diff --git a/defaults/main.yml b/defaults/main.yml
index 0d29ff9..7646b9a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -55,6 +55,14 @@ postgres_user: postgres
 postgres_password: postgres
 postgres_db: postgres
+# @var postgres_app_user:description: >
+# Application user name without superuser privileges. Full access to `postgres_db`
+# will be granted to this user.
+# @end
+# @var postgres_app_user:value: $ "_unset_"
+# @var postgres_app_password:description: Application user password.
+# @var postgres_app_password:value: $ "_unset_"
+
 postgres_host_auth_method: scram-sha-256
 postgres_initdb_args:
 - --auth-host=scram-sha-256
diff --git a/templates/etc/containers/systemd/postgres.env.j2 b/templates/etc/containers/systemd/postgres.env.j2
index 75d14f7..d402d88 100644
--- a/templates/etc/containers/systemd/postgres.env.j2
+++ b/templates/etc/containers/systemd/postgres.env.j2
@@ -2,6 +2,10 @@
 {{ ansible_managed | comment }}
 POSTGRES_USER={{ postgres_user }}
 POSTGRES_PASSWORD={{ postgres_password }}
+{% if postgres_app_user is defined and postgres_app_password is defined %}
+POSTGRES_APP_USER={{ postgres_app_user }}
+POSTGRES_APP_PASSWORD={{ postgres_app_password }}
+{% enfif %}
 POSTGRES_DB={{ postgres_db }}
 {% if postgres_host_auth_method is defined %}
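Review bot: The `postgres_app_password` description in defaults/main.yml says only "Application user password." and does not tell the reader that the two variables take effect only as a pair. The template changed in this same commit emits them only when both are defined, so setting one alone is silently ignored. I would extend the comment, e.g. `# @var postgres_app_password:description: Application user password. Must be set together with postgres_app_user; supply it from Ansible Vault.` The value is rendered in clear text into postgres.env, which is why the documentation should say where it is expected to come from.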
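Review bot: `{% enfif %}` on the last added line of postgres.env.j2 is not a Jinja tag, so the template will fail to compile whether or not the app-user variables are set; it should read `{% endif %}`. The guard also drops both lines without any signal when only one of `postgres_app_user` / `postgres_app_password` is defined, so a half-configured play passes quietly; an assert in the role's tasks (outside this hunk) would surface that. The password is rendered unquoted, like the existing `POSTGRES_PASSWORD` line, so a value containing whitespace, `#` or a newline may be read differently by the env-file consumer or add an extra variable line. The mode of the rendered file is set outside this diff and is worth confirming as owner-only, and the template itself continues past the end of the hunk.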