diff --git a/defaults/main.yml b/defaults/main.yml
index 9c63663..7b2a818 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -64,6 +64,9 @@ postgres_replica_user_password: ""
 postgres_replica_auth_method: "scram-sha-256"
 postgres_replication_bind_address: ""
 postgres_replica_address: ""
+backup_db_user: ""
+backup_db_password: ""
+backup_db_name: ""
 
 # Enable TLS for traefik
 enable_tls: false
diff --git a/tasks/replication.yml b/tasks/replication.yml
index b313c8d..8fe09b6 100644
--- a/tasks/replication.yml
+++ b/tasks/replication.yml
@@ -40,3 +40,21 @@
     login_user: "{{ database_username }}"
     login_password: "{{ database_password }}"
     query: "SELECT pg_reload_conf()"
+
+- name: Create postgres backup user
+  community.postgresql.postgresql_user:
+    login_host: "{{ postgres_replication_bind_address }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    name: "{{ backup_db_user }}"
+    password: "{{ backup_db_password }}"
+
+- name: Grant role pg_read_all_data to backup user
+  community.postgresql.postgresql_membership:
+    login_host: "{{ postgres_replication_bind_address }}"
+    login_user: "{{ database_username }}"
+    login_password: "{{ database_password }}"
+    group: pg_read_all_data
+    target_roles:
+      - "{{ backup_db_user }}"
+    state: present