diff --git a/lan/justfile b/lan/justfile
index d1287a5..2294765 100644
--- a/lan/justfile
+++ b/lan/justfile
@@ -9,6 +9,7 @@ passwd := `pass pg.monotremata.xyz/terraform`
 # conn_str := f"postgres://{{pg_user}}:{{passwd}}@{{pg_host}}:{{pg_port}}/{{pg_db}}"
 export TF_VAR_hetzner_token := `pass hetzner.com/tokens/suricata`
+export TF_VAR_pg_passwd := `pass pg.monotremata.xyz/terraform`
 init:
 terraform init -backend-config="conn_str=postgres://{{pg_user}}:{{passwd}}@{{pg_host}}:{{pg_port}}/{{pg_db}}"
diff --git a/lan/main.tf b/lan/main.tf
index ce66a6a..3ec0224 100644
--- a/lan/main.tf
+++ b/lan/main.tf
@@ -12,3 +12,11 @@ module "cert-manager" {
 dns_common_name = var.dns_common_name
 dns_names = var.dns_names
 }
+
+module "postgresql" {
+ source = "../modules/postgresql"
+ host = "pg.monotremata.xyz"
+ password = var.pg_passwd
+ username = "terraform"
+ db_owner = "rilla"
+}
diff --git a/lan/variables.tf b/lan/variables.tf
index b1e0b27..f9a3a9a 100644
--- a/lan/variables.tf
+++ b/lan/variables.tf
@@ -31,3 +31,9 @@ variable "dns_names" {
 "*.suricata.monotremata.xyz",
 ]
 }
+
+variable "pg_passwd" {
+ type = string
+ sensitive = true
+ description = "postgresql password"
+}
diff --git a/modules/postgresql/main.tf b/modules/postgresql/main.tf
new file mode 100644
index 0000000..2fc2d24
--- /dev/null
+++ b/modules/postgresql/main.tf
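Review bot: The added `export TF_VAR_pg_passwd` line runs `pass pg.monotremata.xyz/terraform` a second time even though `passwd := \`pass pg.monotremata.xyz/terraform\``, visible on the hunk header, already holds that value; `export TF_VAR_pg_passwd := passwd` reads the secret once and keeps the two from drifting apart. An exported justfile variable is placed in the environment of every recipe, not only `init`, which is what the existing `TF_VAR_hetzner_token` line already does, so this is consistent but deserves a comment such as `# exported so terraform picks them up as variables` so the next reader knows why both are exported rather than plain assignments.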
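Review bot: The new `module "postgresql"` block hard-codes `host = "pg.monotremata.xyz"` and `username = "terraform"` while the justfile's `init` recipe builds its backend connection string from `pg_host` and `pg_user`, so the same connection details now live in two places and can drift; passing them through `TF_VAR_` variables the way `pg_passwd` is passed would keep one source of truth. If the `terraform_backend` database this module creates is also the one the `init` backend connects to (the justfile's `pg_db` value is not visible here), that database must exist before `terraform init` can succeed, so the module cannot bootstrap it; a short comment on the block stating that ordering would save the next reader from trying.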
@@ -0,0 +1,43 @@
+terraform {
+ required_providers {
+ postgresql = {
+ source = "cyrilgdn/postgresql"
+ version = ">= 1.19.0"
+ }
+ }
+}
+
+provider "postgresql" {
+ host = var.host
+ port = var.port
+ username = var.username
+ password = var.password
+}
+
+resource "postgresql_database" "terraform_backend_db" {
+ name = "terraform_backend"
+ owner = var.db_owner
+ encoding = "UTF8"
+ tablespace_name = "pg_default"
+}
+
+resource "postgresql_database" "terraform_lan_db" {
+ name = "terraform_lan"
+ owner = var.db_owner
+ encoding = "UTF8"
+ tablespace_name = "pg_default"
+}
+
+resource "postgresql_grant" "terraform_backend_db_grant" {
+ database = postgresql_database.terraform_backend_db.name
+ privileges = ["CONNECT", "CREATE", "TEMPORARY"]
+ object_type = "database"
+ role = var.username
+}
+
+resource "postgresql_grant" "terraform_lan_db_grant" {
+ database = postgresql_database.terraform_lan_db.name
+ privileges = ["CONNECT", "CREATE", "TEMPORARY"]
+ object_type = "database"
+ role = var.username
+}
diff --git a/modules/postgresql/variables.tf b/modules/postgresql/variables.tf
new file mode 100644
index 0000000..62c59f1
--- /dev/null
+++ b/modules/postgresql/variables.tf
@@ -0,0 +1,27 @@
+variable "host" {
+ type = string
+ description = "postgresql host"
+}
+
+variable "port" {
+ type = number
+ description = "postgresql post"
+ default = 5432
+}
+
+variable "password" {
+ type = string
+ description = "postgresql password"
+ sensitive = true
+}
+
+variable "username" {
+ type = string
+ description = "postgresql username"
+ sensitive = true
+}
+
+variable "db_owner" {
+ type = string
+ description = "postgresql database owner"
+}
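Review bot: The `provider "postgresql"` block is declared inside the child module, which Terraform treats as a legacy pattern: a module that configures its own provider cannot be used with `count`, `for_each` or `depends_on`, and removing the module block later can leave Terraform unable to destroy the databases it created because the provider configuration disappears with them. Moving the provider to the root module and passing it in with `providers = { postgresql = postgresql }` on the module block keeps this module reusable. The provider block also leaves `sslmode` unset, so transport security for the connection carrying `var.password` rests on the provider default; pinning it explicitly, e.g. `sslmode = "require"`, documents the intent. The two `postgresql_grant` resources grant on databases owned by `var.db_owner` to `var.username`, the same role the provider logs in as; PostgreSQL only lets the owner, a member of the owner role or a superuser grant database privileges, so a comment stating which of those the `username` role is expected to be would make the module's precondition explicit.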
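Review bot: The description of `variable "port"` reads `"postgresql post"`, a typo for `"postgresql port"`; descriptions surface in `terraform plan` prompts and generated docs, so it is worth fixing in the same commit. Marking `username` as `sensitive = true` while `host` and `db_owner` are not is also inconsistent: Terraform propagates sensitivity to every attribute the value flows into, so the `role` of both grants will be redacted from plan output, which makes diffs harder to read without protecting much; keep `sensitive` on `password` only unless the username really is a secret.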