diff --git a/config.yaml b/config.yaml
index 0692900..e10943f 100644
--- a/config.yaml
+++ b/config.yaml
@@ -59,3 +59,7 @@ systemd:
     - name: docker-matrixdotorg-matrix-appservice-irc.service
       enabled: false
       contents_local: docker-matrixdotorg-matrix-appservice-irc.service
+    # generate-secrets.service
+    - name: generate-secrets.service
+      enabled: true
+      contents_local: generate-secrets.service
diff --git a/files/generate-secrets.service b/files/generate-secrets.service
new file mode 100644
index 0000000..ef7c7db
--- /dev/null
+++ b/files/generate-secrets.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Create secrets if they don't exist
+ConditionPathExists=!/home/core/postgresql/secret
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c 'echo "POSTGRES_PASSWORD=$(/usr/bin/openssl rand -base64 20)" > /home/core/postgresql/secret'
+
+[Install]
+WantedBy=sysinit.target