diff --git a/server/config/access.go b/server/config/access.go
index 6d7249d89376b3359d59692d6e713798d2994b86..d040dd61e89cc5e56491c8b0c15b9f51632df958 100644
--- a/server/config/access.go
+++ b/server/config/access.go
@@ -20,7 +20,7 @@ func (c *Config) AuthRepo(repo string, pk ssh.PublicKey) proto.AccessLevel {
 // found.
 func (c *Config) User(pk ssh.PublicKey) (proto.User, error) {
 	k := authorizedKey(pk)
-	u, err := c.db.GetUserByPublicKey(k)
+	u, err := c.DB().GetUserByPublicKey(k)
 	if err != nil {
 		log.Printf("error getting user for key: %s", err)
 		return nil, err
@@ -41,7 +41,7 @@ func (c *Config) IsCollab(repo string, pk ssh.PublicKey) bool {
 		return true
 	}
 
-	isCollab, err := c.db.IsRepoPublicKeyCollab(repo, authorizedKey(pk))
+	isCollab, err := c.DB().IsRepoPublicKeyCollab(repo, authorizedKey(pk))
 	if err != nil {
 		log.Printf("error checking if key is repo collab: %v", err)
 		return false
@@ -101,6 +101,7 @@ func (c *Config) accessForKey(repo string, pk ssh.PublicKey) proto.AccessLevel {
 		return anon
 	}
 	private := info.IsPrivate()
+	log.Printf("auth key %s", authorizedKey(pk))
 	if pk != nil {
 		isAdmin := c.IsAdmin(pk)
 		if isAdmin {
@@ -122,14 +123,14 @@ func (c *Config) accessForKey(repo string, pk ssh.PublicKey) proto.AccessLevel {
 	}
 	// Don't restrict access to private repos if no users are configured.
 	// Return anon access level.
-	if private && c.countUsers() > 0 {
+	if private {
 		return proto.NoAccess
 	}
 	return anon
 }
 
 func (c *Config) countUsers() int {
-	count, err := c.db.CountUsers()
+	count, err := c.DB().CountUsers()
 	if err != nil {
 		return 0
 	}
@@ -151,5 +152,8 @@ func (c *Config) isInitialAdminKey(key ssh.PublicKey) bool {
 }
 
 func authorizedKey(key ssh.PublicKey) string {
+	if key == nil {
+		return ""
+	}
 	return strings.TrimSpace(string(gossh.MarshalAuthorizedKey(key)))
 }
diff --git a/server/config/config.go b/server/config/config.go
index 46e9defb527007a3adf5b8654d12c3a6e3e37f82..e26e923eb20ca59823c13c1aa2145116915f2ec4 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -37,10 +37,11 @@ type SSHConfig struct {
 
 // GitConfig is the Git daemon configuration for the server.
 type GitConfig struct {
-	Port           int `env:"PORT" envDefault:"9418"`
-	MaxTimeout     int `env:"MAX_TIMEOUT" envDefault:"0"`
-	IdleTimeout    int `env:"IDLE_TIMEOUT" envDefault:"3"`
-	MaxConnections int `env:"SOFT_SERVE_GIT_MAX_CONNECTIONS" envDefault:"32"`
+	Enabled        bool `env:"ENABLED" envDefault:"true"`
+	Port           int  `env:"PORT" envDefault:"9418"`
+	MaxTimeout     int  `env:"MAX_TIMEOUT" envDefault:"0"`
+	IdleTimeout    int  `env:"IDLE_TIMEOUT" envDefault:"3"`
+	MaxConnections int  `env:"SOFT_SERVE_GIT_MAX_CONNECTIONS" envDefault:"32"`
 }
 
 // DBConfig is the database configuration for the server.
@@ -172,26 +173,25 @@ func DefaultConfig() *Config {
 		// store the key in the config
 		cfg.InitialAdminKeys[i] = pk
 	}
-	log.Printf("initial admin keys are: %v", cfg.InitialAdminKeys)
 	// init data path and db
 	if err := os.MkdirAll(cfg.RepoPath(), 0755); err != nil {
 		log.Fatalln(err)
 	}
-	if err := cfg.createDefaultConfigRepoAndUsers(); err != nil {
-		log.Fatalln(err)
-	}
-	var db db.Store
 	switch cfg.Db.Driver {
 	case "sqlite":
 		if err := os.MkdirAll(filepath.Dir(cfg.DBPath()), 0755); err != nil {
 			log.Fatalln(err)
 		}
-		db, err = sqlite.New(cfg.DBPath())
+		db, err := sqlite.New(cfg.DBPath())
 		if err != nil {
 			log.Fatalln(err)
 		}
+		cfg.WithDB(db)
+	}
+	if err := cfg.createDefaultConfigRepoAndUsers(); err != nil {
+		log.Fatalln(err)
 	}
-	return cfg.WithDB(db).WithDataPath(cfg.DataPath)
+	return &cfg
 }
 
 // DB returns the database for the configuration.
diff --git a/server/config/config_test.go b/server/config/config_test.go
index 6a8eb7e4890f4ff535b7523491936a6273590755..08a1682c533f74571561d61f20a094fe2d63108b 100644
--- a/server/config/config_test.go
+++ b/server/config/config_test.go
@@ -9,11 +9,13 @@ import (
 
 func TestParseMultipleKeys(t *testing.T) {
 	is := is.New(t)
-	is.NoErr(os.Setenv("SOFT_SERVE_INITIAL_ADMIN_KEY", "testdata/k1.pub\ntestdata/k2.pub"))
+	is.NoErr(os.Setenv("SOFT_SERVE_INITIAL_ADMIN_KEY", "testdata/k1.pub\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxIobhwtfdwN7m1TFt9wx3PsfvcAkISGPxmbmbauST8"))
 	t.Cleanup(func() { is.NoErr(os.Unsetenv("SOFT_SERVE_INITIAL_ADMIN_KEY")) })
+	is.NoErr(os.Setenv("SOFT_SERVE_DATA_PATH", t.TempDir()))
+	t.Cleanup(func() { is.NoErr(os.Unsetenv("SOFT_SERVE_DATA_PATH")) })
 	cfg := DefaultConfig()
 	is.Equal(cfg.InitialAdminKeys, []string{
-		"testdata/k1.pub",
-		"testdata/k2.pub",
+		"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMwLvyV3ouVrTysUYGoJdl5Vgn5BACKov+n9PlzfPwH a@b",
+		"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxIobhwtfdwN7m1TFt9wx3PsfvcAkISGPxmbmbauST8",
 	})
 }
diff --git a/server/config/default.go b/server/config/default.go
index 8ceda6f1fa1360dc618874d0c896d099917f5588..c555896b550b213db6eafd04145fccaf2917705b 100644
--- a/server/config/default.go
+++ b/server/config/default.go
@@ -21,11 +21,10 @@ func (cfg *Config) createDefaultConfigRepoAndUsers() error {
 	rp := filepath.Join(cfg.RepoPath(), defaultConfigRepo) + ".git"
 	_, err := gogit.PlainOpen(rp)
 	if errors.Is(err, gogit.ErrRepositoryNotExists) {
-		repo, err := gogit.PlainInit(rp, true)
-		if err != nil {
+		if err := cfg.Create(defaultConfigRepo, "Config", "Soft Serve Config", true); err != nil {
 			return err
 		}
-		repo, err = gogit.Clone(memory.NewStorage(), memfs.New(), &gogit.CloneOptions{
+		repo, err := gogit.Clone(memory.NewStorage(), memfs.New(), &gogit.CloneOptions{
 			URL: rp,
 		})
 		if err != nil && err != transport.ErrEmptyRemoteRepository {
diff --git a/server/config/repo.go b/server/config/repo.go
index effb631d1aef4cd599fd47c7a45afa9811d19901..f3f4d9cdfb355feb58fdb3b8626d45b797e885a6 100644
--- a/server/config/repo.go
+++ b/server/config/repo.go
@@ -16,10 +16,11 @@ var _ proto.MetadataProvider = &Config{}
 
 // Metadata returns the repository's metadata.
 func (c *Config) Metadata(name string) (proto.Metadata, error) {
-	i, err := c.db.GetRepo(name)
+	i, err := c.DB().GetRepo(name)
 	if err != nil {
 		return nil, err
 	}
+	log.Printf("info for %q: %v", name, i.Private)
 	return &repo{
 		cfg:  c,
 		info: i,
@@ -52,7 +53,7 @@ func (c *Config) ListRepos() ([]proto.Metadata, error) {
 	}
 	for _, d := range ds {
 		name := strings.TrimSuffix(d.Name(), ".git")
-		r, err := c.db.GetRepo(name)
+		r, err := c.DB().GetRepo(name)
 		if err != nil || r == nil {
 			md = append(md, &emptyMetadata{
 				name: name,
@@ -75,7 +76,7 @@ func (c *Config) Create(name string, projectName string, description string, isP
 	if _, err := git.Init(filepath.Join(c.RepoPath(), name+".git"), true); err != nil {
 		return err
 	}
-	if err := c.db.AddRepo(name, projectName, description, isPrivate); err != nil {
+	if err := c.DB().AddRepo(name, projectName, description, isPrivate); err != nil {
 		return err
 	}
 	return nil
@@ -87,7 +88,7 @@ func (c *Config) Delete(name string) error {
 	if err := os.RemoveAll(filepath.Join(c.RepoPath(), name+".git")); err != nil {
 		return err
 	}
-	if err := c.db.DeleteRepo(name); err != nil {
+	if err := c.DB().DeleteRepo(name); err != nil {
 		return err
 	}
 	return nil
@@ -100,7 +101,7 @@ func (c *Config) Rename(name string, newName string) error {
 	if err := os.Rename(filepath.Join(c.RepoPath(), name+".git"), filepath.Join(c.RepoPath(), newName+".git")); err != nil {
 		return err
 	}
-	if err := c.db.SetRepoName(name, newName); err != nil {
+	if err := c.DB().SetRepoName(name, newName); err != nil {
 		return err
 	}
 	return nil
@@ -109,7 +110,7 @@ func (c *Config) Rename(name string, newName string) error {
 // SetProjectName sets the repository's project name.
 func (c *Config) SetProjectName(name string, projectName string) error {
 	name = strings.TrimSuffix(name, ".git")
-	if err := c.db.SetRepoProjectName(name, projectName); err != nil {
+	if err := c.DB().SetRepoProjectName(name, projectName); err != nil {
 		return err
 	}
 	return nil
@@ -118,7 +119,7 @@ func (c *Config) SetProjectName(name string, projectName string) error {
 // SetDescription sets the repository's description.
 func (c *Config) SetDescription(name string, description string) error {
 	name = strings.TrimSuffix(name, ".git")
-	if err := c.db.SetRepoDescription(name, description); err != nil {
+	if err := c.DB().SetRepoDescription(name, description); err != nil {
 		return err
 	}
 	return nil
@@ -127,7 +128,7 @@ func (c *Config) SetDescription(name string, description string) error {
 // SetPrivate sets the repository's privacy.
 func (c *Config) SetPrivate(name string, isPrivate bool) error {
 	name = strings.TrimSuffix(name, ".git")
-	if err := c.db.SetRepoPrivate(name, isPrivate); err != nil {
+	if err := c.DB().SetRepoPrivate(name, isPrivate); err != nil {
 		return err
 	}
 	return nil
@@ -223,7 +224,7 @@ func (r *repo) IsPrivate() bool {
 // Collabs returns the repository's collaborators.
 func (r *repo) Collabs() []proto.User {
 	collabs := make([]proto.User, 0)
-	cs, err := r.cfg.db.ListRepoCollabs(r.Name())
+	cs, err := r.cfg.DB().ListRepoCollabs(r.Name())
 	if err != nil {
 		return collabs
 	}
diff --git a/server/config/user.go b/server/config/user.go
index 414dccd61751fbeffc9784f3913bf285dcb1d7f3..1b2c302258cd8403a01b028f3f16c42f12cd5454 100644
--- a/server/config/user.go
+++ b/server/config/user.go
@@ -58,7 +58,7 @@ func (u *user) PublicKeys() []ssh.PublicKey {
 	}
 	keys := u.keys
 	if keys == nil || len(keys) == 0 {
-		ks, err := u.cfg.db.GetUserPublicKeys(u.user)
+		ks, err := u.cfg.DB().GetUserPublicKeys(u.user)
 		if err != nil {
 			log.Printf("error getting public keys for %q: %v", u.Name(), err)
 			return nil