diff --git a/internal/user/admin.go b/internal/user/admin.go
new file mode 100644
index 0000000..9c9796e
--- /dev/null
+++ b/internal/user/admin.go
@@ -0,0 +1,44 @@
+package user
+
+import (
+	"context"
+	"log"
+	"os"
+
+	"gitea.local/admin/hspguard/internal/repository"
+	"github.com/google/uuid"
+)
+
+func EnsureAdminUser(ctx context.Context, repo *repository.Queries) {
+	adminName := os.Getenv("ADMIN_NAME")
+	if adminName == "" {
+		adminName = "admin"
+	}
+
+	adminEmail := os.Getenv("ADMIN_EMAIL")
+	adminPassword := os.Getenv("ADMIN_PASSWORD")
+
+	if adminEmail == "" {
+		log.Fatalln("ERR: ADMIN_EMAIL env variable is required")
+	}
+
+	_, err := repo.FindUserEmail(ctx, adminEmail)
+	if err != nil {
+		if adminPassword == "" {
+			log.Fatalln("ERR: ADMIN_PASSWORD env variable is required")
+		}
+
+		if _, err := createAdmin(ctx, adminName, adminEmail, adminPassword, repo); err != nil {
+			log.Fatalln("ERR: Failed to create admin account:", err)
+		}
+	}
+}
+
+func createAdmin(ctx context.Context, name, email, password string, repo *repository.Queries) (uuid.UUID, error) {
+	return repo.InsertUser(ctx, repository.InsertUserParams{
+		FullName:     name,
+		Email:        email,
+		PasswordHash: password,
+		IsAdmin:      true,
+	})
+}