diff --git a/argocd/manifests/databases/README.md b/argocd/manifests/databases/README.md index 7696217..c82f4d1 100644 --- a/argocd/manifests/databases/README.md +++ b/argocd/manifests/databases/README.md @@ -14,15 +14,16 @@ Single-instance PostgreSQL cluster for blumeops services. ### Users/Roles -| User | Role | Purpose | Password Source | -|----------|-------------|----------------------------------|------------------------------------| -| postgres | superuser | CNPG internal (avoid using) | `blumeops-pg-superuser` secret | -| miniflux | app owner | Owns miniflux database | `blumeops-pg-app` secret | -| eblume | superuser | Admin access (matches brew pg) | `blumeops-pg-eblume` secret (manual) | +| User | Role | Purpose | Password Source | +|-----------|----------------|----------------------------------|---------------------------------------| +| postgres | superuser | CNPG internal (avoid using) | `blumeops-pg-superuser` secret | +| miniflux | app owner | Owns miniflux database | `blumeops-pg-app` secret | +| eblume | superuser | Admin access (matches brew pg) | `blumeops-pg-eblume` secret (manual) | +| borgmatic | pg_read_all_data | Backup access for borgmatic | `blumeops-pg-borgmatic` secret (manual) | ### Manual Secret Setup -Before deploying, create the eblume password secret: +Before deploying, create the password secrets: ```bash # Create namespace first @@ -30,6 +31,9 @@ kubectl create namespace databases # Apply eblume password from 1Password op inject -i argocd/manifests/databases/secret-eblume.yaml.tpl | kubectl apply -f - + +# Apply borgmatic password from 1Password +op inject -i argocd/manifests/databases/secret-borgmatic.yaml.tpl | kubectl apply -f - ``` The `miniflux` user password is auto-generated by CloudNativePG and stored in `blumeops-pg-app`. diff --git a/argocd/manifests/databases/blumeops-pg.yaml b/argocd/manifests/databases/blumeops-pg.yaml index 93d30a2..3834c43 100644 --- a/argocd/manifests/databases/blumeops-pg.yaml 
+++ b/argocd/manifests/databases/blumeops-pg.yaml @@ -29,6 +29,14 @@ spec: createrole: true passwordSecret: name: blumeops-pg-eblume + # borgmatic read-only user for backups + - name: borgmatic + login: true + superuser: false + inRoles: + - pg_read_all_data + passwordSecret: + name: blumeops-pg-borgmatic # Resource limits for minikube environment resources: diff --git a/argocd/manifests/databases/secret-borgmatic.yaml.tpl b/argocd/manifests/databases/secret-borgmatic.yaml.tpl new file mode 100644 index 0000000..5aff760 --- /dev/null +++ b/argocd/manifests/databases/secret-borgmatic.yaml.tpl @@ -0,0 +1,13 @@ +# Template for borgmatic backup user password +# Apply with: op inject -i secret-borgmatic.yaml.tpl | kubectl apply -f - +# +# Uses the same borgmatic password from 1Password as the brew PostgreSQL setup +apiVersion: v1 +kind: Secret +metadata: + name: blumeops-pg-borgmatic + namespace: databases +type: kubernetes.io/basic-auth +stringData: + username: borgmatic + password: {{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/password }}
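Review bot: in the `blumeops-pg.yaml` hunk, the comment `# borgmatic read-only user for backups` understates what `inRoles: - pg_read_all_data` grants: membership in that predefined role gives SELECT on every table, view and sequence and USAGE on every schema in every database of the cluster, not only the miniflux database that the README table lists as the application database. If the backup only needs miniflux, an explicit SELECT grant scoped to that database would be tighter; if cluster-wide read is intended, say so in this comment and in the README's Purpose column so a later reader does not treat this as a scoped account. `login: true` with `superuser: false` is the right shape for a backup principal, and since role reconciliation depends on the `blumeops-pg-borgmatic` secret already existing, a short comment next to `passwordSecret` pointing at the README's "Before deploying" step would document that ordering where it is consumed.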
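Review bot: in the `secret-borgmatic.yaml.tpl` hunk, the header line `# Uses the same borgmatic password from 1Password as the brew PostgreSQL setup` means a single credential now unlocks two independent PostgreSQL instances, so a leak of either side's secret exposes both; a separate 1Password item for the cluster role keeps the blast radius to one instance, and the `op://` reference is already parameterised so the change is one line. Separately, `password: {{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/password }}` is substituted unquoted into YAML, so a generated password containing `: ` or ` #`, or starting with `*`, `&`, `[` or `{`, would either fail to parse or silently change the stored value; quoting it as `password: "{{ op://.../password }}"` removes most of that class of surprises (a `"` or `\` inside the password would still need escaping, which is worth a comment in the template).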
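Review bot: in the second README hunk, `op inject -i argocd/manifests/databases/secret-borgmatic.yaml.tpl | kubectl apply -f -` is a client-side apply, which records the whole rendered manifest, `stringData.password` included, in the Secret's `kubectl.kubernetes.io/last-applied-configuration` annotation; the copy lives in the same object so it adds no new reader, but the password then appears in plaintext (not base64) in `kubectl get secret -o yaml` output and in any tooling that diffs annotations. `kubectl apply --server-side -f -`, or `kubectl create -f -` for the one-time setup this section describes, does not write that annotation. The existing eblume line has the same property, so updating both commands together keeps the section consistent.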