diff --git a/playbooks/apollo.yml b/playbooks/apollo.yml
index 21d34e41ae8d579d716174c1124a4568673165d1..c7e34c428a3b10eb37162e002b0420588ff7202e 100644
--- a/playbooks/apollo.yml
+++ b/playbooks/apollo.yml
@@ -7,12 +7,16 @@
 - name: "prepare postgres ssl hosts list"
   hosts: apollo.archlinux.org
   tasks:
-      - set_fact: postgres_ssl_hosts="{{ [orion4] + [orion6] + detected_ips}}"
+      - set_fact: postgres_ssl_hosts4="{{ [orion4] + detected_ips}}"
         vars:
-            orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}{{ hostvars['orion.archlinux.org']['ipv4_netmask'] }}"
-            orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}{{ hostvars['orion.archlinux.org']['ipv6_netmask'] }}"
+            orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}"
             detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
         tags: ["postgres"]
+      - set_fact: postgres_ssl_hosts6="{{ [orion6] + detected_ips}}"
+        vars:
+            orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}"
+            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
+        tags: ["postgres"]
 
 - name: setup apollo
   hosts: apollo.archlinux.org
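Review bot: The IPv6 `detected_ips` in the second `set_fact` still appends `/32`, which on an IPv6 address is a very large prefix rather than a single host. Both the firewall rule and the `hostssl` line built from `postgres_ssl_hosts6` would then admit far more sources than the mirrors themselves. The suffix should be the IPv6 host length: `map('regex_replace', '^(.*)$', '\\1/128')`. Separately, `map('extract', hostvars, ['ansible_default_ipv6', 'address'])` presumably has nothing to return for a mirror without a default IPv6 address, so it is worth confirming every host in `groups['mirrors']` has one or filtering those hosts out first.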
diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index bb3e2d00dce6b47d4111c67d384a69cd3457932b..d3a0060fabeea027512bcf5fe497d6e587cab9c0 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -10,4 +10,5 @@ postgres_ssl_ca_file: '/var/lib/postgres/data/chain.pem'
 
 postgres_shared_buffers: '128MB'
 
-postgres_ssl_hosts: []
+postgres_ssl_hosts4: []
+postgres_ssl_hosts6: []
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 5254a2958cc2af0e40ab01a95aea3517aa415b3d..9e171e47095d59cea803b3689c6bdd4f68fd9558 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -50,7 +50,18 @@
         remote_src=true owner=postgres group=postgres mode=0400
   when: postgres_ssl == 'on'
 
-- name: open firewall holes to known postgresql clients
-  firewalld: service=postgresql permanent=true state=enabled source={{item}} immediate=yes
-  with_items: "{{ postgres_ssl_hosts }}"
+- name: open firewall holes to known postgresql ipv4 clients
+  firewalld: permanent=true state=enabled immediate=yes
+    rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
+  with_items: "{{ postgres_ssl_hosts4 }}"
   when: configure_firewall
+  tags:
+    - firewall
+
+- name: open firewall holes to known postgresql ipv6 clients
+  firewalld: permanent=true state=enabled immediate=yes
+    rich_rule="rule family=ipv4 source address={{item}} port protocol=tcp port=5432 accept"
+  with_items: "{{ postgres_ssl_hosts6 }}"
+  when: configure_firewall
+  tags:
+    - firewall
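Review bot: The new ipv6 task still has `rule family=ipv4` in its `rich_rule`, copied from the ipv4 task, so the addresses in `postgres_ssl_hosts6` are passed to firewalld under the wrong family. firewalld will most likely reject the rule, and either way port 5432 is not opened for the intended IPv6 clients. The line should read `rich_rule="rule family=ipv6 source address={{item}} port protocol=tcp port=5432 accept"`. Also, the removed task added permanent `service=postgresql source=...` entries, and nothing in this hunk disables them, so hosts that were already provisioned presumably keep those older openings until they are removed explicitly.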
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
index 1d7602cb08fa2bb4b9627be18bd866e53dfd1651..712f15be4690ae7998226de44251c3f3fa85721f 100644
--- a/roles/postgres/templates/pg_hba.conf.j2
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -90,6 +90,13 @@ host    sameuser        all             ::1/128                 md5
 #local   replication     all                                     peer
 #host    replication     all             127.0.0.1/32            md5
 #host    replication     all             ::1/128                 md5
-{% for host in postgres_ssl_hosts %}
+
+# IPv4 Remote Clients
+{% for host in postgres_ssl_hosts4 %}
+hostssl all             all             {{ host }}              md5
+{% endfor %}
+
+# IPv6 Remote Clients
+{% for host in postgres_ssl_hosts6 %}
 hostssl all             all             {{ host }}              md5
 {% endfor %}
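Review bot: Both loops emit `{{ host }}` directly into the address column of a `hostssl` line, so every list entry must already carry its own prefix length. The mirror entries do, but in playbooks/apollo.yml the `orion4` and `orion6` values are now built from `ipv4_address` / `ipv6_address` alone, with the netmask part dropped. As far as I can tell, pg_hba.conf expects either `address/len` or a separate mask column, so a bare address followed by `md5` would probably make the file fail to load. Either put the prefix back where the lists are built (for example `{{ ... ['ipv4_address'] }}/32` and `/128` for IPv6), or add a comment above each loop such as `# entries must be in address/prefix form`.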