diff --git a/k8s/apps/xandikos/external-secrets.yaml b/k8s/apps/xandikos/external-secrets.yaml
new file mode 100644
index 0000000..be3c3ca
--- /dev/null
+++ b/k8s/apps/xandikos/external-secrets.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: mmdl-secrets
+spec:
+  target:
+    name: mmdl-secrets
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        DB_DIALECT: 'postgres'
+        DB_HOST: psql.psql.svc
+        DB_USER: mmdl
+        DB_NAME: mmdl
+        DB_PORT: 5432
+        DB_PASS: |-
+          {{ .pg_pass }}
+        AES_PASSWORD: |-
+          {{ .pg_pass }}
+
+  data:
+    - secretKey: pg_pass
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[12].value
diff --git a/k8s/apps/xandikos/kustomization.yaml b/k8s/apps/xandikos/kustomization.yaml
index 5fec373..3f45521 100644
--- a/k8s/apps/xandikos/kustomization.yaml
+++ b/k8s/apps/xandikos/kustomization.yaml
@@ -7,5 +7,5 @@ resources:
   - mmdl-deployment.yaml
   - mmdl-service.yaml
   - ingress.yaml
-
+  - external-secrets.yaml
 
diff --git a/k8s/apps/xandikos/mmdl-deployment.yaml b/k8s/apps/xandikos/mmdl-deployment.yaml
index 4841d98..0cfb25b 100644
--- a/k8s/apps/xandikos/mmdl-deployment.yaml
+++ b/k8s/apps/xandikos/mmdl-deployment.yaml
@@ -26,6 +26,9 @@ spec:
         - name: mmdl
           image: intriin/mmdl:latest
           imagePullPolicy: Always
+          envFrom:
+            - secretRef:
+                name: mmdl-secrets
           env:
             - name: NEXTAUTH_URL
               value: "https://cal.hexor.cy"