diff --git a/hieradata/roles/infra/puppetdb/sql.yaml b/hieradata/roles/infra/puppetdb/sql.yaml
index e7aacdb..85c69a7 100644
--- a/hieradata/roles/infra/puppetdb/sql.yaml
+++ b/hieradata/roles/infra/puppetdb/sql.yaml
@@ -15,6 +15,14 @@ profiles::sql::patroni::cluster_name: "patroni-puppetdb-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true
 profiles::sql::patroni::postgres_exporter_user: postgres_exporter
 profiles::sql::patroni::pgsql_version: "17"
+patroni::bootstrap_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host replication repl 0.0.0.0/0 md5'
+patroni::pgsql_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host replication repl 0.0.0.0/0 md5'
 # FIXME: puppet-python wants to try manage python-dev, which is required by the ceph package
 python::manage_dev_package: false
diff --git a/hieradata/roles/infra/sql/shared.yaml b/hieradata/roles/infra/sql/shared.yaml
index 455d871..7a124be 100644
--- a/hieradata/roles/infra/sql/shared.yaml
+++ b/hieradata/roles/infra/sql/shared.yaml
@@ -15,6 +15,16 @@ profiles::sql::patroni::cluster_name: "patroni-shared-%{facts.environment}"
 profiles::sql::patroni::postgres_exporter_enabled: true
 profiles::sql::patroni::postgres_exporter_user: postgres_exporter
 profiles::sql::patroni::pgsql_version: "17"
+patroni::bootstrap_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host gitea gitea 0.0.0.0/0 scram-sha-256'
+ - 'host replication repl 0.0.0.0/0 md5'
+patroni::pgsql_pg_hba:
+ - 'local all postgres ident'
+ - 'host all all 0.0.0.0/0 md5'
+ - 'host gitea gitea 0.0.0.0/0 scram-sha-256'
+ - 'host replication repl 0.0.0.0/0 md5'
 python::manage_dev_package: false
diff --git a/site/profiles/manifests/sql/patroni.pp b/site/profiles/manifests/sql/patroni.pp
index 07bcfa7..079bd3d 100644
--- a/site/profiles/manifests/sql/patroni.pp
+++ b/site/profiles/manifests/sql/patroni.pp
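Review bot: Both `patroni::bootstrap_pg_hba` and `patroni::pgsql_pg_hba` keep `0.0.0.0/0` on the `host all all` and `host replication repl` records, so any IPv4 address that can reach the port may attempt password or replication authentication, and `md5` still accepts roles whose stored password is an MD5 hash. Since these records now live in per-role hieradata, narrow them here: limit replication to the cluster members' network and use SCRAM, e.g. `- 'host replication repl <CLUSTER_SUBNET_CIDR> scram-sha-256'` (placeholder CIDR), and consider `hostssl` if TLS is enabled on these servers. The same records appear in the hieradata/roles/infra/sql/shared.yaml hunk. A short comment above the lists noting that the first matching record wins and that the two lists are expected to stay identical would also help.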
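Review bot: The `host gitea gitea 0.0.0.0/0 scram-sha-256` record can never match as written in shared.yaml, because pg_hba records are evaluated top-down and the first one matching connection type, database, user and address is used; `host all all 0.0.0.0/0 md5` sits above it in both `patroni::bootstrap_pg_hba` and `patroni::pgsql_pg_hba`. Connections for gitea are therefore governed by the `md5` record, which still lets a role with an MD5-hashed password authenticate that way, so the intended SCRAM-only requirement is not enforced. Move the gitea line above the catch-all in both lists, i.e. `- 'host gitea gitea 0.0.0.0/0 scram-sha-256'` directly after `- 'local all postgres ident'`.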
@@ -64,16 +64,6 @@ class profiles::sql::patroni (
 pgsql_parameters => {
 'max_connections' => 5000,
 },
- bootstrap_pg_hba => [
- 'local all postgres ident',
- 'host all all 0.0.0.0/0 md5',
- 'host replication repl 0.0.0.0/0 md5',
- ],
- pgsql_pg_hba => [
- 'local all postgres ident',
- 'host all all 0.0.0.0/0 md5',
- 'host replication repl 0.0.0.0/0 md5',
- ],
 superuser_username => $superuser_username,
 superuser_password => $superuser_password,
 replication_username => $replication_username,