diff --git a/ansible.cfg b/ansible.cfg
index 619aeb7bcabf6c7c7653e75578f000e7a9742828..0509dd0e233d454e4f08fe2a12113c549d56cc2f 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,5 +1,5 @@
 [defaults]
-inventory = hosts
+inventory = hosts,hcloud.yml
 library = library
 remote_tmp = $HOME/.ansible/tmp
 remote_user = root
diff --git a/group_vars/all/vault_terraform.yml b/group_vars/all/vault_terraform.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7fc3cfdc54b17118dd6d9eb26fb5ffe28a1db04
--- /dev/null
+++ b/group_vars/all/vault_terraform.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+30656565643434313362333866306130643134393661383564663033653163666636343963343162
+3037333534363534333632323935633832386666316661300a316266666636616666383035663861
+38383733333332643439353738313762343937393936323839353734326161343835333864376366
+3337333632653733610a326430313761333565323062623566366166323834393864316365376331
+65626631363765613033356565346436396266366539303365626332616130376236396261636362
+38646237336531316235306564353361376461356363326165666439623762396464633861616530
+306331363434653935383063393665633931
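Review bot: Placing this vault file under `group_vars/all/` loads its variables for every host in the inventory, although the only visible consumer is the `terraform_state` role, which runs against the `terraform-state` group. If the file holds only `vault_terraform_db_password` (its contents are encrypted, so this is an assumption), moving it to `group_vars/terraform-state/vault_terraform.yml` would limit the secret to the hosts that need it. It would also keep the secret out of `hostvars` for unrelated machines.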
diff --git a/hcloud.yml b/hcloud.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0e4534c2628b5e4fc4be212bc91b096b3ced991e
--- /dev/null
+++ b/hcloud.yml
@@ -0,0 +1 @@
+plugin: hcloud
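Review bot: `plugin: hcloud` is the entire inventory configuration, so there is no `label_selector` or other filter. Every server that the API token can list in the Hetzner Cloud project becomes an inventory host once `ansible.cfg` references this file. Plays that target `all`, and the variables under `group_vars/all`, would then apply to any server created in that project, connecting as `remote_user = root`. If that is not intended, a filter such as `label_selector: <label-placeholder>` would narrow the set. A leading comment saying where the API token is expected to come from (presumably the environment, since none is set here) would also help the next maintainer.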
diff --git a/hosts b/hosts
index eb053e95fbf2d581f6a5b26f3298b5a93ec7796e..3455cb5c440cc6de45a08ee95dae51ba3237b1b1 100644
--- a/hosts
+++ b/hosts
@@ -52,5 +52,5 @@ repro2.pkgbuild.com
 [hcloud]
 state.cloud.archlinux.org
 
-[service-terraform-state]
+[terraform-state]
 state.cloud.archlinux.org
diff --git a/playbooks/terraforms-state.yml b/playbooks/terraform-state.yml
similarity index 70%
rename from playbooks/terraforms-state.yml
rename to playbooks/terraform-state.yml
index 3f08a7cd06455d5f82bc56b82a2eed8ed95bda13..d485dc3838f8b4dd63ece75188a8b12d77842a51 100644
--- a/playbooks/terraforms-state.yml
+++ b/playbooks/terraform-state.yml
@@ -1,13 +1,7 @@
 ---
 
-- name: "prepare postgres ssl hosts list"
-  hosts: apollo.archlinux.org
-  tasks:
-      - set_fact: postgres_ssl_hosts4="0.0.0.0/0"
-      - set_fact: postgres_ssl_hosts6="::/0"
-
 - name: setup terraform-state
-  hosts: service-terraform-state
+  hosts: terraform-state
   remote_user: root
   roles:
     - { role: common, tags: ['common'] }
@@ -23,3 +17,4 @@
       postgres_ssl: 'on'
       postgres_shared_buffers: 512MB
       tags: ['postgres']
+    - { role: terraform_state, tags: ['terraform_state'] }
diff --git a/roles/terraform_state/defaults/main.yml b/roles/terraform_state/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ab878320695f8528d472bfa5eb4e730884a9c69e
--- /dev/null
+++ b/roles/terraform_state/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+terraform_db_user: "terraform"
+terraform_db: "terraform"
diff --git a/roles/terraform_state/tasks/main.yml b/roles/terraform_state/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..86cfd5decf2d4f863c33eb01d112712a9a479d4a
--- /dev/null
+++ b/roles/terraform_state/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: create terraform state db user
+  postgresql_user: name={{ terraform_db_user }} password={{ vault_terraform_db_password }} encrypted=true
+  become: yes
+  become_user: postgres
+  become_method: su
+
+- name: create terraform state db
+  postgresql_db: db="{{ terraform_db }}"
+  become: yes
+  become_user: postgres
+  become_method: su
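Review bot: The `postgresql_user` task passes the vault password through a `key=value` argument string with unquoted Jinja, so a password containing whitespace or quote characters can be split or mis-parsed before it reaches the module. Native block arguments with each templated value quoted avoid that. Adding `no_log: true` to the task also keeps the secret out of verbose or diff output regardless of the module's own masking. Separately, `postgresql_db` creates the database without an owner; `owner: "{{ terraform_db_user }}"` is presumably what is wanted, to be confirmed against how the Terraform backend connects. The same block form and `become: true` (instead of `yes`) would suit the second task.

```yaml
- name: create terraform state db user
  postgresql_user:
    name: "{{ terraform_db_user }}"
    password: "{{ vault_terraform_db_password }}"
    encrypted: true
  no_log: true
  # … unchanged: become, become_user, become_method …
```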