default to enforcing TLS and verifying CA and server cert hostname

Author: tykling

src/bornhack/environment_settings.py.dist

@@ -4,14 +4,15 @@ SECRET_KEY = '{{ django_secret_key }}'
 ALLOWED_HOSTS = {{ django_allowed_hostnames }}
 
 # Database settings
-# https://docs.djangoproject.com/en/1.10/ref/settings/#databases
 DATABASES = {
     'default': {
         'ENGINE': 'django_prometheus.db.backends.postgis',
         'NAME': '{{ django_postgres_dbname }}',
         'USER': '{{ django_postgres_user }}',
         'PASSWORD': '{{ django_postgres_password }}',
         'HOST': '{{ django_postgres_host }}',
+        # comment this out for non-tls connection to postgres
+        'OPTIONS': {'sslmode': 'verify-full', 'sslrootcert': 'system'},
     },
 }