diff --git a/infrastructure/addons/rancher/kustomization.yaml b/infrastructure/addons/rancher/kustomization.yaml
index d52d44a..704e6b2 100644
--- a/infrastructure/addons/rancher/kustomization.yaml
+++ b/infrastructure/addons/rancher/kustomization.yaml
@@ -5,4 +5,5 @@ resources:
 - helmrepository-rancher.yaml
 - helmrelease-rancher.yaml
 - rancher-bootstrap-password-externalsecret.yaml
+ - rancher-db-password-externalsecret.yaml
 - rancher-tailscale-service.yaml
diff --git a/infrastructure/addons/rancher/rancher-db-password-externalsecret.yaml b/infrastructure/addons/rancher/rancher-db-password-externalsecret.yaml
new file mode 100644
index 0000000..106037e
--- /dev/null
+++ b/infrastructure/addons/rancher/rancher-db-password-externalsecret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: rancher-db-password
+ namespace: cattle-system
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: doppler-hetznerterra
+ kind: ClusterSecretStore
+ target:
+ name: rancher-db-password
+ creationPolicy: Owner
+ template:
+ type: Opaque
+ data:
+ password: "{{ .RANCHER_DB_PASSWORD }}"
+ data:
+ - secretKey: RANCHER_DB_PASSWORD
+ remoteRef:
+ key: RANCHER_DB_PASSWORD
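Review bot: Nothing in the new `rancher-db-password-externalsecret.yaml` records what consumes the `rancher-db-password` Secret or how a rotated value reaches that consumer. `refreshInterval: 1h` only re-syncs the Secret from Doppler, so a workload that reads it as an environment variable would presumably keep the old password until it restarts; whether that applies depends on the HelmRelease, which this diff does not touch. A header comment such as `# Synced from Doppler key RANCHER_DB_PASSWORD; consumed by <consumer>; restart <consumer> after rotation` would make the rotation path explicit. Separately, the `target.template` block only renames the key, so `secretKey: password` under `data` should produce the same Opaque Secret without the template.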