diff --git a/grafana/kustomization.yaml b/grafana/kustomization.yaml
index f087e74..09819bc 100644
--- a/grafana/kustomization.yaml
+++ b/grafana/kustomization.yaml
@@ -49,7 +49,7 @@ helmCharts:
 GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL: "$(OIDC_IDP_URI)"
 envFromSecrets:
 - name: oidc-client-grafana-owner-secrets
- - name: grafana-database
+ - name: mariadb-secrets
 plugins:
 - yesoreyeram-infinity-datasource
 datasources:
@@ -67,4 +67,4 @@ helmCharts:
 resources:
 - ./passmower.yaml
-- ssh://git@git.k-space.ee/secretspace/kube/grafana # secret: grafana-database
+- ./mariadb.yml
\ No newline at end of file
diff --git a/grafana/mariadb.yml b/grafana/mariadb.yml
new file mode 100644
index 0000000..4829f8f
--- /dev/null
+++ b/grafana/mariadb.yml
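Review bot: `envFromSecrets` injects every key of `mariadb-secrets` into the Grafana container, and the SecretClaim added in grafana/mariadb.yml puts `MYSQL_ROOT_PASSWORD` in that same secret, so Grafana's environment now carries the database root credential although it only needs `GF_DATABASE_TYPE` and `GF_DATABASE_URL`. The claim also renders `%(plaintext)s` into both password keys and the URL; if the operator substitutes one generated value per claim (not confirmable from this diff), the application password and the root password are identical. Moving the root key into its own claim, referenced only by the StatefulSet, addresses both; the claim name below is a suggestion.

```yaml
# grafana/mariadb.yml, StatefulSet container "mariadb"
# … unchanged: image, imagePullPolicy …
env:
  - name: MYSQL_ROOT_PASSWORD
    valueFrom:
      secretKeyRef:
        name: mariadb-root-secrets  # proposed name
        key: MYSQL_ROOT_PASSWORD
  # … unchanged: MYSQL_USER, MYSQL_DATABASE, MYSQL_PASSWORD …
---
# new claim: root credential only, never referenced by Grafana
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
  name: mariadb-root-secrets  # proposed name
spec:
  size: 32
  mapping:
    - key: MYSQL_ROOT_PASSWORD
      value: "%(plaintext)s"
# … mariadb-secrets claim: drop its MYSQL_ROOT_PASSWORD entry, rest unchanged …
```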
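Review bot: The new entry `- ./mariadb.yml` uses a different extension from its neighbour `./passmower.yaml` and from kustomization.yaml itself, and it drops the trailing comment that told readers which secret the resource provides. Renaming the file to `mariadb.yaml` and writing `- ./mariadb.yaml # secret: mariadb-secrets` would keep the list consistent and self-describing. The file still ends without a final newline, which could be fixed while this line is being touched.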
@@ -0,0 +1,103 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: mariadb
+spec:
+ revisionHistoryLimit: 0
+ serviceName: mariadb
+ selector:
+ matchLabels:
+ app: mariadb
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mariadb
+ annotations:
+ prometheus.io/port: '9104'
+ prometheus.io/scrape: 'true'
+ spec:
+ containers:
+ - name: exporter
+ image: mirror.gcr.io/prom/mysqld-exporter:latest
+ args:
+ - --mysqld.username
+ - exporter
+ - name: mariadb
+ image: mirror.gcr.io/library/mariadb:12.1
+ imagePullPolicy: Always
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-secrets
+ key: MYSQL_ROOT_PASSWORD
+ - name: MYSQL_USER
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MYSQL_DATABASE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mariadb-secrets
+ key: MYSQL_PASSWORD
+ volumeMounts:
+ - name: mariadb-data
+ mountPath: /var/lib/mysql
+ - name: mariadb-init
+ mountPath: /docker-entrypoint-initdb.d
+ volumes:
+ - name: mariadb-init
+ configMap:
+ name: mariadb-init-config
+ volumeClaimTemplates:
+ - metadata:
+ name: mariadb-data
+ spec:
+ storageClassName: ceph-rbd
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: mariadb-secrets
+spec:
+ size: 32
+ mapping:
+ - key: MYSQL_ROOT_PASSWORD
+ value: "%(plaintext)s"
+ - key: MYSQL_PASSWORD
+ value: "%(plaintext)s"
+ - key: GF_DATABASE_TYPE
+ value: mysql
+ - key: GF_DATABASE_URL
+ value: mysql://grafana:%(plaintext)s@mariadb:3306/grafana
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mariadb
+spec:
+ ports:
+ - protocol: TCP
+ port: 3306
+ selector:
+ app: mariadb
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mariadb-init-config
+data:
+ initdb.sql: |
+ CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
+ GRANT PROCESS, REPLICATION CLIENT, 
SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';
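Review bot: The exporter sidecar is referenced as `mysqld-exporter:latest`, and `mariadb:12.1` combined with `imagePullPolicy: Always` is likewise a moving tag, so any pod restart can start images that differ from what was reviewed. Pin both to an exact release or digest, for example `image: mirror.gcr.io/prom/mysqld-exporter:<PINNED_VERSION>` (placeholder; use the release you have tested). Separately, `GF_DATABASE_URL` hard-codes user and database `grafana` while `MYSQL_USER` and `MYSQL_DATABASE` come from `metadata.namespace`, so the URL only matches when the namespace is named `grafana`. A comment on that mapping entry, such as `# user/db must equal the namespace name`, would record the coupling.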