diff --git a/README.md b/README.md index f2df9f3..2a8e1b9 100644 --- a/README.md +++ b/README.md @@ -33,14 +33,32 @@ On phosphoric-acid, you will additionally need to create a principal called `ceod/admin` (remember to addprinc **and** ktadd). #### Database -create superuser `mysql` with password `mysql` -``` -mysql -u root +**Note**: The instructions below apply to the dev environment only; in +production, the DB superusers should be restricted to the host where +the DB is running. + +Attach to the coffee container, run `mysql`, and run the following: -CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql'; -GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; ``` -modify superuser `postgres` for password authentication and restrict new users +CREATE USER 'mysql' IDENTIFIED BY 'mysql'; +GRANT ALL PRIVILEGES ON *.* TO 'mysql' WITH GRANT OPTION; +``` +(In prod, the superuser should have '@localhost' appended to its name.) + +Now open /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the following line: +``` +bind-address = 127.0.0.1 +``` +Then restart MariaDB: +``` +systemctl restart mariadb +``` + +Install PostgreSQL in the container: +``` +apt install -y postgresql +``` +Modify the superuser `postgres` for password authentication and restrict new users: ``` su postgres psql @@ -49,7 +67,7 @@ ALTER USER postgres WITH PASSWORD 'postgres'; REVOKE ALL ON SCHEMA public FROM public; GRANT ALL ON SCHEMA public TO postgres; ``` -create a new `pg_hba.conf` to force password authentication +Create a new `pg_hba.conf`: ``` cd /etc/postgresql/// mv pg_hba.conf pg_hba.conf.old 
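Review bot: the prod caveat in the Database hunk ("should have '@localhost' appended to its name") is imprecise and leaves the listener change unqualified. `CREATE USER 'mysql' IDENTIFIED BY 'mysql';` with no host part creates the account `'mysql'@'%'`, and commenting out `bind-address = 127.0.0.1` makes MariaDB listen on every interface, so this `GRANT OPTION` superuser becomes reachable from any host that can route to the container. That is acceptable under the "dev environment only" note, but the prod guidance should spell out the account syntax, since the host is part of the account identifier rather than a suffix on the string: `CREATE USER 'mysql'@'localhost' IDENTIFIED BY '...';` and `GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;`, and it should say that `bind-address = 127.0.0.1` is to be left in place in prod rather than commented out. Minor: `apt install -y postgresql` is run without a preceding `apt update`, which fails on a fresh container with no package lists.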
@@ -57,23 +75,33 @@ mv pg_hba.conf pg_hba.conf.old ``` # new pg_hba.conf # TYPE DATABASE USER ADDRESS METHOD +local all postgres peer +host all postgres 0.0.0.0/0 md5 + +local all all peer +host all all localhost md5 + +local sameuser all md5 +host sameuser all 0.0.0.0/0 md5 +``` +**Warning**: in prod, the postgres user should only be allowed to connect locally, +so the relevant snippet in pg_hba.conf should look something like +``` local all postgres md5 host all postgres localhost md5 host all postgres 0.0.0.0/0 reject host all postgres ::/0 reject -local sameuser all md5 -host sameuser all 0.0.0.0/0 md5 -host sameuser all ::/0 md5 ``` +Add the following to postgresql.conf: ``` -# modified postgresql.conf -# listen_addresses = 'localhost' -listen_address = '*' +listen_addresses = '*' ``` +Now restart PostgreSQL: ``` systemctl restart postgresql ``` -users can login remotely but superusers (`postgres` and `mysql`) are only allowed to login from the database host +**In prod**, users can login remotely but superusers (`postgres` and `mysql`) are only +allowed to login from the database host. #### Mailman You should create the following mailing lists from the mail container:
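Review bot: the new dev `pg_hba.conf` has an unreachable rule and drops IPv6 without saying so. `pg_hba.conf` is evaluated first-match, so `local sameuser all md5` can never fire: every Unix-socket connection already matches `local all all peer` two lines above it (and `local all postgres peer` for the superuser). Either delete the dead line or move the `sameuser` rule above `local all all peer` if password auth for local non-superuser logins was intended. The hunk also removes `host sameuser all ::/0 md5` without adding any IPv6 `host` rule, so with `listen_addresses = '*'` IPv6 clients fall through to the implicit reject while IPv4 clients on `0.0.0.0/0` are accepted; add a matching `::/0` entry next to the `0.0.0.0/0` one (as the prod snippet already does for its `reject` lines) if that asymmetry is unintended. The `listen_address` to `listen_addresses` correction is right; the old key name was silently ignored by PostgreSQL.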