diff --git a/roles/ejabberd.rb b/roles/ejabberd.rb
index 4034261..561ca33 100644
--- a/roles/ejabberd.rb
+++ b/roles/ejabberd.rb
@@ -1,10 +1,12 @@
 name "ejabberd"
 default_run_list = %w(
+ role[postgresql_client]
 kosmos-ejabberd::default
 )
 production_run_list = %w(
+ role[postgresql_client]
 kosmos-ejabberd::default
 kosmos-ejabberd::letsencrypt
 kosmos-ejabberd::backup
diff --git a/roles/gitea.rb b/roles/gitea.rb
index b6f5069..5f7fd2a 100644
--- a/roles/gitea.rb
+++ b/roles/gitea.rb
@@ -1,6 +1,7 @@
 name "gitea"
 run_list %w(
+ role[postgresql_client]
 kosmos_gitea::default
 kosmos_gitea::backup
 )
diff --git a/roles/postgresql_client.rb b/roles/postgresql_client.rb
new file mode 100644
index 0000000..18771f2
--- /dev/null
+++ b/roles/postgresql_client.rb
@@ -0,0 +1,5 @@
+# This role is used by the kosmos-postgresql::default recipe to add access
+# rules to every server that is a PostgreSQL client
+name "postgresql_client"
+
+run_list []
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
index 5fe7ba0..c7d289b 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb
@@ -48,6 +48,24 @@ systemctl start postgresql@12-main
 only_if { ::File.exist? "/var/lib/postgresql/10/main" }
 end
+# Services that connect to PostgreSQL need to have the postgresql_client role
+# as part of their run list. See the gitea and ejabberd roles.
+postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
+
+postgresql_clients.each do |client|
+ ip = ip_for(client)
+ hostname = client[:hostname]
+
+ postgresql_access "#{hostname} all" do
+ access_type "host"
+ access_db "all"
+ access_user "all"
+ access_addr "#{ip}/32"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+ end
+end
+
 postgresql_replicas.each do |replica|
 postgresql_access "#{replica[:hostname]} replication" do
 access_type "host"
@@ -58,25 +76,6 @@ postgresql_replicas.each do |replica|
 notifies :reload, "service[#{postgresql_service}]", :immediately
 end
- gitea_servers = search(:node, "role:gitea AND chef_environment:#{node.chef_environment}") || []
- ejabberd_servers = search(:node, "role:ejabberd AND chef_environment:#{node.chef_environment}") || []
-
- servers = (gitea_servers + ejabberd_servers).uniq
-
- servers.each do |server|
- ip = ip_for(server)
- hostname = server[:hostname]
-
- postgresql_access "#{hostname} all" do
- access_type "host"
- access_db "all"
- access_user "all"
- access_addr "#{ip}/32"
- access_method "md5"
- notifies :reload, "service[#{postgresql_service}]", :immediately
- end
- end
-
 unless node.chef_environment == "development"
 include_recipe "firewall"
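Review bot: `access_addr "#{ip}/32"` in the new client loop has no guard for `ip_for(client)` returning nil, so a client node without a resolvable address would yield the malformed pg_hba address `/32` and the immediate reload would fail for every client; add `next unless ip` (or raise naming `hostname`) before the `postgresql_access` block — `ip_for` is defined outside this hunk, so whether it can return nil is inferred. Since the server is PostgreSQL 12 (`postgresql@12-main`), `access_method "md5"` could be `scram-sha-256` once the client roles' passwords are stored with that `password_encryption`; md5 is the weaker of the two. Judging from the line counts of the following hunk there is no `end` closing `postgresql_replicas.each` between the replica `postgresql_access` block and `unless node.chef_environment == "development"`, which would mean the firewall block still runs once per replica and not at all when no replica is found — worth checking in the indented file, since whitespace is collapsed here.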