diff --git a/.env.sample b/.env.sample
index a856e3a..e6aff1f 100644
--- a/.env.sample
+++ b/.env.sample
@@ -10,6 +10,11 @@ LETS_ENCRYPT_ENV=production
 
 COMPOSE_FILE="compose.yml"
 
+# PostgreSQL
+
+#COMPOSE_FILE="$COMPOSE_FILE:compose.postgresql.yml"
+#SECRET_DB_PASSWORD_VERSION=v1
+
 # OAuth, see https://docs.hedgedoc.org/guides/auth/keycloak/
 
 #COMPOSE_FILE="$COMPOSE_FILE:compose.oauth.yml"
diff --git a/compose.postgresql.yml b/compose.postgresql.yml
new file mode 100644
index 0000000..6fc8ee5
--- /dev/null
+++ b/compose.postgresql.yml
@@ -0,0 +1,55 @@
+version: "3.8"
+services:
+  app:
+    environment:
+      - CMD_DB_URL=
+      - CMD_DB_NAME=codimd
+      - CMD_DB_USER=codimd
+      - CMD_DB_HOST=db
+      - CMD_DB_PASSWORD_FILE=/run/secrets/db_password
+    depends_on:
+      - db
+    networks:
+      - internal
+    secrets:
+      - db_password
+  db:
+    image: postgres:16.4-alpine
+    environment:
+      - POSTGRES_USER=codimd
+      - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+      - POSTGRES_DB=codimd
+    volumes:
+      - "postgres:/var/lib/postgresql/data"
+    secrets:
+      - db_password
+    networks:
+      - internal
+    deploy:
+      labels:
+        backupbot.backup: "${ENABLE_BACKUPS:-true}"
+        backupbot.backup.pre-hook: "/pg_backup.sh backup"
+        backupbot.backup.volumes.postgres.path: "backup.sql"
+        backupbot.restore.post-hook: '/pg_backup.sh restore'
+    healthcheck:
+      test: "pg_isready"
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 1m
+    configs:
+        - source: pg_backup
+          target: /pg_backup.sh
+          mode: 0555
+volumes:
+  postgres:
+secrets:
+  db_password:
+    external: true
+    name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
+networks:
+  internal:
+configs:
+  pg_backup:
+    name: ${STACK_NAME}_pg_backup_${PG_BACKUP_VERSION}
+    file: pg_backup.sh