diff --git a/data/hostname/db0.internal.staging.swh.network.yaml b/data/hostname/db0.internal.staging.swh.network.yaml
index 3f19e27b..26c64f87 100644
--- a/data/hostname/db0.internal.staging.swh.network.yaml
+++ b/data/hostname/db0.internal.staging.swh.network.yaml
@@ -1,45 +1,48 @@
 ---
 networks:
 default:
 interface: eth0
 address: 192.168.128.3
 netmask: 255.255.255.0
 gateway: 192.168.128.1
 swh::dbs:
 storage:
 name: swh
 user: swh
 indexer:
 name: swh-indexer
 user: swh-indexer
 scheduler:
 name: swh-scheduler
 user: swh-scheduler
 postgres::server::port: 5433
 postgres::server::listen_addresses:
 - localhost
 - 192.168.128.3
+postgres::server::network_access:
+ - 192.168.100.0/24
+ - 192.168.128.0/24
 pgbouncer::auth_hba_file: /etc/postgresql/11/main/pg_hba.conf
 pgbouncer::listen_addr: 192.168.128.3
 pgbouncer::databases:
 - source_db: swh
 host: db0.internal.staging.swh.network
 auth_user: postgres
 port: 5433
 alias: staging-swh
 - source_db: swh-indexer
 host: db0.internal.staging.swh.network
 auth_user: postgres
 port: 5433
 alias: staging-swh-indexer
 - source_db: swh-scheduler
 host: db0.internal.staging.swh.network
 auth_user: postgres
 port: 5433
 alias: staging-swh-scheduler
 dar::backup::exclude:
 - srv/softwareheritage/postgres
diff --git a/site-modules/profile/manifests/postgresql/server.pp b/site-modules/profile/manifests/postgresql/server.pp
index 61ea17fa..249f9e16 100644
--- a/site-modules/profile/manifests/postgresql/server.pp
+++ b/site-modules/profile/manifests/postgresql/server.pp
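Review bot: The new `postgres::server::network_access` list admits a second subnet, 192.168.100.0/24, that nothing else in this host's data references — the host itself sits on 192.168.128.0/24 and both `listen_addresses` and `pgbouncer::listen_addr` stay on 192.168.128.3 — so a reader cannot tell what lives there or why it needs direct database access rather than going through pgbouncer. Because `profile::postgresql::server` (next file in this diff) turns every entry into a `host all all <net> md5` pg_hba rule, each entry grants password access for all roles to all databases, and the list deserves the same scrutiny as a firewall rule. A comment above the key would make that explicit, e.g. `# networks allowed to reach postgres directly: one 'host all all <net> md5' pg_hba rule per entry` followed by `# 192.168.100.0/24 = <name the segment and the clients that need it>`. Traffic from 192.168.100.0/24 presumably arrives via the gateway 192.168.128.1 declared above — worth confirming that path is intended and not just reachable.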
@@ -1,53 +1,57 @@
 class profile::postgresql::server {
 class { 'postgresql::globals':
 encoding => 'UTF-8',
 locale => 'en_US.UTF-8',
 manage_package_repo => true,
 version => '11',
 }
 $postgres_pass = lookup('swh::deploy::db::postgres::password')
 $server_port = lookup('postgres::server::port')
- $server_addresses = lookup('postgres::server::listen_addresses')
+ $server_addresses = lookup('postgres::server::listen_addresses').join(',')
+ # allow access through credentials
+ $network_access = lookup('postgres::server::network_access').map | $nwk | {
+ "host all all ${nwk} md5"
+ }
 class { 'postgresql::server':
 ip_mask_allow_all_users => '0.0.0.0/0',
- ipv4acls => ['hostssl all guest 192.168.128.0/24 cert'],
+ ipv4acls => $network_access,
 postgres_password => $postgres_pass,
 port => $server_port,
- listen_addresses => $server_addresses,
+ listen_addresses => [$server_addresses],
 }
 $guest = 'guest'
 postgresql::server::role { $guest:
 password_hash => postgresql_password($guest, 'guest'),
 }
 $dbs = lookup('swh::dbs')
 each($dbs) | $db_type, $db_config | {
 # db_type in {storage, indexer, scheduler, etc...}
 $db_pass = lookup("swh::deploy::db::${db_type}::password")
 $db_name = $db_config['name']
 $db_user = $db_config['user']
 postgresql::server::db { $db_name:
 user => $db_user,
 password => $db_pass,
 owner => $db_user }
 # guest user has read access on tables
 postgresql::server::database_grant { $db_name:
 privilege => 'connect',
 db => $db_name,
 role => $guest,
 }
 # guest user has read access on tables
 postgresql::server::table_grant { $db_name:
 privilege => 'select',
 db => $db_name,
 role => $guest,
 table => 'all',
 } } }
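Review bot: The generated `host all all ${nwk} md5` rules drop both restrictions the removed `hostssl all guest 192.168.128.0/24 cert` line carried — TLS-only transport and the guest/client-certificate limitation — so every role, including the `postgres` superuser that the pgbouncer entries in this diff authenticate with, becomes reachable over unencrypted TCP from both /24s with just a password, and the `guest` role created below with password `guest` turns from a cert-gated account into a working network credential. At minimum keep the transport restriction, `"hostssl all all ${nwk} md5"`, and consider retaining the `hostssl all guest ... cert` rule alongside rather than folding guest into the password rule; with PostgreSQL 11 `scram-sha-256` is also available if `password_encryption` is set accordingly. `ip_mask_allow_all_users => '0.0.0.0/0'` is still passed, and I believe that parameter makes puppetlabs-postgresql emit its own `host all all 0.0.0.0/0 md5` rule, in which case the per-network list narrows nothing and only `listen_addresses` limits exposure — please check the rendered pg_hba.conf. The comment `# allow access through credentials` should state what the map emits, e.g. `# one pg_hba 'host' rule per allowed network: any role, any database, password (md5) auth`. Joining `listen_addresses` with `','` and then wrapping the string in a one-element array is hard to follow; if the module accepts a string, pass `$server_addresses` directly, and if it accepts an array, drop the `.join(',')`.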