diff --git a/nix/services/kn/django.nix b/nix/services/kn/django.nix
index fe51b537..bad6cdd6 100644
--- a/nix/services/kn/django.nix
+++ b/nix/services/kn/django.nix
@@ -93,7 +93,7 @@ in {
 DynamicUser = true;
 User = "kndjango";
 Group = "kndjango";
- SupplementaryGroups = [ "fotos" "infra" ];
+ SupplementaryGroups = [ "fotos" "infra" "mongodb" ];
 ReadWritePaths = [ config.kn.fotos.dir ];
 CacheDirectory = "fotos";
 Restart = "on-failure";
diff --git a/nix/services/kn/giedo.nix b/nix/services/kn/giedo.nix
index 26850120..8994d170 100644
--- a/nix/services/kn/giedo.nix
+++ b/nix/services/kn/giedo.nix
@@ -57,7 +57,7 @@ in {
 ReadWritePaths = ["/run/infra"];
 ExecStart = "${pkgs.kninfra}/utils/giedo.py";
 Restart = "on-failure";
- SupplementaryGroups = "infra";
+ SupplementaryGroups = [ "infra" "mongodb" ];
 Type = "notify";
 NotifyAccess = "all";
 EnvironmentFile = config.age.secrets.kn-env.path;
diff --git a/nix/services/kn/settings.nix b/nix/services/kn/settings.nix
index 22bfc630..7e79cad7 100644
--- a/nix/services/kn/settings.nix
+++ b/nix/services/kn/settings.nix
@@ -40,7 +40,7 @@ in {
 DEFAULT_FROM_EMAIL = "Karpe Noktems ledenadministratie ";
- MONGO_HOST = "localhost";
+ MONGO_HOST = "mongodb://%2Frun%2Fmongodb%2Fmongodb.sock";
 MONGO_DB = "kn";
 MODED_MAILINGLISTS = [ "discussie" "in" "uit" "test" ];
diff --git a/nix/services/kn/shared.nix b/nix/services/kn/shared.nix
index c4d7aba2..2bdb7c6e 100644
--- a/nix/services/kn/shared.nix
+++ b/nix/services/kn/shared.nix
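Review bot: Only kndjango (this hunk) and giedo (the giedo.nix hunk) are added to the `mongodb` group, while the shared.nix hunk still lists `rimapd.service` next to them as a consumer of the initial database state; if rimapd connects to MongoDB directly, it loses access once the server listens only on the group-restricted socket, so it presumably needs `"mongodb"` in its SupplementaryGroups as well. The literal `"mongodb"` is also coupled to whichever group the socket carries after the `chmod g+rw` in shared.nix, which I assume is the NixOS mongodb service's group but cannot confirm from this diff. A one-line comment such as `# mongodb: grants use of /run/mongodb/mongodb.sock, which is the only way the DB is reachable` above the SupplementaryGroups line would make that dependency visible to the next reader.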
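Review bot: `MONGO_HOST` now holds a full connection URI rather than a host name, and the same literal is repeated in the initializeDb.py hunk; this only works if every consumer hands the value straight to the driver as a URI, and anything that still combines it with a port or a `mongodb://` prefix would break, which this diff cannot show either way. If that assumption holds, a comment such as `# full connection URI, not a host name; the socket path is percent-encoded so it parses as the host part` next to the assignment would explain the `%2F` sequences and the intentional move off TCP.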
@@ -29,42 +29,50 @@ in {
 # GRPC_VERBOSITY="DEBUG";
 # GRPC_TRACE="tcp";
 };
- # TODO: limit access to mongodb
 services.mongodb.enable = true;
+ services.mongodb.bind_ip = "/run/mongodb/mongodb.sock";
 users.groups.infra = {};
 environment.systemPackages = [ pkgs.mongosh knshell ];
- systemd.services = lib.mkIf cfg.initialDB {
- kn_initial_state = rec {
- requires = [ "mongodb.service" ];
- after = requires;
- requiredBy = [ "giedo.service" "kndjango.service" "rimapd.service" ];
- before = requiredBy;
- serviceConfig = {
- StateDirectory = "kndjango";
- Type = "oneshot";
- RemainAfterExit = true;
- EnvironmentFile = config.age.secrets.kn-env.path;
- };
- script = ''
- # initialize the DB if this has not happened before
- if [ ! -f /var/lib/kndjango/database-initialized ]; then
- ${pkgs.kninfra}/libexec/initializeDb.py
- touch /var/lib/kndjango/database-initialized
- fi
+ systemd.services = lib.mkMerge [
+ {
+ mongodb.serviceConfig.RuntimeDirectory = "mongodb";
+ mongodb.postStart = ''
+ chmod g+rw /run/mongodb/mongodb.sock
 '';
- };
- kn_initial_sync = rec {
- requires = [ "giedo.service" "hans.service" "daan.service" ];
- after = requires;
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- EnvironmentFile = config.age.secrets.kn-env.path;
- ExecStart = "${pkgs.kninfra}/utils/giedo-sync.py";
+ }
+ (lib.mkIf cfg.initialDB {
+ kn_initial_state = rec {
+ requires = [ "mongodb.service" ];
+ after = requires;
+ requiredBy = [ "giedo.service" "kndjango.service" "rimapd.service" ];
+ before = requiredBy;
+ serviceConfig = {
+ StateDirectory = "kndjango";
+ Type = "oneshot";
+ RemainAfterExit = true;
+ EnvironmentFile = config.age.secrets.kn-env.path;
+ };
+ script = ''
+ # initialize the DB if this has not happened before
+ if [ ! -f /var/lib/kndjango/database-initialized ]; then
+ ${pkgs.kninfra}/libexec/initializeDb.py
+ touch /var/lib/kndjango/database-initialized
+ fi
+ '';
 };
- environment = cfg.env;
- };
- };
+ kn_initial_sync = rec {
+ requires = [ "giedo.service" "hans.service" "daan.service" ];
+ after = requires;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ EnvironmentFile = config.age.secrets.kn-env.path;
+ ExecStart = "${pkgs.kninfra}/utils/giedo-sync.py";
+ };
+ environment = cfg.env;
+ };
+ })
+ ];
 };
 }
diff --git a/salt/states/sankhara/initializeDb.py b/salt/states/sankhara/initializeDb.py
index d6effb98..5e8b8699 100644
--- a/salt/states/sankhara/initializeDb.py
+++ b/salt/states/sankhara/initializeDb.py
@@ -6,7 +6,7 @@ import yaml MONGO_DATABASE = 'kn'
-MONGO_HOST = 'localhost'
+MONGO_HOST = 'mongodb://%2Frun%2Fmongodb%2Fmongodb.sock'
 DB_FILE = os.path.join(os.path.dirname(__file__), "initial-db.yaml")
 yaml.SafeLoader.add_constructor('!id',
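Review bot: The `chmod g+rw /run/mongodb/mongodb.sock` in `mongodb.postStart` can run before mongod has created the socket — postStart begins as soon as the main process is forked unless mongodb.service uses a readiness type such as notify or forking, which this hunk does not show — and would then either fail the unit's start or leave the socket at mongod's default 0700 mode, so nothing can connect. A less racy option is to have mongod create the socket with the intended mode by setting `net.unixDomainSocket.filePermissions` (0660) through `services.mongodb.extraConfig` and dropping the postStart; if the chmod is kept, it should wait for the socket to appear before running. Note also that g+rw hands every member of the socket's group (the `mongodb` group that django.nix and giedo.nix now join) full use of the socket, and whether mongod's own authentication is enabled is not visible here. A short comment above the chmod, e.g. `# mongod creates the socket 0700; g+rw makes membership of the mongodb group the access boundary for the DB`, would record that this is what replaces the removed TODO.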