diff --git a/data/hostname/db0.internal.staging.swh.network.yaml b/data/hostname/db0.internal.staging.swh.network.yaml index 25f0706b..aa47fa1b 100644 --- a/data/hostname/db0.internal.staging.swh.network.yaml +++ b/data/hostname/db0.internal.staging.swh.network.yaml @@ -1,41 +1,46 @@ --- networks: default: interface: eth0 address: 192.168.128.3 netmask: 255.255.255.0 gateway: 192.168.128.1 swh::dbs: storage: name: swh user: swh indexer: name: swh-indexer user: swh-indexer scheduler: name: swh-scheduler user: swh-scheduler +postgres::server::port: 5433 +postgres::server::listen_addresses: + - localhost + - 192.168.128.3 + pgbouncer::auth_hba_file: /etc/postgresql/11/main/pg_hba.conf pgbouncer::listen_addr: 192.168.128.3 pgbouncer::databases: # swh - source_db: swh host: db0.internal.staging.swh.network auth_user: postgres port: 5433 alias: staging-swh - source_db: swh-indexer host: db0.internal.staging.swh.network auth_user: postgres port: 5433 alias: staging-swh-indexer - source_db: swh-scheduler host: db0.internal.staging.swh.network auth_user: postgres port: 5433 alias: staging-swh-scheduler dar::backup::exclude: - srv/softwareheritage/postgres diff --git a/site-modules/profile/manifests/postgresql/server.pp b/site-modules/profile/manifests/postgresql/server.pp index 4bac1ad6..61ea17fa 100644 --- a/site-modules/profile/manifests/postgresql/server.pp +++ b/site-modules/profile/manifests/postgresql/server.pp 
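Review bot: The new `postgres::server::port: 5433` duplicates the `port: 5433` hard-coded in each of the three `pgbouncer::databases` entries further down this file, so a later change of the server port would silently leave pgbouncer pointing at the old one. Hiera can reference the new key instead, e.g. `port: "%{lookup('postgres::server::port')}"`; the value then arrives as a string, which should render identically in the generated pgbouncer config but is worth checking once. The same duplication applies to `192.168.128.3` under `listen_addresses`, which repeats `networks.default.address` and `pgbouncer::listen_addr`. A short comment above the new keys stating why a non-localhost address is needed (presumably because pgbouncer reaches the server by hostname rather than over the unix socket) would make the intent clear to the next person editing this host.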
@@ -1,45 +1,53 @@ class profile::postgresql::server { class { 'postgresql::globals': encoding => 'UTF-8', locale => 'en_US.UTF-8', manage_package_repo => true, version => '11', } $postgres_pass = lookup('swh::deploy::db::postgres::password') + $server_port = lookup('postgres::server::port') + $server_addresses = lookup('postgres::server::listen_addresses') class { 'postgresql::server': - ip_mask_deny_postgres_user => '0.0.0.0/32', ip_mask_allow_all_users => '0.0.0.0/0', ipv4acls => ['hostssl all guest 192.168.128.0/24 cert'], postgres_password => $postgres_pass, - port => 5433, + port => $server_port, + listen_addresses => $server_addresses, } $guest = 'guest' postgresql::server::role { $guest: password_hash => postgresql_password($guest, 'guest'), } $dbs = lookup('swh::dbs') each($dbs) | $db_type, $db_config | { # db_type in {storage, indexer, scheduler, etc...} $db_pass = lookup("swh::deploy::db::${db_type}::password") $db_name = $db_config['name'] $db_user = $db_config['user'] postgresql::server::db { $db_name: user => $db_user, password => $db_pass, owner => $db_user } + # guest user has read access on tables + postgresql::server::database_grant { $db_name: + privilege => 'connect', + db => $db_name, + role => $guest, + } # guest user has read access on tables postgresql::server::table_grant { $db_name: privilege => 'select', db => $db_name, role => $guest, table => 'all', } } }
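Review bot: With `listen_addresses` now taken from Hiera, PostgreSQL accepts TCP connections on whatever addresses the data lists, and in the same class declaration the explicit `ip_mask_deny_postgres_user` is gone, so the postgres superuser's remote access now falls back to the module default (a `reject` rule for `host` connections, if I remember puppetlabs-postgresql correctly). That default is the safer setting, but pgbouncer in this commit uses `auth_user: postgres` against `db0.internal.staging.swh.network`, i.e. a TCP connection as that very user, so please verify the rendered pg_hba.conf before rolling this out. Both new `lookup` calls have no default, so a host that applies this profile without those Hiera keys will fail at catalog compilation; `$server_port = lookup('postgres::server::port', Integer, 'first', 5433)` (and the equivalent for the addresses) would preserve the previous behaviour for such hosts. The comment above the new `postgresql::server::database_grant` block is copied from the `table_grant` below it and describes the wrong grant; it should read something like `# guest user may connect to the database (select on tables is granted below)`.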