diff --git a/flake.nix b/flake.nix
index a3151c5..aa1690b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -39,6 +39,8 @@
 # Should wait until this is merged in nixos-unstable.
 # pkgs-unstable.nixos-anywhere
 pkgs-unstable.deploy-rs
+ pkgs.openssl
+ pkgs.postgresql_15
 ];
 };
diff --git a/modules/custom/terraform-database.nix b/modules/custom/terraform-database.nix
index 06b5611..bdad8a7 100644
--- a/modules/custom/terraform-database.nix
+++ b/modules/custom/terraform-database.nix
@@ -21,17 +21,17 @@ in {
 enableTCPIP = true;
 dataDir = lib.mkIf config.custom.dataDisk.enable
 "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
- # dataDir =
- # "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";
- # TODO: for now trust, replace this with client certificate later
 authentication = ''
- hostssl terraformstates terraform all trust
+ hostssl terraformstates terraform all cert
 '';
- settings = {
- ssl = true;
- ssl_cert_file = builtins.toFile "postgresql_server.crt"
+ settings = let
+ serverCert = builtins.toFile "postgresql_server.crt"
 (builtins.readFile ../../postgresql_server.crt);
+ in {
+ ssl = true;
+ ssl_cert_file = serverCert;
 ssl_key_file = config.age.secrets."postgresql_server.key".path;
+ ssl_ca_file = serverCert;
 };
 ensureUsers = [{
 name = "terraform";
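Review bot: `ssl_ca_file = serverCert;` in the terraform-database.nix hunk makes the server's own TLS certificate the trust anchor for the new `cert` authentication line, so the only client certificates PostgreSQL can accept are ones signed by the server's private key — the server identity key then doubles as a client-cert issuing key, and whether it works at all depends on postgresql_server.crt being self-signed with CA capability, which is not visible here. With no `ssl_crl_file` configured, revoking a leaked terraform client certificate would also mean reissuing the server certificate itself. A separate CA certificate should be the anchor, e.g. `ssl_ca_file = builtins.toFile "postgresql_ca.crt" (builtins.readFile ../../postgresql_ca.crt);`, with the server certificate issued by that CA and the private CA key kept off the host. Note too that `hostssl terraformstates terraform all cert` carries no `map=`, so PostgreSQL requires the client certificate CN to equal `terraform` — worth a comment such as `# cert auth: client cert CN must be "terraform" (no pg_ident map)` so whoever issues the client cert knows the constraint. The `in { ... }` module body these settings sit in begins before and continues past the hunk (ensureUsers is cut off).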