diff --git a/pillar/dbserver/cluster-A.sls b/pillar/dbserver/cluster-A.sls index 3ac2008..a31bb37 100644 --- a/pillar/dbserver/cluster-A.sls +++ b/pillar/dbserver/cluster-A.sls @@ -1,49 +1,66 @@ dbserver_postgresql: server: cluster: A # Fantoir database needs the pg_trgm extension with_contrib: True listen_addresses: "*" users: # Password paths are relative to ops/secrets/ airflow: password: dbserver/cluster-A/users/airflow privileges: - database: airflow scope: schema privileges: - ALL fantoir: password: dbserver/cluster-A/users/fantoir privileges: - database: fantoir scope: schema privileges: - ALL + orbeon: + password: dbserver/cluster-A/users/orbeon + privileges: + - database: forms + scope: schema + privileges: + - ALL + databases: airflow: encoding: UTF8 owner: airflow fantoir: encoding: UTF8 owner: fantoir extensions: - pg_trgm + forms: + encoding: UTF8 + owner: orbeon + # Network connections allowed in pg_hba.conf connections: - db: airflow user: airflow ips: 172.27.27.0/28 - db: fantoir user: fantoir ips: 172.27.27.0/28 + + - db: forms + user: orbeon + ips: &dwellers 172.27.27.4/32 + method: password diff --git a/roles/dbserver-pgsql/server/files/pg_hba.conf b/roles/dbserver-pgsql/server/files/pg_hba.conf index 4792689..4102e49 100644 --- a/roles/dbserver-pgsql/server/files/pg_hba.conf +++ b/roles/dbserver-pgsql/server/files/pg_hba.conf 
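Review bot: `method: password` on the new `forms` / `orbeon` connection entry makes PostgreSQL ask the client for its password in clear text. The pg_hba.conf template in this commit only emits `host` records, which match non-TLS connections as well, so the credential can travel from 172.27.27.4 unencrypted. If the Orbeon client can do SCRAM, drop the `method` key so the entry falls back to the template default `scram-sha-256`. If it cannot, put a comment above the key giving the reason, e.g. `# client driver lacks SCRAM support; remove once upgraded` (that reason is a guess, the diff does not state one). Separately, the `&dwellers` anchor on `ips` is not aliased anywhere in this hunk, so unless another part of the file uses it, a plain `ips: 172.27.27.4/32` reads more clearly.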
@@ -1,34 +1,34 @@ # ------------------------------------------------------------- # PostgreSQL # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # License: Trivial work, not eligible to copyright # Source file: roles/dbserver-pgsql/server/files/pg_hba.conf # ------------------------------------------------------------- # # # This file is managed by our rOPS SaltStack repository. # # Changes to this file may cause incorrect behavior # and will be lost if the state is redeployed. # # TYPE DATABASE USER ADDRESS METHOD # "local" is for Unix domain socket connections only local all all peer # Local connections host all all 127.0.0.1/32 scram-sha-256 host all all ::1/128 scram-sha-256 # External connections {%- for conn in connections %} -host {{ "%-15s" | format(conn.db) }} {{ "%-15s" | format(conn.user) }} {{ "%-23s" | format(conn.ips) }} scram-sha-256 +host {{ "%-15s" | format(conn.db) }} {{ "%-15s" | format(conn.user) }} {{ "%-23s" | format(conn.ips) }} {{ conn.method | default("scram-sha-256") }} {%- endfor %} # Allow replication connections from localhost, by a user with the # replication privilege. local replication all peer host replication all 127.0.0.1/32 scram-sha-256 host replication all ::1/128 scram-sha-256
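Review bot: The new last column `{{ conn.method | default("scram-sha-256") }}` in the `for conn in connections` loop writes whatever the pillar holds into pg_hba.conf, so a typo or a weak value such as `trust` reaches the deployed file with no check at render time. Consider accepting only a short list of methods in the template (for instance `scram-sha-256`, `md5`, `password`) and using the default for anything else. A comment above the loop should also document the optional key, e.g. `# conn.method is optional and defaults to scram-sha-256`. Because the record type is still hard-coded to `host`, an entry that needs `password` cannot be restricted to TLS; an optional record type defaulting to `host` would allow `hostssl` for those entries. The method column is also no longer padded like the other columns, which is cosmetic only.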