diff --git a/flux2/core/base/single-sign-on/kustomization.yaml b/flux2/core/base/single-sign-on/kustomization.yaml
index e659f8e9f752293cac7c8b204b4bafb4ab1b0617..354f7bb3bf7f25e633ada0129e9c5f96284f468a 100644
--- a/flux2/core/base/single-sign-on/kustomization.yaml
+++ b/flux2/core/base/single-sign-on/kustomization.yaml
@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: stackspin
 resources:
-  - pvc.yaml
+  - pvc-userbackend.yaml
+  - pvc-database.yaml
   - release.yaml
   - single-sign-on-values-configmap.yaml
diff --git a/flux2/core/base/single-sign-on/pvc-database.yaml b/flux2/core/base/single-sign-on/pvc-database.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d75e6df3af49a929350a4d37f29ef801635fad50
--- /dev/null
+++ b/flux2/core/base/single-sign-on/pvc-database.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: single-sign-on-database
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: local-path
diff --git a/flux2/core/base/single-sign-on/pvc.yaml b/flux2/core/base/single-sign-on/pvc-userbackend.yaml
similarity index 85%
rename from flux2/core/base/single-sign-on/pvc.yaml
rename to flux2/core/base/single-sign-on/pvc-userbackend.yaml
index a657233950205414831ce6dd65ab0650860c37df..e21e9d6f89efd66e56682d5d74dcaf3c193d3311 100644
--- a/flux2/core/base/single-sign-on/pvc.yaml
+++ b/flux2/core/base/single-sign-on/pvc-userbackend.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -9,4 +10,4 @@ spec:
   resources:
     requests:
       storage: 1Gi
-  storageClassName: local-path
\ No newline at end of file
+  storageClassName: local-path
diff --git a/flux2/core/base/single-sign-on/release.yaml b/flux2/core/base/single-sign-on/release.yaml
index 110530a048758ecbd0de55cc91de808e4d5f6ce6..3d8ea129fed24704f8d2209526f1700bf53b98f6 100644
--- a/flux2/core/base/single-sign-on/release.yaml
+++ b/flux2/core/base/single-sign-on/release.yaml
@@ -19,6 +19,7 @@ spec:
   install:
     remediation:
       retries: 3
+    timeout: 10m
   valuesFrom:
     - kind: ConfigMap
       name: stackspin-single-sign-on-values
diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
index 3238f62f623c02660a006eeaf812a6bf1563d41a..e77ce0cd67d25c4c54abd59c9ad2fe821a5eb605 100644
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -39,6 +39,18 @@ data:
         # Let the backup system include nextcloud database data.
         backup.velero.io/backup-volumes: "database"
 
+    postgresql:
+      persistence:
+        existingClaim: single-sign-on-database
+      initdbScripts:
+        setup.sql: |
+          CREATE USER hydra WITH PASSWORD '${hydra_postgresql_password}';
+          CREATE USER kratos WITH PASSWORD '${kratos_postgresql_password}';
+          CREATE USER stackspin WITH PASSWORD '${dashboard_postgresql_password}';
+          CREATE DATABASE kratos WITH OWNER kratos;
+          CREATE DATABASE hydra WITH OWNER hydra;
+          CREATE DATABASE stackspin WITH OWNER stackspin;
+
     hydra:
       hydra:
         config:
@@ -50,7 +62,7 @@ data:
           secrets:
             system:
               - "${hydra_system_secret}"
-          dsn: "memory"
+          dsn: "postgres://hydra:${hydra_postgresql_password}@single-sign-on-postgresql:5432/hydra"
       ingress:
         public:
           enabled: true
@@ -69,6 +81,11 @@ data:
         admin:
           enabled: false
 
+    kratos:
+      kratos:
+        config:
+          dsn: "postgres://kratos:${kratos_postgresql_password}@single-sign-on-postgresql:5432/kratos"
+
     oAuthClients:
     - clientName: *USER_PANEL
       clientSecret: "${userpanel_oauth_client_secret}"
diff --git a/flux2/infrastructure/sources/single-sign-on.yaml b/flux2/infrastructure/sources/single-sign-on.yaml
index a418f77a05388da3a8af9825d18b55a1b8e15b65..03acee2b6812bd23b24bb907995a0f88f54d811a 100644
--- a/flux2/infrastructure/sources/single-sign-on.yaml
+++ b/flux2/infrastructure/sources/single-sign-on.yaml
@@ -14,4 +14,4 @@ spec:
   # For all available options, see:
   # https://toolkit.fluxcd.io/components/source/api/#source.toolkit.fluxcd.io/v1beta1.GitRepositoryRef
   ref:
-    tag: 0.4.1
+    tag: 0.4.2
diff --git a/install/templates/stackspin-single-sign-on-variables.yaml.jinja b/install/templates/stackspin-single-sign-on-variables.yaml.jinja
index 1484b58aa9e6efc3fd70c0aaf2fd11efa1e5ac33..70caab6571ab5622d5d681b67baa39696db28e83 100644
--- a/install/templates/stackspin-single-sign-on-variables.yaml.jinja
+++ b/install/templates/stackspin-single-sign-on-variables.yaml.jinja
@@ -8,3 +8,6 @@ data:
   userbackend_admin_password: "{{ 32 | generate_password | b64encode }}"
   userbackend_postgres_password: "{{ 32 | generate_password | b64encode }}"
   hydra_system_secret: "{{ 32 | generate_password | b64encode }}"
+  hydra_postgresql_password: "{{ 32 | generate_password | b64encode }}"
+  kratos_postgresql_password: "{{ 32 | generate_password | b64encode }}"
+  dashboard_postgresql_password: "{{ 32 | generate_password | b64encode }}"