diff --git a/ops/nixos/etheroute-lon01/default.nix b/ops/nixos/etheroute-lon01/default.nix index 6a6fdd9249..e2fe887fc4 100644 --- a/ops/nixos/etheroute-lon01/default.nix +++ b/ops/nixos/etheroute-lon01/default.nix @@ -167,6 +167,10 @@ in { (bindMountSvc "/var/lib/tailscale" "tailscaled.service") ]; + services.redis = { + enable = true; + bind = "127.0.0.1"; + }; services.pomerium = { enable = true; secretsFile = machineSecrets.pomeriumSecrets; @@ -178,6 +182,9 @@ in { idp_provider = "google"; idp_client_id = "136257844546-qsa6hi1oqqoq2bnt93deo4e70ggbn1p8.apps.googleusercontent.com"; + databroker_storage_type = "redis"; + databroker_storage_url = "redis://127.0.0.1:6379/15"; + forward_auth_url = "https://fwdauth.int.lukegb.com"; authenticate_service_url = "https://auth.int.lukegb.com"; @@ -209,8 +216,8 @@ in { }; }; systemd.services.pomerium.serviceConfig = { - After = [ "acme-finished-int.lukegb.com.target" ]; - Wants = [ "acme-finished-int.lukegb.com.target" ]; + After = [ "acme-finished-int.lukegb.com.target" "redis.service" ]; + Wants = [ "acme-finished-int.lukegb.com.target" "redis.service" ]; LoadCredential = [ "certfullchain.pem:/var/lib/acme/int.lukegb.com/fullchain.pem" "certkey.pem:/var/lib/acme/int.lukegb.com/key.pem"
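Review bot: The new `services.redis` block binds to loopback but configures no authentication, so any local process on this host can connect to port 6379 and read or alter whatever Pomerium keeps in its databroker store (session and identity records). Consider setting `requirePassFile` on `services.redis`, with the password file kept out of the Nix store, or a `unixSocket` with restrictive permissions if the pinned Pomerium version can connect to one. A one-line comment above the block, e.g. `# databroker backend for Pomerium; loopback only, holds session state`, would record why Redis runs on this machine. The enclosing attribute set starts and ends outside the hunk.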
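Review bot: `databroker_storage_url` does not match any Pomerium setting name I know; the documented key for the storage DSN is `databroker_storage_connection_string`. Please confirm against the pinned Pomerium version that this line is actually read, since an ignored key would leave `databroker_storage_type = "redis"` without a connection string. If a Redis password is added later, the DSN becomes a credential and belongs in the file referenced by `secretsFile` (as `DATABROKER_STORAGE_CONNECTION_STRING`) rather than in this attribute set, which presumably ends up readable in the Nix store. The surrounding settings block starts and ends outside the hunk.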
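Review bot: `After` and `Wants` are [Unit] directives, but here they sit inside `systemd.services.pomerium.serviceConfig`, which NixOS renders into the [Service] section, where systemd ignores them with an unknown-key warning. The added `redis.service` ordering therefore probably has no effect, and the existing ACME target entry has the same problem. Move both lists to the unit-level options, `systemd.services.pomerium.after = [ "acme-finished-int.lukegb.com.target" "redis.service" ];` and the same list for `systemd.services.pomerium.wants`. If Pomerium must not run without its databroker store, `requires` states that more strictly than `wants`. The `serviceConfig` block continues past the end of the hunk.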