diff --git a/modules/nixos/services/databasus/default.nix b/modules/nixos/services/databasus/default.nix
new file mode 100644
index 0000000..edba63e
--- /dev/null
+++ b/modules/nixos/services/databasus/default.nix
@@ -0,0 +1,23 @@
+{
+ lib,
+ config,
+ namespace,
+ ...
+}:
+let
+ cfg = config.${namespace}.services."databasus";
+in
+{
+ imports = [
+ (lib.${namespace}.mkContainerService {
+ inherit config;
+ name = "databasus";
+ image = "databasus/databasus";
+ internalPort = 4005;
+ volumes = [
+ "${cfg.configDir}/databasus:/databasus-data"
+ ];
+ environmentFiles = [ ];
+ })
+ ];
+}
diff --git a/systems/x86_64-linux/jallen-nas/apps.nix b/systems/x86_64-linux/jallen-nas/apps.nix
index 4016320..ca172df 100755
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -103,6 +103,11 @@ in
 envFile = config.sops.templates."ntfy.env".path;
 };
 };
+ databasus = {
+ enable = true;
+ port = 4005;
+ reverseProxy = enabled;
+ };
 dispatcharr = {
 enable = false;
 port = 9191;
diff --git a/systems/x86_64-linux/jallen-nas/nas-defaults.nix b/systems/x86_64-linux/jallen-nas/nas-defaults.nix
index 8dc6965..3c03a0d 100644
--- a/systems/x86_64-linux/jallen-nas/nas-defaults.nix
+++ b/systems/x86_64-linux/jallen-nas/nas-defaults.nix
@@ -46,6 +46,7 @@ in
 "collabora"
 "coturn"
 "crowdsec"
+ "databasus"
 "dispatcharr"
 "free-games-claimer"
 "gitea"
diff --git a/systems/x86_64-linux/jallen-nas/services.nix b/systems/x86_64-linux/jallen-nas/services.nix
index 1979f44..26ca4dc 100755
--- a/systems/x86_64-linux/jallen-nas/services.nix
+++ b/systems/x86_64-linux/jallen-nas/services.nix
@@ -29,6 +29,13 @@ in
 GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
 GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
 "
+
+ psql -c "
+ ALTER ROLE databasus WITH PASSWORD 'databasus';
+ ALTER ROLE databasus BYPASSRLS;
+ GRANT CONNECT ON DATABASE nextcloud TO databasus;
+ GRANT pg_read_all_data TO databasus;
+ "
 '';
 };
 };
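Review bot: `image = "databasus/databasus";` in the new default.nix names the image without a tag or digest, so the container runs whatever the registry serves at pull time, and this is the service that is later handed a database role with read access to every table. Pin it to a verified release, e.g. `image = "databasus/databasus:<version>@sha256:<digest>";` (placeholders), assuming mkContainerService passes the string to the container runtime unchanged. Updates then become an explicit, reviewable change to this line.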
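Review bot: `reverseProxy = enabled;` in the apps.nix hunk publishes the databasus UI through the proxy, and nothing visible in this hunk shows what authentication or network restriction sits in front of it. Because the service is given a role that can read every table (services.nix hunk of this commit), I would record the intended exposure next to the option, e.g. `# LAN/SSO only: this UI can reach dumps of every database`, and confirm that the proxy module actually enforces it.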
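Review bot: `ALTER ROLE databasus WITH PASSWORD 'databasus';` in the first services.nix hunk hard-codes a password equal to the role name, so it is public in the repository and presumably lands in the world-readable Nix store, while the same block grants that role `BYPASSRLS` and `pg_read_all_data`. Together with the pg_hba rule added in the last hunk, anything on 10.88.0.0/16 that knows the role name can log in and read all data. Load the password at runtime from a sops-managed secret (apps.nix already uses sops templates) and feed the statement to psql on stdin as `ALTER ROLE databasus WITH PASSWORD :'db_pw';`, since psql does not interpolate variables inside `-c` strings. The enclosing script string starts and ends outside the hunk.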
@@ -99,6 +106,9 @@ in name = "suggestarr"; ensureDBOwnership = true; } + { + name = "databasus"; + } ]; # pg_hba.conf — use lib.mkForce to replace the module defaults entirely. # @@ -124,6 +134,7 @@ in # Podman container network — suggestarr server connects via host LAN IP host suggestarr suggestarr 10.88.0.0/16 scram-sha-256 + host all databasus 10.88.0.0/16 scram-sha-256 ''; # identMap — maps OS usernames to PostgreSQL usernames for peer auth.
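Review bot: `host all databasus 10.88.0.0/16 scram-sha-256` lets the role authenticate to every database from the whole Podman range, whereas the only explicit grant in this commit is `CONNECT` on nextcloud and the neighbouring suggestarr rule names a single database. If nextcloud is the only backup target, narrow the rule to `host nextcloud databasus 10.88.0.0/16 scram-sha-256`, or to the container's own address if that is fixed. If every database is intended, say so in a comment above the rule so the breadth is a documented decision. The pg_hba string begins outside the hunk.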