diff --git a/ansible/roles/postgresql/tasks/main.yml b/ansible/roles/postgresql/tasks/main.yml
index c4e8658..6a6ff30 100644
--- a/ansible/roles/postgresql/tasks/main.yml
+++ b/ansible/roles/postgresql/tasks/main.yml
@@ -166,10 +166,12 @@
 # === Write credential files for local access ===
-- name: Write .pgpass file for local authentication
+# .pgpass is used by borgmatic for pg_dump backups
+# Only includes read-only roles (borgmatic has pg_read_all_data)
+- name: Write .pgpass file for borgmatic backups
 ansible.builtin.copy:
 content: |
- localhost:{{ postgresql_port }}:*:{{ ansible_user_id }}:{{ pg_superuser_password }}
+ # Managed by ansible - only read-only roles
 localhost:{{ postgresql_port }}:*:borgmatic:{{ pg_user_passwords['borgmatic'] }}
 dest: ~/.pgpass
 mode: '0600'
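Review bot: The task that writes `~/.pgpass` renders `pg_user_passwords['borgmatic']` into `content:`, and none of the visible lines set `no_log: true`, so a run with `--diff` or raised verbosity can print the password to the console or CI log. The task continues past the end of the hunk, so check whether it is already set there; if not, add `no_log: true` at task level. Separately, libpq requires `:` and `\` inside a .pgpass field to be backslash-escaped, so a generated password containing either character would stop this entry from matching and the pg_dump backup would fail to authenticate; either constrain the password generator's character set or escape the value before it is templated. The new comment states that borgmatic only has `pg_read_all_data`, but that grant is not in this hunk, so it would help to name the task that enforces it, e.g. `# role membership is set in the "<task name>" task`.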