diff --git a/hieradata/roles/infra/db/redis.eyaml b/hieradata/roles/infra/db/redis.eyaml
new file mode 100644
index 0000000..13c4ad6
--- /dev/null
+++ b/hieradata/roles/infra/db/redis.eyaml
@@ -0,0 +1,2 @@
+---
+redisha::masterauth: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/db/redis.yaml b/hieradata/roles/infra/db/redis.yaml
new file mode 100644
index 0000000..5aaedc8
--- /dev/null
+++ b/hieradata/roles/infra/db/redis.yaml
@@ -0,0 +1,67 @@
+---
+# additional altnames
+profiles::pki::vault::alt_names:
+ - redis.main.unkin.net
+ - redis.service.consul
+ - redis.query.consul
+ - "redis.service.%{facts.country}-%{facts.region}.consul"
+
+profiles::ssh::sign::principals:
+ - redis.main.unkin.net
+ - redis.service.consul
+ - redis.query.consul
+
+
+hiera_include:
+ - redisha
+
+redisha::manage_repo: false
+redisha::redisha_members_lookup: true
+redisha::redisha_members_role: roles::infra::db::redis
+redisha::redis::requirepass: "%{hiera('redisha::masterauth')}"
+redisha::redis::masterauth: "%{hiera('redisha::masterauth')}"
+redisha::sentinel::master_name: "%{facts.country}-%{facts.region}"
+redisha::sentinel::requirepass: "%{hiera('redisha::masterauth')}"
+redisha::sentinel::auth_pass: "%{hiera('redisha::masterauth')}"
+redisha::tools::requirepass: "%{hiera('redisha::masterauth')}"
+
+sudo::configs:
+ consul:
+ priority: 20
+ content: |
+ consul ALL=(ALL) NOPASSWD: /usr/local/sbin/sentineladm info
+consul::services:
+ redis-replica:
+ service_name: "redis-replica-%{facts.environment}"
+ tags:
+ - 'redis'
+ - 'redis-replica'
+ address: "%{facts.networking.ip}"
+ port: 6379
+ checks:
+ - id: 'redis-replica_tcp_check'
+ name: 'Redis Replica TCP Check'
+ tcp: "%{facts.networking.ip}:6379"
+ interval: '10s'
+ timeout: '1s'
+ redis-master:
+ service_name: "redis-master-%{facts.environment}"
+ tags:
+ - 'redis'
+ - 'redis-master'
+ address: "%{facts.networking.ip}"
+ port: 6379
+ checks:
+ - id: 'redis-master_tcp_check'
+ name: "Redis Master Check"
+ args:
+ - '/usr/local/bin/check_redis_master'
+ interval: '10s'
+ timeout: '1s'
+profiles::consul::client::node_rules:
+ - resource: service
+ segment: "redis-replica-%{facts.environment}"
+ disposition: write
+ - resource: service
+ segment: "redis-master-%{facts.environment}"
+ disposition: write
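Review bot: The sudo rule under `sudo::configs` lets the consul account run `sentineladm info` as any target user, because the runas list is `(ALL)`; if the tool only needs one account, presumably root, narrow it to `consul ALL=(root) NOPASSWD: /usr/local/sbin/sentineladm info`. The rule presumably serves the `redis-master` check, which is a script check (`args`) even though its id is `redis-master_tcp_check`; an id such as `redis-master_script_check` would keep that visible. Script checks run with the Consul agent's privileges, so `/usr/local/bin/check_redis_master` and `/usr/local/sbin/sentineladm` should be root-owned and not writable by consul, and the agent config (not shown in this diff) should prefer `enable_local_script_checks` over `enable_script_checks`. Separately, `redisha::sentinel::requirepass` and `redisha::tools::requirepass` reuse the data-plane secret `redisha::masterauth`; if the redisha module allows it, a distinct Sentinel secret would limit what one leaked password opens.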