diff --git a/defaults/main.yaml b/defaults/main.yaml
index 88cdddb..666c4b8 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,13 +1,14 @@ postgresql_version: "15.2" # Options +postgresql_group: "postgresql" postgresql_superuser_db: "postgres" postgresql_superuser_name: "postgres" postgresql_superuser_password: "postgres" # SSL options postgresql_ssl: true -postgresql_group: "postgresql" +postgresql_ssl_keep_nonssl_endpoint: false postgresql_self_signed_cert: true postgresql_self_signed_cert_name: "cert"
diff --git a/templates/13-pg_hba.conf.j2 b/templates/13-pg_hba.conf.j2
index d037313..e88b4df 100644
--- a/templates/13-pg_hba.conf.j2
+++ b/templates/13-pg_hba.conf.j2
@@ -47,10 +47,10 @@
 # or "samenet" to match any address in any subnet that the server is
 # directly connected to.
 #
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 # Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
+# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 #
 # OPTIONS are a set of options for the authentication in the format
 # NAME=VALUE. The available options depend on the different
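Review bot: `postgresql_ssl_keep_nonssl_endpoint` is added without a comment, yet it is the switch that decides whether a plaintext `host ... 0.0.0.0/0` rule is rendered into pg_hba.conf alongside the `hostssl` one, so a reader of defaults cannot tell what turning it on exposes. I would document it inline: `# When true (and postgresql_ssl is true), also keep a non-SSL "host" rule on 0.0.0.0/0; passwords then travel unencrypted on that endpoint.` The templates in this commit also interpolate `postgresql_password_encryption_algorithm`, which this hunk does not define; unless it is declared elsewhere in the role, rendering will fail on an undefined variable. Since that value lands verbatim in the METHOD column, declaring a default of `"scram-sha-256"` here and asserting it is one of `scram-sha-256`/`md5` before templating would keep a stray value such as `trust` from silently disabling authentication.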
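Review bot: Substituting the variable into the explanatory comment at `# METHOD can be ...` and `# "scram-sha-256" are preferred ...` turns a list of PostgreSQL's allowed METHOD keywords into whatever the role happens to be configured with, so with `md5` the rendered comment would read `"md5", "password", "md5"` and `"md5" or "md5" are preferred`. That text is upstream reference documentation and should keep the literal names; I would restore the two removed comment lines as they were. The same change is made in the matching hunks of 14-pg_hba.conf.j2 and 15-pg_hba.conf.j2.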
@@ -85,14 +85,17 @@ local all all trust
 # "local" is for Unix domain socket connections only
 local all all peer
 # IPv4 local connections:
-host all all 127.0.0.1/32 scram-sha-256
+host all all 127.0.0.1/32 {{ postgresql_password_encryption_algorithm }}
 # IPv6 local connections:
-host all all ::1/128 scram-sha-256
+host all all ::1/128 {{ postgresql_password_encryption_algorithm }}
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local replication all peer
-host replication all 127.0.0.1/32 scram-sha-256
-host replication all ::1/128 scram-sha-256
-{% if postgresql_ssl|bool %}
-hostssl all all 0.0.0.0/0 scram-sha-256
+host replication all 127.0.0.1/32 {{ postgresql_password_encryption_algorithm }}
+host replication all ::1/128 {{ postgresql_password_encryption_algorithm }}
+{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
+host all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}
+{% endif %}
+{% if postgresql_ssl|bool %}
+hostssl all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}
 {% endif %}
diff --git a/templates/14-pg_hba.conf.j2 b/templates/14-pg_hba.conf.j2
index d037313..e88b4df 100644
--- a/templates/14-pg_hba.conf.j2
+++ b/templates/14-pg_hba.conf.j2
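Review bot: The new `host all all 0.0.0.0/0` rule is emitted before `hostssl`, and a `host` record matches both SSL and non-SSL connections, so when `postgresql_ssl_keep_nonssl_endpoint` is true the `hostssl` line below it is never reached (pg_hba.conf is first-match). Writing the opt-in rule as `hostnossl all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}` states the intent, leaves `hostssl` in effect for TLS clients, and is equally correct when `postgresql_ssl` is false. Note that with `postgresql_ssl: false` this branch now publishes a password-authenticated rule to every IPv4 address, where the previous template emitted no remote rule at all; that widening deserves a line in the role's README or changelog. IPv6 remote clients are still matched by neither rule, which this commit does not change. The same hunk appears in 14-pg_hba.conf.j2 and 15-pg_hba.conf.j2.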
@@ -47,10 +47,10 @@
 # or "samenet" to match any address in any subnet that the server is
 # directly connected to.
 #
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 # Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
+# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 #
 # OPTIONS are a set of options for the authentication in the format
 # NAME=VALUE. The available options depend on the different
@@ -85,14 +85,17 @@ local all all trust
 # "local" is for Unix domain socket connections only
 local all all peer
 # IPv4 local connections:
-host all all 127.0.0.1/32 scram-sha-256
+host all all 127.0.0.1/32 {{ postgresql_password_encryption_algorithm }}
 # IPv6 local connections:
-host all all ::1/128 scram-sha-256
+host all all ::1/128 {{ postgresql_password_encryption_algorithm }}
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local replication all peer
-host replication all 127.0.0.1/32 scram-sha-256
-host replication all ::1/128 scram-sha-256
-{% if postgresql_ssl|bool %}
-hostssl all all 0.0.0.0/0 scram-sha-256
+host replication all 127.0.0.1/32 {{ postgresql_password_encryption_algorithm }}
+host replication all ::1/128 {{ postgresql_password_encryption_algorithm }}
+{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
+host all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}
+{% endif %}
+{% if postgresql_ssl|bool %}
+hostssl all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}
 {% endif %}
diff --git a/templates/15-pg_hba.conf.j2 b/templates/15-pg_hba.conf.j2
index d037313..e88b4df 100644
--- a/templates/15-pg_hba.conf.j2
+++ b/templates/15-pg_hba.conf.j2
@@ -47,10 +47,10 @@
 # or "samenet" to match any address in any subnet that the server is
 # directly connected to.
 #
-# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# METHOD can be "trust", "reject", "md5", "password", "{{ postgresql_password_encryption_algorithm }}",
 # "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
 # Note that "password" sends passwords in clear text; "md5" or
-# "scram-sha-256" are preferred since they send encrypted passwords.
+# "{{ postgresql_password_encryption_algorithm }}" are preferred since they send encrypted passwords.
 #
 # OPTIONS are a set of options for the authentication in the format
 # NAME=VALUE. The available options depend on the different
@@ -85,14 +85,17 @@ local all all trust
 # "local" is for Unix domain socket connections only
 local all all peer
 # IPv4 local connections:
-host all all 127.0.0.1/32 scram-sha-256
+host all all 127.0.0.1/32 {{ postgresql_password_encryption_algorithm }}
 # IPv6 local connections:
-host all all ::1/128 scram-sha-256
+host all all ::1/128 {{ postgresql_password_encryption_algorithm }}
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local replication all peer
-host replication all 127.0.0.1/32 scram-sha-256
-host replication all ::1/128 scram-sha-256
-{% if postgresql_ssl|bool %}
-hostssl all all 0.0.0.0/0 scram-sha-256
+host replication all 127.0.0.1/32 {{ postgresql_password_encryption_algorithm }}
+host replication all ::1/128 {{ postgresql_password_encryption_algorithm }}
+{% if not postgresql_ssl|bool or postgresql_ssl_keep_nonssl_endpoint|bool %}
+host all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}
+{% endif %}
+{% if postgresql_ssl|bool %}
+hostssl all all 0.0.0.0/0 {{ postgresql_password_encryption_algorithm }}
 {% endif %}