environment-variables/POSTGRAPHILE_JWT_SECRET_KEY
+ - source: postgraphile_owner-connection
+ target: /run/environment-variables/POSTGRAPHILE_OWNER_CONNECTION
 volumes:
- - ./configurations/postgraphile/jwtRS256.key.pub:/run/config/postgraphile_jwt-public-key:ro
- - ../production/configurations/postgraphile/.postgraphilerc.js:/postgraphile/.postgraphilerc.js:ro
+ - ../../../postgraphile/:/srv/app/ #DARGSTACK-REMOVE
+ - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/POSTGRAPHILE_JWT_PUBLIC_KEY:ro
+ - pnpm_data:/srv/.pnpm-store/ #DARGSTACK-REMOVE
+ - postgraphile_data:/srv/app/node_modules #DARGSTACK-REMOVE
 postgres:
 # You can access the database via `adminer`.
 command: -c vibetype.jwt_expiry_duration='1 month' -c wal_level=logical
@@ -713,6 +716,9 @@ volumes:
 portainer_data:
 # The container manager's data.
 {}
+ postgraphile_data:
+ # The GraphQL API's data.
+ {}
 postgres_data:
 # The database's data.
 {}
diff --git a/src/production/configurations/postgraphile/.postgraphilerc.js b/src/production/configurations/postgraphile/.postgraphilerc.js
deleted file mode 100644
index b24a8b17..00000000
--- a/src/production/configurations/postgraphile/.postgraphilerc.js
+++ /dev/null
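Review bot: After the rule swap in the `@@ -370,25 +370,28 @@` hunk, `postgraphile_secure` (the router carrying `postgraphile_auth,postgraphile_cors`) matches only the exact path /graphql, while `postgraphile_secure_graphiql`, for which the hunk shows no `middlewares` label, becomes the catch-all for every other path on the host. Traefik's `Path` matcher is exact, so anything else the upgraded server answers on that host, such as a sub-path or trailing-slash variant of the API endpoint, would skip the forward-auth check. Only the `tls.options` lines of these routers carry `#DARGSTACK-REMOVE`, so the catch-all presumably reaches the deployed stack as well; please confirm. I would keep the unauthenticated router limited to the paths the IDE actually needs, or state the intent next to it with a comment such as `# graphiql router is unauthenticated by design; every path except /graphql bypasses postgraphile_auth`. The `postgraphile` service block starts above this hunk.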
@@ -1,25 +0,0 @@
-const fs = require('fs');
-
-const postgisPlugin = require("@graphile/postgis");
-
-module.exports = {
- options: {
- appendPlugins: [postgisPlugin.default || postgisPlugin],
- connection: fs.readFileSync(process.env.POSTGRAPHILE_CONNECTION_FILE, 'utf8'),
- defaultRole: 'vibetype_anonymous',
- dynamicJson: true,
- enhanceGraphiql: true,
- extendedErrors: ['errcode'],
- host: '0.0.0.0',
- ignoreRBAC: false,
- jwtPublicKey: fs.readFileSync(process.env.POSTGRAPHILE_JWT_PUBLIC_KEY_FILE, 'utf8'),
- jwtSecret: fs.readFileSync(process.env.POSTGRAPHILE_JWT_SECRET_KEY_FILE, 'utf8'),
- jwtSignOptions: { algorithm: 'RS256' },
- jwtTokenIdentifier: 'vibetype.jwt',
- jwtVerifyAlgorithms: ['RS256'],
- ownerConnection: fs.readFileSync(process.env.POSTGRAPHILE_OWNER_CONNECTION_FILE, 'utf8'),
- schema: ['vibetype'],
- setofFunctionsContainNulls: false,
- watch: true
- },
-};
diff --git a/src/production/production.yml b/src/production/production.yml
index 7222b3ab..df8eaf19 100644
--- a/src/production/production.yml
+++ b/src/production/production.yml
@@ -43,6 +43,7 @@ services:
 - (( append ))
 - traefik.http.routers.postgraphile.middlewares=postgraphile_auth,postgraphile_cors
 - traefik.http.routers.postgraphile_secure.tls.certresolver=default
+ image: maevsi/postgraphile:2.0.0-beta.1
 postgres_backup:
 # You cannot access the database backup directly.
 environment:
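Review bot: The added `image: maevsi/postgraphile:2.0.0-beta.1` has no registry host, unlike the `ghcr.io/maevsi/postgraphile:1.0.19` reference this commit removes from src/development/stack.yml, so the production pull resolves against the container engine's default registry. If the move is intentional, confirm that the `maevsi` namespace on that registry is controlled by the project; otherwise keep the explicit `ghcr.io/` prefix. Judging by the development stack, this service is handed the owner database connection and the JWT signing secret, so I would also pin the image by digest so that a re-pushed tag cannot change what is deployed, e.g. `image: ghcr.io/maevsi/postgraphile:2.0.0-beta.1@sha256:<digest>` (placeholder digest). The service block this line belongs to starts above the hunk.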