diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix
new file mode 100644
index 0000000..338950a
--- /dev/null
+++ b/hosts/sql/postgres.nix
@@ -0,0 +1,43 @@
+{ config, ... }:
+
+let
+ fqdn = "sql.${config.networking.domain}";
+ mkEntry = "fancy function that takes a name and IP octed and creates a user, db and auth lines";
+in
+{
+ services = {
+ #nginx = {
+ # enable = true;
+ # virtualHosts."${fqdn}" = {
+ # enableACME = true;
+ # locations."/".return = "418";
+ # };
+ #};
+ postgresql = {
+ #enableTCPIP = true;
+ #settings = {
+ # ssl = "on";
+ # ssl_cert_file = "${config.security.acme.certs."${fqdn}".directory}/server.crt";
+ # ssl_key_file = "${config.security.acme.certs."${fqdn}".directory}/server.key";
+ # ssl_ca_file = "${config.security.acme.certs."${fqdn}".directory}/ca.crt";
+ #};
+ ensureUsers = [
+ {
+ name = "pda";
+ ensureDBOwnership = true;
+ }
+ ];
+ ensureDatabases = [
+ "pda"
+ ];
+ authentication = ''
+ # TYPE DATABASE USER ADDRESS METHOD
+ #hostssl pda pda 195.160.173.15/32 scram-sha-256
+ #hostssl pda pda 2001:678:760:cccb::15/128 scram-sha-256
+ host pda pda 195.160.173.15/32 scram-sha-256
+ host pda pda 2001:678:760:cccb::15/128 scram-sha-256
+ '';
+ };
+ };
+}
+
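Review bot: The two active `host` rules in `authentication` match both TLS and non-TLS connections, so once `enableTCPIP` is uncommented the `pda` traffic from 195.160.173.15 and 2001:678:760:cccb::15 can travel unencrypted and without server authentication; scram-sha-256 protects only the password exchange. I would switch to the `hostssl` variants at the point where TCP is enabled and record that next to the commented option, e.g. `# TODO: replace the pda host rules with hostssl before enabling TCP/IP`. With `enableTCPIP` commented out the server presumably listens on localhost only, so these remote-address rules are not reachable yet and the file reads as more open than it is. `ensureUsers` creates the `pda` role without a password, so scram-sha-256 logins will fail until one is set out of band; a comment saying where that secret comes from would help. `mkEntry` is bound to a placeholder string and is not used in the visible hunk, so a `# TODO` comment would be clearer than a dead binding.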