diff --git a/values/badhouseplants/observability/grafana/values.yaml b/values/badhouseplants/observability/grafana/values.yaml
index 3e55cfc..449857e 100644
--- a/values/badhouseplants/observability/grafana/values.yaml
+++ b/values/badhouseplants/observability/grafana/values.yaml
@@ -35,6 +35,25 @@ datasources:
           httpHeaderName1: 'X-Scope-OrgID'
         secureJsonData:
           httpHeaderValue1: 'badhouseplants'
+envFromSecret: grafana-db-creds
+extraObjects:
+  - apiVersion: kinda.rocks/v1beta1
+    kind: Database
+    metadata:
+      name: grafana-postgres17
+    spec:
+      backup:
+        cron: '0 0 * * *'
+        enable: false
+      credentials:
+        templates:
+        - name: DB_HOST
+          secret: true
+          template: '{{ `{{ .Hostname }}:{{ .Port }}` }}'
+      deletionProtected: true
+      instance: postgres17
+      postgres: {}
+      secretName: grafana-db-creds
 grafana.ini:
   server:
     root_url: https://grafana.badhouseplants.net
@@ -51,3 +70,12 @@ grafana.ini:
     api_url: "https://authentik.badhouseplants.net/application/o/userinfo/"
     # Optionally map user groups to Grafana roles
     role_attribute_path: contains(groups, 'Admins') && 'Admin' || contains(groups, 'DevOps') && 'Editor' || 'Viewer'
+  database:
+    type: postgres
+    host: ${DB_HOST}
+    name: ${POSTGRES_DB}
+    user: ${POSTGRES_USER}
+    password: ${POSTGRES_PASSWORD}
+    ssl_mode: disable
+    max_open_conn: 10
+    max_idle_conn: 5