diff --git a/main.tf b/main.tf index 4cd26c2a..888a81c6 100644 --- a/main.tf +++ b/main.tf @@ -97,6 +97,7 @@ variable "cloudflare_proxied_names" {} variable "cloudflare_non_proxied_names" {} variable "cloudflare_tunnel_token" {} variable "owntracks_credentials" {} +variable "dawarich_database_password" {} # data "terraform_remote_state" "foo" { # backend = "kubernetes" @@ -403,6 +404,8 @@ module "kubernetes_cluster" { cloudflare_tunnel_token = var.cloudflare_tunnel_token owntracks_credentials = var.owntracks_credentials + + dawarich_database_password = var.dawarich_database_password } diff --git a/modules/kubernetes/dawarich/main.tf b/modules/kubernetes/dawarich/main.tf index e69de29b..8fbd851f 100644 --- a/modules/kubernetes/dawarich/main.tf +++ b/modules/kubernetes/dawarich/main.tf 
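Review bot: `variable "dawarich_database_password" {}` is declared with no type and no `sensitive = true`, so Terraform has no reason to redact the password in plan and apply output. I would declare it with `type = string` and `sensitive = true` inside the block (the flag needs Terraform 0.14 or later). The same bare declaration appears in modules/kubernetes/main.tf and, as `database_password`, in modules/kubernetes/dawarich/main.tf; marking those too keeps each module self-describing. The neighbouring credential variables in this hunk follow the same bare pattern, so this may be a file-wide convention worth revisiting rather than a one-off.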
@@ -0,0 +1,227 @@
+variable "tls_secret_name" {}
+variable "database_password" {}
+
+resource "kubernetes_namespace" "dawarich" {
+ metadata {
+ name = "dawarich"
+ labels = {
+ "istio-injection" : "disabled"
+ }
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "dawarich"
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "dawarich" {
+ metadata {
+ name = "dawarich"
+ namespace = "dawarich"
+ labels = {
+ app = "dawarich"
+ }
+ annotations = {
+ "reloader.stakater.com/search" = "true"
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "Recreate"
+ }
+ selector {
+ match_labels = {
+ app = "dawarich"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "dawarich"
+ }
+ annotations = {
+ "diun.enable" = "true"
+ "diun.include_tags" = "latest"
+ }
+ }
+ spec {
+
+ container {
+ image = "freikin/dawarich:latest"
+ name = "dawarich"
+ port {
+ name = "http"
+ container_port = 3000
+ }
+ command = ["dev-entrypoint.sh"]
+ args = ["bin/dev"]
+ env {
+ name = "REDIS_URL"
+ value = "redis://redis.redis.svc.cluster.local:6379/0"
+ }
+ env {
+ name = "DATABASE_HOST"
+ value = "postgresql.dbaas"
+ }
+ env {
+ name = "DATABASE_USERNAME"
+ value = "dawarich"
+ }
+ env {
+ name = "DATABASE_PASSWORD"
+ value = var.database_password
+ }
+ env {
+ name = "DATABASE_NAME"
+ value = "dawarich"
+ }
+ env {
+ name = "MIN_MINUTES_SPENT_IN_CITY"
+ value = "60"
+ }
+ env {
+ name = "TIME_ZONE"
+ value = "Europe/London"
+ }
+ env {
+ name = "DISTANCE_UNIT"
+ value = "km"
+ }
+ env {
+ name = "ENABLE_TELEMETRY"
+ value = "true"
+ }
+ env {
+ name = "APPLICATION_HOSTS"
+ value = "dawarich.viktorbarzin.me"
+ }
+
+ # volume_mount {
+ # name = "watched"
+ # mount_path = "/var/app/tmp/imports/watched"
+ # }
+ }
+ container {
+ image = "freikin/dawarich:latest"
+ name = "dawarich-sidekiq"
+ command = ["dev-entrypoint.sh"]
+ args = ["sidekiq"]
+ env {
+ name = "REDIS_URL"
+ value = "redis://redis.redis.svc.cluster.local:6379/0"
+ }
+ env {
+ name = "DATABASE_HOST"
+ value = "postgresql.dbaas"
+ }
+ env {
+ name = "DATABASE_USERNAME"
+ value = "dawarich"
+ }
+ env {
+ name = "DATABASE_PASSWORD"
+ value = var.database_password
+ }
+ env {
+ name = "DATABASE_NAME"
+ value = "dawarich"
+ }
+ env {
+ name = "MIN_MINUTES_SPENT_IN_CITY"
+ value = "60"
+ }
+ env {
+ name = "BACKGROUND_PROCESSING_CONCURRENCY"
+ value = "10"
+ }
+ env {
+ name = "DISTANCE_UNIT"
+ value = "km"
+ }
+ env {
+ name = "ENABLE_TELEMETRY"
+ value = "true"
+ }
+ env {
+ name = "APPLICATION_HOST"
+ value = "dawarich.viktorbarzin.me"
+ }
+
+ # volume_mount {
+ # name = "watched"
+ # mount_path = "/var/app/tmp/imports/watched"
+ # }
+ }
+ volume {
+ name = "watched"
+ nfs {
+ path = "/mnt/main/dawarich"
+ server = "10.0.10.15"
+ }
+ }
+ }
+ }
+ }
+}
+
+
+resource "kubernetes_service" "dawarich" {
+ metadata {
+ name = "dawarich"
+ namespace = "dawarich"
+ labels = {
+ "app" = "dawarich"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "dawarich"
+ }
+ port {
+ name = "http"
+ port = 443
+ target_port = 3000
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "dawarich" {
+ metadata {
+ name = "dawarich"
+ namespace = "dawarich"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ # "nginx.ingress.kubernetes.io/auth-type" = "basic" # support only basic auth; can't use authentik
+ # "nginx.ingress.kubernetes.io/auth-secret" = kubernetes_secret.basic_auth.metadata[0].name
+ # "nginx.ingress.kubernetes.io/auth-realm" = "Authentication Required"
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["dawarich.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "dawarich.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "dawarich"
+ port {
+ number = 443
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index c2b62735..3cfe772d 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
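Review bot: `DATABASE_PASSWORD` is set with `value = var.database_password` in both the `dawarich` and `dawarich-sidekiq` containers, which writes the password in clear text into the Deployment spec, where anyone who can read deployments or pods in the namespace sees it. Put it in a `kubernetes_secret` and reference it through `value_from` / `secret_key_ref` in both containers, as sketched below. The value still ends up in Terraform state, which this commit also updates (`terraform.tfstate`), so that file's protection matters just as much. Separately, both containers run the mutable `freikin/dawarich:latest` tag through `dev-entrypoint.sh` behind an ingress whose auth annotations are commented out; it is worth confirming that the development entrypoint is intended for a publicly routed host.

```hcl
resource "kubernetes_secret" "dawarich_db" {
  metadata {
    name      = "dawarich-db" # name chosen for this sketch
    namespace = "dawarich"
  }
  data = {
    password = var.database_password
  }
}

# … unchanged: namespace, tls_secret module, deployment metadata, other env entries …

          # same block in both the dawarich and dawarich-sidekiq containers
          env {
            name = "DATABASE_PASSWORD"
            value_from {
              secret_key_ref {
                name = kubernetes_secret.dawarich_db.metadata[0].name
                key  = "password"
              }
            }
          }
```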
@@ -76,6 +76,7 @@ variable "public_ip" {} variable "cloudflare_proxied_names" {} variable "cloudflare_non_proxied_names" {} variable "owntracks_credentials" {} +variable "dawarich_database_password" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first @@ -563,3 +564,9 @@ module "owntracks" { tls_secret_name = var.tls_secret_name owntracks_credentials = var.owntracks_credentials } + +module "dawarich" { + source = "./dawarich" + tls_secret_name = var.tls_secret_name + database_password = var.dawarich_database_password +} diff --git a/modules/kubernetes/owntracks/main.tf b/modules/kubernetes/owntracks/main.tf index 07dddec4..e4bcba31 100644 --- a/modules/kubernetes/owntracks/main.tf +++ b/modules/kubernetes/owntracks/main.tf @@ -37,6 +37,9 @@ resource "kubernetes_secret" "basic_auth" { } type = "Opaque" + lifecycle { + ignore_changes = [data] + } } resource "kubernetes_deployment" "owntracks" { @@ -88,6 +91,10 @@ resource "kubernetes_deployment" "owntracks" { name = "data" mount_path = "/store" } + volume_mount { + name = "data" + mount_path = "/config" + } } volume { name = "data" diff --git a/terraform.tfstate b/terraform.tfstate index 8a54ca01..9b7398bf 100644 Binary files a/terraform.tfstate and b/terraform.tfstate differ diff --git a/terraform.tfvars b/terraform.tfvars index fdf4afaf..dc39011e 100644 Binary files a/terraform.tfvars and b/terraform.tfvars differ
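Review bot: The new `lifecycle { ignore_changes = [data] }` on `kubernetes_secret.basic_auth` means a later change to the secret's data in Terraform will no longer reach the cluster, so a credential rotation made through the variables would apply cleanly and change nothing. If the secret is now maintained out of band, say so next to the block, for example `# data is edited in-cluster; Terraform will not overwrite it, rotate it there`. The resource starts above the hunk, so where its `data` comes from is not visible here.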
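Review bot: The added `volume_mount` maps the `data` volume to `/config` while the same volume is already mounted at `/store`, and neither mount has a `sub_path`, so both paths expose one directory and configuration files end up alongside the application's stored data. If the two are meant to be separate, add `sub_path = "config"` to the new mount; changing the existing `/store` mount would relocate data already on the volume, so that one needs a migration step first. The container and the volume definition continue outside the hunk, so the backing store is not visible here.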