diff --git a/CHANGELOG b/CHANGELOG
index 5bb42a6..d7a70fa 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@
 - Support changing the 'signin_enabled' option (Konstantinos Paliouras)
 - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras)
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4
+- Use sockets and peer authentication for Postgres
 
 6.9.1
 - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras)
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index a98acd7..089cb37 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -106,8 +106,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode"
 default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production"
 default['gitlab']['gitlab-rails']['db_pool'] = 10
 default['gitlab']['gitlab-rails']['db_username'] = "gitlab"
-default['gitlab']['gitlab-rails']['db_password'] = "password"
-default['gitlab']['gitlab-rails']['db_host'] = "localhost"
+default['gitlab']['gitlab-rails']['db_password'] = nil
+default['gitlab']['gitlab-rails']['db_host'] = nil
 default['gitlab']['gitlab-rails']['db_port'] = 5432
 default['gitlab']['gitlab-rails']['db_socket'] = nil
 
@@ -155,12 +155,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh"
 default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql"
 default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
 default['gitlab']['postgresql']['sql_user'] = "gitlab"
-default['gitlab']['postgresql']['sql_password'] = "snakepliskin"
 default['gitlab']['postgresql']['port'] = 5432
-default['gitlab']['postgresql']['listen_address'] = 'localhost'
+default['gitlab']['postgresql']['listen_address'] = nil
 default['gitlab']['postgresql']['max_connections'] = 200
-default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [ ]
-default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
+default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = []
+default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = []
 default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
 default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
 
diff --git a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
index 6732a24..28b9bb0 100644
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -65,16 +65,12 @@ module Gitlab
         end
       end
 
-      Gitlab['postgresql']['sql_password'] ||= generate_hex(50)
       Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64)
 
       if File.directory?("/etc/gitlab")
         File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
           f.puts(
             Chef::JSONCompat.to_json_pretty({
-              'postgresql' => {
-                'sql_password' => Gitlab['postgresql']['sql_password'],
-              },
               'gitlab_rails' => {
                 'secret_token' => Gitlab['gitlab_rails']['secret_token'],
               }
diff --git a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
index 66fa5c3..a04c3de 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
@@ -71,6 +71,7 @@ template_symlink File.join(gitlab_rails_etc_dir, "database.yml") do
   group "root"
   mode "0644"
   variables database_attributes
+  helpers SingleQuoteHelper
   restarts dependent_services
 end
 
diff --git a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
index a753e46..2953b08 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
@@ -112,6 +112,13 @@ template pg_hba_config do
   notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
 end
 
+template File.join(postgresql_data_dir, "pg_ident.conf") do
+  owner node['gitlab']['postgresql']['username']
+  mode "0644"
+  variables(node['gitlab']['postgresql'].to_hash)
+  notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
 should_notify = OmnibusHelper.should_notify?("postgresql")
 
 runit_service "postgresql" do
@@ -141,9 +148,9 @@ bin_dir = "/opt/gitlab/embedded/bin"
 db_name = "gitlabhq_production"
 
 sql_user        = node['gitlab']['postgresql']['sql_user']
-sql_user_passwd = node['gitlab']['postgresql']['sql_password']
 
-execute "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user} WITH ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" do
+execute "create #{sql_user} database user" do
+  command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user}\""
   user pg_user
   not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? }
 end
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb b/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
index 8e2f3a9..5a5ae3e 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
@@ -7,8 +7,8 @@ production:
   encoding: <%= @db_encoding %>
   database: <%= @db_database %>
   pool: <%= @db_pool %>
-  username: "<%= @db_username %>"
-  password: "<%= @db_password %>"
-  host: <%= @db_host %>
+  username: <%= single_quote(@db_username) %>
+  password: <%= single_quote(@db_password) %>
+  host: <%= single_quote(@db_host) %>
   port: <%= @db_port %>
-  socket: <%= @db_socket %>
+  socket: <%= single_quote(@db_socket) %>
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
index be48fa3..c45f4d8 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
@@ -67,7 +67,7 @@
 # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
 
 # "local" is for Unix domain socket connections only
-local   all         all                               trust
+local   all         all                               peer map=gitlab
 
 <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %>
 host    all         all         <%= cidr %>           trust
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
new file mode 100644
index 0000000..e023b7e
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
@@ -0,0 +1,45 @@
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description.  A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping.  It maps external
+# user names to their corresponding PostgreSQL user names.  Records
+# are of the form:
+#
+# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf.  SYSTEM-USERNAME is the detected user name of the
+# client.  PG-USERNAME is the requested PostgreSQL user name.  The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression.  Optionally this can contain a capture (a
+# parenthesized subexpression).  The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration.  If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+gitlab  <%= node['gitlab']['user']['username'] %>  <%= node['gitlab']['postgresql']['sql_user'] %>
+# Default to a 1-1 mapping between system usernames and Postgres usernames
+gitlab  /^(.*)$  \1
--
libgit2 0.21.2