diff --git a/apps/fireflyiii/db/firefly-db-secrets.yaml b/apps/fireflyiii/db/firefly-db-secrets.yaml
new file mode 100644
index 0000000..4b168a3
--- /dev/null
+++ b/apps/fireflyiii/db/firefly-db-secrets.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: firefly-db-secrets
+ namespace: pg-databases
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: bitwarden
+ kind: ClusterSecretStore
+
+ target:
+ name: firefly-db-secrets
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ mergePolicy: Merge
+ data:
+ APP_DB: '{{ index . "firefly-db-username" }}'
+ APP_USER: '{{ index . "firefly-db-username" }}'
+ APP_PASSWORD: '{{ index . "firefly-db-password" }}'
+
+ data:
+ - secretKey: firefly-db-password
+ remoteRef:
+ key: firefly-db-password
+ - secretKey: firefly-db-username
+ remoteRef:
+ key: firefly-db-username
diff --git a/apps/fireflyiii/db/kustomization.yaml b/apps/fireflyiii/db/kustomization.yaml
index 5b31e2c..afe786e 100644
--- a/apps/fireflyiii/db/kustomization.yaml
+++ b/apps/fireflyiii/db/kustomization.yaml
@@ -1,11 +1,16 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- fireflysecrets.yaml
+- firefly-db-secrets.yaml
 - ../../../infrastructure/modules/postgres-app
 namespace: pg-databases
+configMapGenerator:
+- name: postgres-app-config
+ literals:
+ - APP_SECRET_NAME=firefly-db-secrets
+
 patches:
 - target:
 kind: Job
diff --git a/apps/fireflyiii/db/fireflysecrets.yaml b/apps/fireflyiii/fireflysecrets.yaml
similarity index 100%
rename from apps/fireflyiii/db/fireflysecrets.yaml
rename to apps/fireflyiii/fireflysecrets.yaml
diff --git a/apps/fireflyiii/kustomization.yaml b/apps/fireflyiii/kustomization.yaml
index 2ed7a6b..3736221 100644
--- a/apps/fireflyiii/kustomization.yaml
+++ b/apps/fireflyiii/kustomization.yaml
@@ -8,3 +8,4 @@ resources:
 - pvc.yaml
 - service.yaml
 - db
+- fireflysecrets.yaml
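Review bot: The keys rendered under `target.template.data` (`APP_DB`, `APP_USER`, `APP_PASSWORD`) do not match the keys the postgres-app Job reads through `secretKeyRef` in job.yaml (`database`, `username`, `password`). Unless the Job patch that lies outside this diff rewrites those references, the container will fail to start on a missing Secret key. Naming the template keys `database`, `username` and `password` would line the two files up. `APP_DB` is also filled from `firefly-db-username`; if the database name is meant to equal the role name, a comment such as `# database name intentionally equals the role name` above that line would make the intent explicit.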
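Review bot: Generating a ConfigMap that holds `APP_SECRET_NAME` does not by itself make `$(APP_SECRET_NAME)` in job.yaml resolve. Kustomize substitutes `$(NAME)` only for entries declared under the deprecated `vars:` field, which this hunk does not add, and Kubernetes does not expand `$(...)` inside `secretKeyRef.name`. As written the Job would most likely be submitted with the literal placeholder as its Secret name, which is not a valid object name. This file already patches `kind: Job` (the patch body is outside the hunk), so setting `secretKeyRef.name` to `firefly-db-secrets` there, or adding a `replacements:` entry sourced from the generated ConfigMap, would be the supported route. The same applies to the three `name: $(APP_SECRET_NAME)` lines in infrastructure/modules/postgres-app/job.yaml.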
diff --git a/infrastructure/modules/postgres-app/job.yaml b/infrastructure/modules/postgres-app/job.yaml
index 172177f..3c344da 100644
--- a/infrastructure/modules/postgres-app/job.yaml
+++ b/infrastructure/modules/postgres-app/job.yaml
@@ -25,17 +25,17 @@ spec:
 - name: APP_DB
 valueFrom:
 secretKeyRef:
- name: app-db-secret
+ name: $(APP_SECRET_NAME)
 key: database
 - name: APP_USER
 valueFrom:
 secretKeyRef:
- name: app-db-secret
+ name: $(APP_SECRET_NAME)
 key: username
 - name: APP_PASSWORD
 valueFrom:
 secretKeyRef:
- name: app-db-secret
+ name: $(APP_SECRET_NAME)
 key: password
 command:
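Review bot: Replacing the fixed `app-db-secret` with a placeholder in the shared module leaves the base without a usable default. Any other overlay that includes `infrastructure/modules/postgres-app` and still supplies a Secret named `app-db-secret` would break unless it is updated in the same change; whether such overlays exist is not visible here. Keeping `name: app-db-secret` in the base and overriding it per app with a patch would keep existing consumers working. A comment above the env entries such as `# Secret must provide keys: database, username, password` would document the contract each overlay has to meet. The container spec continues outside the hunk.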