diff --git a/roles/postgres/tasks/update.yml b/roles/postgres/tasks/update.yml index 6806cbd..625984f 100644 --- a/roles/postgres/tasks/update.yml +++ b/roles/postgres/tasks/update.yml @@ -3,6 +3,21 @@ path: "{{ project_dir }}" state: directory +- name: "Create (if not exists) directory {{ volumes['postgres_datadir'] }} & set permissions" + file: + path: "{{ volumes['postgres_datadir'] }}" + state: directory + owner: "{{ users['postgres'] + uid_shift }}" + group: "{{ users['postgres'] + uid_shift }}" + mode: '700' + become: true + +- name: "Check if directory {{ volumes['postgres_datadir'] }} is empty" + find: + paths: "{{ volumes['postgres_datadir'] }}" + register: postgres_find_datadir_result + become: true + - name: Template docker-compose.yaml & .env to project directory template: src: "{{ item }}" @@ -14,15 +29,6 @@ - docker-compose.yaml - .env -- name: "Create (if not exists) directory {{ volumes['postgres_datadir'] }} & set permissions" - file: - path: "{{ volumes['postgres_datadir'] }}" - state: directory - owner: "{{ users['postgres'] + uid_shift }}" - group: "{{ users['postgres'] + uid_shift }}" - mode: '700' - become: true - - name: Pull project services community.docker.docker_compose: project_src: "{{ project_dir }}" diff --git a/roles/postgres/templates/.env b/roles/postgres/templates/.env index d6235f5..5c8ad89 100644 --- a/roles/postgres/templates/.env +++ b/roles/postgres/templates/.env @@ -1,4 +1,5 @@ -POSTGRES_PASSWORD='{{ postgres_password | default("") }}' +# After initial setup, set to empty string to hide password +POSTGRES_PASSWORD='{{ (postgres_find_datadir_result.matched == 0) | ternary(lookup("community.general.random_string", special=false, length=64), "") }}' # Required for Synapse LANG=C POSTGRES_INITDB_ARGS="--locale=C --encoding=UTF8" diff --git a/secrets.yml.example b/secrets.yml.example index 602951c..4d22762 100644 --- a/secrets.yml.example +++ b/secrets.yml.example 
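Review bot: The emptiness check in the added `find` task relies on the module defaults, which match only non-hidden regular files at the top level of the path, so a data directory that holds only subdirectories or dotfiles still reports `matched == 0`. The `.env` template in this commit uses that count to decide whether to generate a new superuser password, so the check should count every entry: add `file_type: any` and `hidden: true` under `find:`. As a style point, `ansible.builtin.find` and `ansible.builtin.file` would match the fully qualified `community.docker.docker_compose` name used further down the file.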
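Review bot: On the first run the new `POSTGRES_PASSWORD` line writes a freshly generated 64-character superuser password in cleartext into the rendered `.env`, where it stays on disk until a later run re-renders the file with the empty value. The template task in `update.yml` is only partly visible in this diff; if it does not already set one, `mode: '0600'` there would limit who can read the file in the meantime. The comment would be clearer as `# Generated only while the data directory is empty; later runs render an empty value so the password does not stay in this file`. The line also needs `postgres_find_datadir_result` to be registered before the template renders, so rendering it from any other task file would presumably fail on an undefined variable.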
@@ -13,9 +13,6 @@ coturn_secrets: hedgedoc_secrets: mysql_root_password: -# Password of the 'postgres' superuser -postgres_password: - searxng_secrets: searxng_secret: