diff --git a/kaarana.tf b/kaarana.tf
new file mode 100644
index 0000000..e0fe45d
--- /dev/null
+++ b/kaarana.tf
@@ -0,0 +1,20 @@
+# kaarana related stuff
+
+module "kaarana" {
+ source = "./kaarana"
+
+ root_db_password = "${data.pass_password.kaarana-root-db-password.password}"
+ db_password = "${data.pass_password.kaarana-db-password.password}"
+
+ providers = {
+ docker = "docker.sydney"
+ }
+}
+
+data "pass_password" "kaarana-root-db-password" {
+ path = "KAARANA_DB_ROOT_PASSWORD"
+}
+
+data "pass_password" "kaarana-db-password" {
+ path = "KAARANA_DB_PASSWORD"
+}
diff --git a/kaarana/database.tf b/kaarana/database.tf
new file mode 100644
index 0000000..48e7473
--- /dev/null
+++ b/kaarana/database.tf
@@ -0,0 +1,40 @@
+// Create a small database network
+resource "docker_network" "kaarana-db" {
+ name = "kaarana-db"
+
+ labels = {
+ internal = "true"
+ role = "database"
+ }
+
+ internal = true
+
+ ipam_config {
+ subnet = "172.20.0.0/29"
+ gateway = "172.20.0.1"
+ }
+}
+
+// Run a small mySQL container in this subnet
+
+resource "docker_container" "mysql" {
+ image = "${docker_image.db.latest}"
+ name = "kaarana-mariadb"
+
+ env = [
+ "MYSQL_ROOT_PASSWORD=${var.root_db_password}",
+ "MYSQL_USER=${local.username}",
+ "MYSQL_PASSWORD=${var.db_password}",
+ "MYSQL_DATABASE=${local.database}",
+ ]
+
+ volumes {
+ host_path = "/mnt/disk/kaarana-db"
+ container_path = "/var/lib/mysql"
+ }
+
+ networks_advanced {
+ name = "kaarana-db"
+ aliases = ["${local.db_hostname}"]
+ }
+}
diff --git a/kaarana/images.tf b/kaarana/images.tf
new file mode 100644
index 0000000..f1e3e77
--- /dev/null
+++ b/kaarana/images.tf
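Review bot: In kaarana.tf the two `pass_password` values are passed as plain module inputs and, in kaarana/database.tf and kaarana/wordpress.tf, interpolated into container `env` lists, so both database passwords will be written in cleartext to the Terraform state and be readable with `docker inspect` on the Docker host. The official mariadb and wordpress images accept `MYSQL_ROOT_PASSWORD_FILE`, `MYSQL_PASSWORD_FILE` and `WORDPRESS_DB_PASSWORD_FILE`, which would keep the values out of the container environment when pointed at a mounted file. The state copy remains either way, so the state backend (not visible in this diff) needs encryption and restricted access. A comment above the module block such as `# DB passwords come from pass; they end up in state, keep the backend encrypted` would record that.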
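Review bot: In kaarana/database.tf the `networks_advanced` block names the network with the literal `"kaarana-db"`, so Terraform sees no dependency on `docker_network.kaarana-db` and may try to create the container before the network exists; `name = "${docker_network.kaarana-db.name}"` makes the ordering explicit. The same literal is used in kaarana/wordpress.tf. The comment `// Run a small mySQL container in this subnet` is also slightly off, since the image and container name are MariaDB.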
@@ -0,0 +1,26 @@
+data "docker_registry_image" "wp" {
+ name = "wordpress:latest"
+}
+
+resource "docker_image" "wp" {
+ name = "wordpress"
+ pull_triggers = ["${data.docker_registry_image.wp.sha256_digest}"]
+}
+
+data "docker_registry_image" "db" {
+ name = "mariadb:10.4"
+}
+
+resource "docker_image" "db" {
+ name = "mariadb"
+ pull_triggers = ["${data.docker_registry_image.db.sha256_digest}"]
+}
+
+data "docker_registry_image" "traefik" {
+ name = "traefik:v2.0"
+}
+
+resource "docker_image" "traefik" {
+ name = "traefik"
+ pull_triggers = ["${data.docker_registry_image.db.sha256_digest}"]
+}
diff --git a/kaarana/traefik.tf b/kaarana/traefik.tf
new file mode 100644
index 0000000..59107a6
--- /dev/null
+++ b/kaarana/traefik.tf
@@ -0,0 +1,11 @@
+// Create a small database network
+resource "docker_network" "traefik" {
+ name = "traefik"
+
+ labels = {
+ internal = "true"
+ role = "ingress"
+ }
+
+ internal = true
+}
diff --git a/kaarana/vars.tf b/kaarana/vars.tf
new file mode 100644
index 0000000..a826515
--- /dev/null
+++ b/kaarana/vars.tf
@@ -0,0 +1,8 @@
+variable "root_db_password" {}
+variable "db_password" {}
+
+locals {
+ username = "wordpress"
+ database = "wordpress"
+ db_hostname = "kaarana.db"
+}
diff --git a/kaarana/wordpress.tf b/kaarana/wordpress.tf
new file mode 100644
index 0000000..a06e00e
--- /dev/null
+++ b/kaarana/wordpress.tf
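Review bot: In kaarana/images.tf the `docker_image.traefik` resource takes its `pull_triggers` from `data.docker_registry_image.db.sha256_digest`, so a new traefik digest never triggers a pull while a MariaDB update re-pulls traefik; it should read `pull_triggers = ["${data.docker_registry_image.traefik.sha256_digest}"]`. The three `docker_image` resources also use untagged names (`"wordpress"`, `"mariadb"`, `"traefik"`), which as far as I know resolve to `:latest` rather than the `mariadb:10.4` and `traefik:v2.0` tags the data sources look up; `name = "${data.docker_registry_image.db.name}"` (and likewise for the other two) keeps image and digest in step. `wordpress:latest` is left unpinned, and a fixed version tag would make what runs on the host reviewable.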
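Review bot: The comment at the top of kaarana/traefik.tf, `// Create a small database network`, was carried over from database.tf and should describe the ingress network instead, e.g. `// Network for traefik ingress traffic`. The network is also `internal = true`, which in Docker cuts it off from outside traffic; if traefik is meant to accept external connections through this network the flag probably needs another look, though no traefik container is defined in this diff to confirm.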
@@ -0,0 +1,34 @@
+resource "docker_container" "wp" {
+ image = "${docker_image.wp.latest}"
+ name = "kaarana-wordpress"
+
+ env = [
+ "WORDPRESS_DB_HOST=${local.db_hostname}",
+ "WORDPRESS_DB_USER=${local.username}",
+ "WORDPRESS_DB_PASSWORD=${var.db_password}",
+ "WORDPRESS_DB_NAME=${local.database}",
+ "WORDPRESS_TABLE_PREFIX=",
+ ]
+
+ volumes {
+ host_path = "/mnt/disk/kaarana-wp"
+ container_path = "/var/www/html"
+ }
+
+ ports {
+ internal = 8080
+ external = 8213
+ ip = "10.8.0.1"
+ }
+
+ networks_advanced = [
+ {
+ name = "kaarana-db"
+ },
+ {
+ // TODO: Once configuration/plugins have stabilized
+ // remove internet access from wordpress
+ name = "bridge"
+ },
+ ]
+}
diff --git a/kayak.tf b/kayak.tf
index e76eff2..3b131b8 100644
--- a/kayak.tf
+++ b/kayak.tf
@@ -10,15 +10,14 @@
 # docker = "docker.kayak"
 # }
 # }
-provider "docker" {
- host = "tcp://${cloudflare_record.kayak-docker.hostname}:2376"
- version = "~> 2.0.0"
- alias = "kayak"
- ca_material = "${module.kayak.docker_ca_cert}"
- cert_material = "${module.kayak.docker_client_cert}"
- key_material = "${module.kayak.docker_client_key}"
-}
-
+# provider "docker" {
+# host = "tcp://${cloudflare_record.kayak-docker.hostname}:2376"
+# version = "~> 2.0.0"
+# alias = "kayak"
+# ca_material = "${module.kayak.docker_ca_cert}"
+# cert_material = "${module.kayak.docker_client_cert}"
+# key_material = "${module.kayak.docker_client_key}"
+# }
 # resource "cloudflare_record" "kayak-docker" {
 # name = "docker.kayak"
 # value = "${module.kayak.droplet_ipv4}"
diff --git a/providers.tf b/providers.tf
index dd9d533..5b660f3 100644
--- a/providers.tf
+++ b/providers.tf
@@ -1,7 +1,14 @@
 provider "docker" {
 host = "tcp://docker.vpn.bb8.fun:2376"
 cert_path = "./secrets/tatooine"
- version = "~> 2.0.0"
+ version = "~> 2.2.0"
+}
+
+provider "docker" {
+ host = "tcp://docker.dovpn.bb8.fun:2376"
+ cert_path = "./secrets/sydney"
+ version = "~> 2.2.0"
+ alias = "sydney"
 }
 provider "kubernetes" {
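Review bot: In kaarana/wordpress.tf the `ports` block forwards to `internal = 8080`, but the stock `wordpress` image serves on port 80 as far as I know, so the mapping on `10.8.0.1:8213` would reach nothing unless the image is reconfigured; `internal = 80` is likely what is wanted. `networks_advanced` is written here as a list of maps while database.tf uses the block form, and one form should be used in both files. The container runs `wordpress:latest` with outbound access through `bridge` and a writable bind mount of `/var/www/html`; the TODO acknowledges the network part, and a tracked issue reference on it would help it get done.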
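Review bot: The new `sydney` provider in providers.tf reads its TLS client material from `./secrets/sydney` inside the repository tree, and those keys give full control of the Docker daemon on that host. This diff does not show whether `secrets/` is ignored or encrypted in version control, which is worth confirming; a comment such as `# client certs for the sydney daemon; directory must stay out of git` would document the expectation. The `version = "~> 2.2.0"` constraint is now repeated in both docker provider blocks and has to be kept in sync by hand.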
diff --git a/server.tf b/server.tf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/server.tf
@@ -0,0 +1 @@
+