diff --git a/puppet/oss/compose.yaml b/puppet/oss/compose.yaml
index 00812f8..efbbbf6 100644
--- a/puppet/oss/compose.yaml
+++ b/puppet/oss/compose.yaml
@@ -39,6 +39,7 @@ services:
 - PUPPETDB_USER=${POSTGRES_USER:-puppetdb}
 volumes:
 - puppetdb:/opt/puppetlabs/server/data/puppetdb
+ - ./read-database.ini:/etc/puppetlabs/puppetdb/conf.d/read-database.ini:ro
 restart: always
 ports:
 - 8081:8081
@@ -50,8 +51,8 @@ services:
 hostname: postgres
 environment:
 - POSTGRES_DB=${POSTGRES_DB:-puppetdb}
- - POSTGRES_USER=${POSTGRES_USER:-puppetdb}
- - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-puppetdb}
+ - POSTGRES_USER=${POSTGRES_SUPERUSER:-postgres}
+ - POSTGRES_PASSWORD=${POSTGRES_SUPERUSER_PASSWORD:-postgres}
 healthcheck:
 test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}'"]
 interval: 10s
diff --git a/puppet/oss/postgresql_init/roles.sql b/puppet/oss/postgresql_init/roles.sql
new file mode 100644
index 0000000..8a99e74
--- /dev/null
+++ b/puppet/oss/postgresql_init/roles.sql
@@ -0,0 +1,9 @@
+CREATE USER puppetdb PASSWORD 'puppetdb';
+CREATE USER puppetdb_read PASSWORD 'puppetdb_read';
+
+REVOKE CREATE ON SCHEMA public FROM public;
+GRANT CREATE ON SCHEMA public TO puppetdb;
+
+ALTER DEFAULT PRIVILEGES FOR USER puppetdb IN SCHEMA public GRANT SELECT ON tables TO puppetdb_read;
+ALTER DEFAULT PRIVILEGES FOR USER puppetdb IN SCHEMA public GRANT USAGE ON sequences TO puppetdb_read;
+ALTER DEFAULT PRIVILEGES FOR USER puppetdb IN SCHEMA public GRANT EXECUTE ON functions TO puppetdb_read;
diff --git a/puppet/oss/read-database.ini b/puppet/oss/read-database.ini
new file mode 100644
index 0000000..1aa64de
--- /dev/null
+++ b/puppet/oss/read-database.ini
@@ -0,0 +1,4 @@
+[read-database]
+subname = //postgres:5432/puppetdb
+username = puppetdb_read
+password = puppetdb_read
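Review bot: The healthcheck two lines below the changed environment still runs `pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}`, and an unescaped `${...}` in a compose file is interpolated by Compose from the host environment or .env at parse time, not from the container, so after this change it names whatever the host has in POSTGRES_USER (empty, with a warning, when unset) rather than the superuser the server is now initialised with; pg_isready does not authenticate, so the check should still pass, but it no longer reflects the configuration. Either escape it so the container's own variable is read, `sh -c 'pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB'`, or mirror the new defaults, `pg_isready -U ${POSTGRES_SUPERUSER:-postgres} -d ${POSTGRES_DB:-puppetdb}`. A related drift now spans the first hunk and the two new files: `PUPPETDB_USER=${POSTGRES_USER:-puppetdb}` stays operator-overridable while roles.sql hard-codes the `puppetdb`/`puppetdb` credentials and read-database.ini hard-codes `puppetdb_read`, so setting POSTGRES_USER or POSTGRES_PASSWORD in .env now makes PuppetDB connect with a role the init script never creates. A comment next to the PUPPETDB_* variables saying which file owns each credential, or deriving all of them from one set of variables, would close that gap.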
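Review bot: Both CREATE USER statements set the password equal to the role name and commit it to the repository, and because this is a `.sql` init file it cannot read the variables compose.yaml exposes, so the defaults here and the `${POSTGRES_PASSWORD:-...}`-style defaults in compose.yaml will drift the moment one side is overridden. A shell script in the same init directory can create the roles from the container environment instead, e.g. `psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -d "$POSTGRES_DB" -c "CREATE USER puppetdb PASSWORD '<PUPPETDB_PASSWORD placeholder, a variable the postgres service would need to receive>'"`; failing that, a header comment `-- Development defaults only: these passwords must match compose.yaml and read-database.ini; change all three together.` should be added. A second point: the puppetdb role gets CREATE on schema public but is neither made owner of the puppetdb database (created by the image from POSTGRES_DB and owned by the superuser) nor granted CREATE on it, so if PuppetDB's schema migrations need to install an extension such as pg_trgm that step may be refused for this non-superuser — worth verifying against the PuppetDB deployment docs, since database creation is outside this diff. The REVOKE/GRANT pair and the three ALTER DEFAULT PRIVILEGES statements are the right least-privilege shape for the read-only role.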
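Review bot: `password = puppetdb_read` puts a plaintext credential in a tracked file that is then bind-mounted whole into the PuppetDB container, so rotating the read-only password means editing and committing this file, and nothing in it says it has to stay in step with CREATE USER puppetdb_read in postgresql_init/roles.sql. The smallest fix is a header comment, `# Credentials must match CREATE USER puppetdb_read in postgresql_init/roles.sql; these values are local-development defaults.`, assuming PuppetDB's ini loader accepts `#` comments as standard ini does. The better fix is to keep the file out of version control and generate it at start-up from the same variables compose.yaml already interpolates, or supply it as a Compose secret, so the read-database password can be set alongside POSTGRES_SUPERUSER_PASSWORD rather than living in the repository.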