diff --git a/gitea/conf/conf.ini.tpl b/gitea/conf/conf.ini.tpl
index d2db1c8..9578ebb 100644
--- a/gitea/conf/conf.ini.tpl
+++ b/gitea/conf/conf.ini.tpl
@@ -83,28 +83,20 @@ SSH_SERVER_MACS = hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com,
 
 ; TODO
 ; ; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
-; DB_TYPE = mysql
-; HOST = 127.0.0.1:3306
+DB_TYPE = sqlite3
+; HOST = mariadb:3306
 ; NAME = gitea
-; USER = root
-; PASSWD =
+; USER = gitea
+; PASSWD = "${mysql-password}"
 ; ; For "postgres" only, either "disable", "require" or "verify-full"
 ; SSL_MODE = disable
 ; ; For "sqlite3" and "tidb", use absolute path when you start as service
-; PATH = data/gitea.db
+PATH = data/gitea.db
 ; ; For "sqlite3" only. Query timeout
 ; SQLITE_TIMEOUT = 500
 ; ; For iterate buffer, default is 50
 ; ITERATE_BUFFER_SIZE = 50
 
-PATH     = /data/gitea/gitea.db
-DB_TYPE  = sqlite3
-HOST     = localhost:3306
-NAME     = gitea
-USER     = root
-PASSWD   =
-SSL_MODE = disable
-
 [session]
 PROVIDER_CONFIG = /data/gitea/sessions
 PROVIDER        = file
diff --git a/gitea/data.tf b/gitea/data.tf
index c0df300..0ac5306 100644
--- a/gitea/data.tf
+++ b/gitea/data.tf
@@ -15,5 +15,6 @@ data "template_file" "gitea-config-file" {
     internal_token = "${var.internal-token}"
     smtp_password  = "${var.smtp-password}"
     lfs-jwt-secret = "${var.lfs-jwt-secret}"
+    mysql-password = "${var.mysql-password}"
   }
 }
diff --git a/gitea/main.tf b/gitea/main.tf
index f3ff71a..33d8e70 100644
--- a/gitea/main.tf
+++ b/gitea/main.tf
@@ -61,6 +61,7 @@ resource "docker_container" "gitea" {
   must_run              = true
   links = [
     "gitea-redis",
+    "mariadb",
   ]
 }
 
diff --git a/gitea/mysql.tf b/gitea/mysql.tf
new file mode 100644
index 0000000..719cde2
--- /dev/null
+++ b/gitea/mysql.tf
@@ -0,0 +1,16 @@
+resource "mysql_database" "gitea" {
+  name = "gitea"
+}
+
+resource "mysql_user" "gitea" {
+  user               = "gitea"
+  host               = "%"
+  plaintext_password = "${var.mysql-password}"
+}
+
+resource "mysql_grant" "gitea" {
+  user       = "${mysql_user.gitea.user}"
+  host       = "${mysql_user.gitea.host}"
+  database   = "${mysql_database.gitea.name}"
+  privileges = ["ALL"]
+}
diff --git a/gitea/variables.tf b/gitea/variables.tf
index a3b9fff..824d462 100644
--- a/gitea/variables.tf
+++ b/gitea/variables.tf
@@ -12,3 +12,4 @@ variable "secret-key" {}
 variable "internal-token" {}
 variable "smtp-password" {}
 variable "lfs-jwt-secret" {}
+variable "mysql-password" {}
diff --git a/main.tf b/main.tf
index c5003bb..14bdff2 100644
--- a/main.tf
+++ b/main.tf
@@ -43,6 +43,7 @@ module "gitea" {
   internal-token = "${var.gitea-internal-token}"
   smtp-password  = "${var.gitea-smtp-password}"
   lfs-jwt-secret = "${var.gitea-lfs-jwt-secret}"
+  mysql-password = "${var.gitea-mysql-password}"
 }
 
 module "radicale" {
diff --git a/variables.tf b/variables.tf
index 104d54c..0b94e74 100644
--- a/variables.tf
+++ b/variables.tf
@@ -22,6 +22,7 @@ variable "mysql_airsonic_password" {}
 variable "mysql_kodi_password" {}
 
 variable "mysql-ttrss-password" {}
+variable "gitea-mysql-password" {}
 
 variable "wiki_session_secret" {
   type = "string"