diff --git a/kubernetes/apps/media/immich/app/externalsecret.yaml b/kubernetes/apps/media/immich/app/externalsecret.yaml
new file mode 100644
index 00000000..c77deaac
--- /dev/null
+++ b/kubernetes/apps/media/immich/app/externalsecret.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: immich
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: immich-secret
+    template:
+      engineVersion: v2
+      data:
+        DATABASE_URI: "postgresql://{{ .user }}:{{ .password }}@immich-primary-real.media.svc:{{ .port }}/{{ .dbname }}"
+  dataFrom:
+    - extract:
+        key: immich-pguser-immich
diff --git a/kubernetes/apps/media/immich/app/gatus.yaml b/kubernetes/apps/media/immich/app/gatus.yaml
index 5db8d1f7..135567da 100644
--- a/kubernetes/apps/media/immich/app/gatus.yaml
+++ b/kubernetes/apps/media/immich/app/gatus.yaml
@@ -10,7 +10,7 @@ data:
     endpoints:
       - name: immich-postgres
         group: infrastructure
-        url: tcp://immich-primary.media.svc.cluster.local:5432
+        url: tcp://immich-primary-real.media.svc.cluster.local:5432
         interval: 1m
         ui:
           hide-url: true
diff --git a/kubernetes/apps/media/immich/app/kustomization.yaml b/kubernetes/apps/media/immich/app/kustomization.yaml
index b423bbcd..2fa8b224 100644
--- a/kubernetes/apps/media/immich/app/kustomization.yaml
+++ b/kubernetes/apps/media/immich/app/kustomization.yaml
@@ -4,6 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./configmap.yaml
+  - ./externalsecret.yaml
   - ./gatus.yaml
   - ./helmrelease.yaml
   - ./machine-learning