diff --git a/group_vars/nextcloud.yml b/group_vars/nextcloud.yml
index 683f9ef..20f295d 100644
--- a/group_vars/nextcloud.yml
+++ b/group_vars/nextcloud.yml
@@ -19,3 +19,6 @@ nextcloud_smtp:
   host: mail.pyrocufflink.blue
   port: 25
 dnf_automatic_exclude: nextcloud
+
+postgresql_config_dir: /var/lib/pgsql/data
+postgresql_allow_remote: false
diff --git a/group_vars/postgresql.yml b/group_vars/postgresql.yml
new file mode 100644
index 0000000..761950e
--- /dev/null
+++ b/group_vars/postgresql.yml
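Review bot: `postgresql_config_dir` is defined here for the nextcloud group only, while the postgresql group's `ssl_cert_file`/`ssl_key_file`/`ssl_ca_file` values reference the same variable without defining it, so one path now comes from two different sources. Unless the postgresql-server role declares a default for it, postgresql hosts will fail to render their config; if it does declare one, this override is redundant and the role default should stay the single place it lives. `postgresql_allow_remote: false` is the right setting for a database only the co-located Nextcloud should reach, but the local pg_hba rule it relies on is not visible in this change, so confirm the role's local entry uses peer or scram rather than trust.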
@@ -0,0 +1,51 @@
+data_volumes:
+- dev: /dev/vdb
+  fstype: ext4
+  mountpoint: /var/lib/pgsql
+
+postgresql_cert_domain: postgresql.{{ ansible_domain }}
+postgresql_cert_acme_email: '{{ ansible_hostname }}@pyrocufflink.net'
+postgresql_cert_acme_server: https://ca.pyrocufflink.blue:32599/acme/acme/directory
+postgresql_allow_remote: true
+postgresql_allow_sameuser_peer: false
+
+postgresql_config:
+  listen_addresses: '''*'''
+  ssl: 'on'
+  ssl_cert_file: '''{{ postgresql_config_dir }}/server.cer'''
+  ssl_key_file: '''{{ postgresql_config_dir }}/server.key'''
+  ssl_ca_file: '''{{ postgresql_config_dir }}/ca.crt'''
+
+  archive_mode: '''on'''
+  archive_timeout: 5min
+  archive_command: '''wal-g-pg --config /etc/postgresql/wal-g.yml wal-push %p'''
+  restore_command: '''wal-g-pg --config /etc/postgresql/wal-g.yml wal-fetch %f %p'''
+  hot_standby: 'on'
+
+pg_hba_extra:
+- type: hostssl
+  database: sameuser
+  user: all
+  address: 0.0.0.0/0
+  method: cert
+
+postgresql_restore_command: >-
+  runuser -u postgres --
+  wal-g-pg --config /etc/postgresql/wal-g.yml backup-fetch {{ pgdata_dir }} LATEST
+
+wal_g_aws_access_key_id: Ps0tjAlLFxnQkelX
+wal_g_aws_secret_access_key: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  31313034633265346365356533623137323835386434313738353362386338666531656635306663
+  3032636433343062366537306663383739633838383633350a353030316534356239363962333164
+  30663565333566616563333766323163643466363639613733323262363135333362663364356533
+  3161646331336265640a333639393463376538343466373362353133626562623562316539356464
+  38613465326234346465336261306336623065613962363362383534346435633637626132613364
+  3062396235663433623535373065626238643663623831306464
+
+wal_g_pg_config:
+  AWS_ACCESS_KEY_ID: '{{ wal_g_aws_access_key_id }}'
+  AWS_SECRET_ACCESS_KEY: '{{ wal_g_aws_secret_access_key }}'
+  WALG_S3_PREFIX: s3://pgbackup/spilo/postgresql-default/wal/15
+  AWS_S3_FORCE_PATH_STYLE: true
+  AWS_ENDPOINT: https://burp.pyrocufflink.blue:9000
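Review bot: `WALG_S3_PREFIX` points the new server's `archive_command` at `s3://pgbackup/spilo/postgresql-default/wal/15`, the same prefix `postgresql_restore_command` fetches `LATEST` from; the path name suggests an existing Spilo cluster's archive, and if that cluster is still archiving when this host starts, two primaries push WAL into one timeline prefix and the archive can no longer be trusted for restore. Either retire the source cluster before the first `wal-push` here, or give this host its own prefix and keep the Spilo one read-only for the one-time restore (`WALG_S3_PREFIX: s3://pgbackup/<new-name>/wal/15`). The `pg_hba_extra` rule only covers `address: 0.0.0.0/0`, yet `listen_addresses: '*'` also binds IPv6, so IPv6 clients fall through to whatever the role's default rules are; add a matching `address: ::/0` entry with `method: cert`, or confirm the defaults reject them. Keeping `wal_g_aws_access_key_id` in clear text is fine, but the same key pair serves both `wal-push` and `backup-fetch`, so check the bucket policy limits its write access to this host's prefix. The rendered `/etc/postgresql/wal-g.yml` will carry the decrypted secret, so the wal-g-pg role needs to write it mode `0600` owned by `postgres`, which this change cannot show.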
diff --git a/hosts b/hosts
index ca04424..ef263d3 100644
--- a/hosts
+++ b/hosts
@@ -90,7 +90,6 @@ cloud0.pyrocufflink.blue
 burp1.pyrocufflink.blue
 
 [postgresql]
-cloud0.pyrocufflink.blue
 
 [public-web]
 web0.pyrocufflink.blue
diff --git a/nextcloud.yml b/nextcloud.yml
index 0f6739a..e9737b1 100644
--- a/nextcloud.yml
+++ b/nextcloud.yml
@@ -2,5 +2,6 @@
   vars_files:
   - vault/nextcloud
   roles:
+  - postgresql-server
   - apache
   - nextcloud
diff --git a/postgresql.yml b/postgresql.yml
index 22f74e3..2f84ac4 100644
--- a/postgresql.yml
+++ b/postgresql.yml
@@ -1,3 +1,11 @@
 - hosts: postgresql
   roles:
+  - role: trustca
+    ca: dch-root-ca-r2
+  - role: postgresql-cert
+    tags:
+    - postgresql-cert
+  - role: wal-g-pg
+    tags:
+    - wal-g
   - postgresql-server
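Review bot: `postgresql-server` is added to the Nextcloud play, but unlike `postgresql.yml` it is not paired with `wal-g-pg`, so the local database this creates gets no WAL archiving or base-backup path unless something outside this change covers it. If that is intentional because the Nextcloud data is backed up by another mechanism, a comment on the role line saying so would stop the next reader from treating it as an oversight: `# local DB for Nextcloud only; no WAL archiving, backed up via <mechanism>`.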
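Review bot: `trustca` is the only new role without a tag, so a tag-limited run such as `--tags postgresql-cert` would try ACME enrolment against `ca.pyrocufflink.blue` before `dch-root-ca-r2` is installed on a fresh host, and the cert role's TLS verification would fail; giving it the same tag (`tags: [postgresql-cert]` under the `trustca` entry) keeps the two steps together. The ordering of `postgresql-cert` ahead of `postgresql-server` is correct, since the server config references `server.cer`/`server.key` under `postgresql_config_dir`. Whether `postgresql-server` actually consumes `postgresql_restore_command` for initial recovery is outside this hunk and worth confirming in the role.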