diff --git a/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh b/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh
index 0f767ea..16025df 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh
+++ b/hosts/jupiter/users/storm/configs/console/podman/ntfy/entrypoint.sh
@@ -7,10 +7,10 @@ trap 'rm -f "$PIPE"' EXIT
 
 ntfy serve > "$PIPE" 2>&1 &
 
-NTFY_PID=$!
+pid=$!
 grep -q "INFO Listening on :80\[http\]" < "$PIPE"
-kill "$NTFY_PID"
-wait "$NTFY_PID" || true
+kill "$pid"
+wait "$pid" || true
 
 export NTFY_PASSWORD="$NTFY_ADMIN_PASSWORD"
 ntfy user add "$NTFY_ADMIN_USER" || true
diff --git a/packages/default.nix b/packages/default.nix
index 17699a1..68a4fe7 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -14,6 +14,7 @@
   docker-gitea = import ./docker/gitea { inherit pkgs; };
   docker-grafana = import ./docker/grafana { inherit pkgs; };
   docker-grafana-image-renderer = import ./docker/grafana-image-renderer { inherit pkgs; };
+  docker-mariadb = import ./docker/mariadb { inherit pkgs; };
   docker-ntfy = import ./docker/ntfy { inherit pkgs; };
   docker-oidcwarden = import ./docker/oidcwarden {
     inherit pkgs inputs system;
diff --git a/packages/docker/mariadb/default.nix b/packages/docker/mariadb/default.nix
new file mode 100644
index 0000000..8210fc5
--- /dev/null
+++ b/packages/docker/mariadb/default.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+let
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "mariadb";
+  fromImage = import ../base { inherit pkgs; };
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [
+      entrypoint
+      mariadb
+      gnused
+    ];
+    pathsToLink = [
+      "/bin"
+      "/lib"
+      "/share"
+    ];
+  };
+
+  runAsRoot = ''
+    mkdir -p /var/lib/mysql /run/mysqld
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/entrypoint" ];
+    WorkingDir = "/var/lib/mysql";
+    ExposedPorts = {
+      "3306/tcp" = { };
+    };
+    Volumes = {
+      "/var/lib/mysql" = { };
+    };
+  };
+}
diff --git a/packages/docker/mariadb/entrypoint.sh b/packages/docker/mariadb/entrypoint.sh
new file mode 100644
index 0000000..dce16e6
--- /dev/null
+++ b/packages/docker/mariadb/entrypoint.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -o errexit
+set -o nounset
+
+MYSQL_USER="${MYSQL_USER:-mariadb}"
+MYSQL_PASSWORD="${MYSQL_PASSWORD:-mariadb}"
+MYSQL_ROOT_PASSWORD="${MYSQL_ROOT_PASSWORD:-$MYSQL_PASSWORD}"
+MYSQL_DB="${MYSQL_DB:-$MYSQL_USER}"
+export DATADIR="${DATADIR:-/var/lib/mysql}"
+
+if [ ! -f "$DATADIR/mysql_upgrade_info" ]; then
+  mariadb-install-db --datadir="$DATADIR" --skip-test-db
+
+  mariadbd --user=root --datadir="$DATADIR" --skip-networking --skip-grant-tables &
+  pid="$!"
+
+  while ! mariadb --protocol=socket -e "
+    FLUSH PRIVILEGES;
+
+    ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PASSWORD';
+
+    CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD';
+    GRANT ALL PRIVILEGES ON *.* TO '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' WITH GRANT OPTION;
+
+    CREATE DATABASE \`$MYSQL_DB\`;
+  "; do
+    sleep 0.1
+  done
+
+  kill -QUIT "$pid"
+  wait "$pid" || true
+fi
+
+trap 'kill -QUIT "$pid"' INT
+mariadbd --user=root --datadir="$DATADIR" "$@" &
+pid=$!
+wait "$pid"
+exit $?