diff --git a/README.md b/README.md
index 3e2afb242..0add3e993 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,8 @@ docker pull ghcr.io/voxpupuli/puppetdb:7.13.0-v1.2.1
| **PUPPETDB_POSTGRES_DATABASE** | The name of the puppetdb database in postgres
`puppetdb` |
| **PUPPETDB_USER** | The puppetdb database user
`puppetdb` |
| **PUPPETDB_PASSWORD** | The puppetdb database password
`puppetdb` |
+| **PUPPETDB_READ_USER** | The puppetdb database read-only user
`puppetdb_read` |
+| **PUPPETDB_READ_PASSWORD** | The puppetdb database read-only password
`puppetdb_read` |
| **PUPPETDB_NODE_TTL** | Mark as ‘expired’ nodes that haven’t seen any activity (no new catalogs, facts, or reports) in the specified amount of time
`7d` |
| **PUPPETDB_NODE_PURGE_TTL** | Automatically delete nodes that have been deactivated or expired for the specified amount of time
`14d` |
| **PUPPETDB_REPORT_TTL** | Automatically delete reports that are older than the specified amount of time
`14d` |
diff --git a/puppetdb/Dockerfile b/puppetdb/Dockerfile
index ae6a9ae2e..b7554f93e 100644
--- a/puppetdb/Dockerfile
+++ b/puppetdb/Dockerfile
@@ -22,6 +22,8 @@ ENV PUPPETDB_POSTGRES_HOSTNAME="postgres" \
WAITFORCERT="" \
PUPPETDB_USER=puppetdb \
PUPPETDB_PASSWORD=puppetdb \
+ PUPPETDB_READ_USER=puppetdb_read \
+ PUPPETDB_READ_PASSWORD=puppetdb_read \
PUPPETDB_NODE_TTL=7d \
PUPPETDB_NODE_PURGE_TTL=14d \
PUPPETDB_REPORT_TTL=14d \
diff --git a/puppetdb/conf.d/read-database.conf b/puppetdb/conf.d/read-database.conf
new file mode 100644
index 000000000..74aa211f7
--- /dev/null
+++ b/puppetdb/conf.d/read-database.conf
@@ -0,0 +1,5 @@
+read-database: {
+ subname: "//"${PUPPETDB_POSTGRES_HOSTNAME}":"${PUPPETDB_POSTGRES_PORT}"/"${PUPPETDB_POSTGRES_DATABASE}
+ username: ${PUPPETDB_READ_USER}
+ password: ${PUPPETDB_READ_PASSWORD}
+}