diff --git a/README.md b/README.md
index a6c4af3..5a5b2e0 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,10 @@ See [Variable precedence](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#ansible-variable-precedence) to find where you should put your own variables.
+Then define at least `coller_db_password` with a strong and secure password,
+encrypted using
+[ansible-vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html).
+
 See list of [default variables](defaults/main.yml).
diff --git a/defaults/main.yml b/defaults/main.yml
index 3ebcdba..90169ba 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,3 +3,6 @@ coller_config_dir: /etc/coller
 coller_port: 8080
 coller_manage_iptables: false
 coller_allowed_sources: []
+coller_db_name: coller
+coller_db_user: coller
+#coller_db_password:
diff --git a/tasks/main.yml b/tasks/main.yml
index 2681538..38bfa7b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: check password
+ ansible.builtin.assert:
+ that:
+ - coller_db_password | mandatory
+
 - name: download source code
 ansible.builtin.git:
 repo: https://git.riou.xyz/jriou/coller.git
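Review bot: The commented-out `#coller_db_password:` line in defaults/main.yml tells a reader neither that the variable is required nor where it is expected to come from, which is the one thing someone opening the defaults file needs to know. I would make it a real comment, e.g. `# coller_db_password: (required, no default) set it in your inventory or group_vars, encrypted with ansible-vault; see README`. Leaving the key undefined rather than defaulting it to an empty string is the right choice, because the `mandatory` filter used in tasks/main.yml only triggers on an undefined variable.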
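Review bot: The assertion `coller_db_password | mandatory` only produces a clear error when the variable is undefined; a defined-but-empty password also fails the assert, since an empty string is falsy, but with nothing more than the generic "Assertion failed" output and the expression echoed back. I would add `fail_msg: "coller_db_password must be set to a non-empty password (see README)"` and `quiet: true` to the assert task so both cases explain themselves. As far as I can tell the assert result never includes the evaluated value, so `no_log` is not needed on this task.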
@@ -14,22 +19,29 @@
 loop:
 - "{{ coller_config_dir }}"
-- name: create docker-compose file
+- name: create docker-compose files
 ansible.builtin.template:
- src: docker-compose.yml.j2
- dest: "{{ coller_config_dir }}/docker-compose.yml"
+ src: "{{ item.src }}.j2"
+ dest: "{{ coller_config_dir }}/{{ item.src }}"
 owner: root
 group: root
- mode: "0644"
+ mode: "{{ item.mode }}"
+ loop:
+ - src: docker-compose.yml
+ mode: "0644"
+ - src: db.env
+ mode: "0600"
 - name: create configuration file
 ansible.builtin.copy:
 content:
- listen_address: '0.0.0.0'
+ database_type: postgres
+ database_dsn: "host=db dbname={{ coller_db_name }} user={{ coller_db_user }} password={{ coller_db_password }}"
 dest: "{{ coller_config_dir }}/collerd.json"
 owner: root
 group: root
 mode: "0640"
+ no_log: true
 - name: start service
 community.docker.docker_compose_v2:
@@ -37,7 +49,6 @@
 files:
 - docker-compose.yml
-
 - name: manage iptables
 when: coller_manage_iptables
 ansible.builtin.include_tasks: manage-iptables.yml
diff --git a/templates/db.env.j2 b/templates/db.env.j2
new file mode 100644
index 0000000..511cba4
--- /dev/null
+++ b/templates/db.env.j2
@@ -0,0 +1,6 @@
+{{ ansible_managed | comment }}
+POSTGRES_USER={{ coller_db_user }}
+POSTGRES_PASSWORD={{ coller_db_password }}
+POSTGRES_DB={{ coller_db_name }}
+POSTGRES_INITDB_ARGS="--data-checksums"
+POSTGRES_HOST_AUTH_METHOD=scram-sha-256
diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2
index 4efdbaf..95b9230 100644
--- a/templates/docker-compose.yml.j2
+++ b/templates/docker-compose.yml.j2
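Review bot: The "create docker-compose files" task now renders db.env, which carries the database password, but unlike the copy task below it has no `no_log: true`, so a run with `--diff` prints the rendered `POSTGRES_PASSWORD=` line to the console and to whatever collects playbook output. I would add `no_log: true` to the template task too, accepting that docker-compose.yml loses its diff output, or move db.env into a task of its own with `no_log` set. Separately, `database_dsn` embeds the password unquoted in a libpq key=value string, so a password containing whitespace, a single quote or a backslash breaks parsing, and the same raw value goes into templates/db.env.j2, where, as I read the Compose env_file rules, a ` #` sequence would truncate it; either quote and escape the value (libpq accepts `password='…'` with `\'` and `\\` escapes) or state the permitted character set in the README. The surrounding task list continues outside the hunk.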
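Review bot: `POSTGRES_PASSWORD`, `POSTGRES_INITDB_ARGS` and `POSTGRES_HOST_AUTH_METHOD` are, as far as I know, only honoured by the official postgres image when it initialises an empty data directory, and the data directory here lives in the persistent `coller` volume; changing `coller_db_password` later therefore rewrites db.env and the DSN in collerd.json but leaves the real database password untouched, and the application stops authenticating. That deserves a comment in the template, e.g. `# POSTGRES_* settings only take effect on the first start of an empty data volume; rotating the password afterwards requires ALTER ROLE on the running database`, plus a sentence in the README. Setting `POSTGRES_HOST_AUTH_METHOD=scram-sha-256` explicitly is a good choice, since the image also uses that value for the pg_hba.conf entry it writes.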
@@ -6,8 +6,27 @@ services:
 build: /opt/coller
 container_name: collerd
 restart: always
+ networks:
+ - coller
 ports:
 - "{{ coller_port }}:8080"
 volumes:
 - "{{ coller_config_dir }}/collerd.json:/etc/collerd.json:ro"
 command: collerd -config /etc/collerd.json
+
+ db:
+ image: postgres:17
+ hostname: db
+ container_name: collerd_db
+ restart: always
+ env_file: {{ coller_config_dir }}/db.env
+ networks:
+ - coller
+ volumes:
+ - coller:/var/lib/postgresql/data
+
+networks:
+ coller:
+
+volumes:
+ coller:
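Review bot: The collerd service has no `depends_on` on the new db service and db has no healthcheck, so on first start and on every host reboot (both have `restart: always`) collerd can come up before postgres accepts connections; if collerd exits when the database is unreachable it will depend on restart loops to eventually connect. A `pg_isready` healthcheck on db plus a `service_healthy` dependency on collerd, sketched below, makes the ordering explicit. Also, `env_file: {{ coller_config_dir }}/db.env` is the only templated value in the file left unquoted; writing it like the `volumes` entry, `env_file: "{{ coller_config_dir }}/db.env"`, keeps the rendered YAML valid whatever the directory is set to. Not publishing a `ports:` entry for db is right, since it is then reachable only on the `coller` network. The collerd service key and the top of the `services` mapping are outside the hunk.
```yaml
    # … unchanged: collerd build, container_name, restart, networks, ports, volumes, command …
    depends_on:
      db:
        condition: service_healthy

  db:
    # … unchanged: image, hostname, container_name, restart, env_file, networks, volumes …
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
```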