diff --git a/defaults/main.yaml b/defaults/main.yaml
index 28b43de..21f544e 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -3,3 +3,7 @@
 # zot
 # renovate: datasource=github-releases depName=project-zot/zot versioning=pep440
 zot_version: "2.1.16"
+
+# dockerhub credentials (optional, avoids rate limits)
+# zot_dockerhub_username: ""
+# zot_dockerhub_password: ""
diff --git a/tasks/config.yaml b/tasks/config.yaml
index 5dd4a7d..8de3086 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@@ -11,7 +11,7 @@
         dest: "/etc/zot/config.json"
         owner: "root"
         group: "root"
-        mode: "0644"
+        mode: "0600"
       notify: "restart zot"
 
     # create systemd service
diff --git a/templates/zot/config.json.j2 b/templates/zot/config.json.j2
index a14b586..acedecc 100644
--- a/templates/zot/config.json.j2
+++ b/templates/zot/config.json.j2
@@ -44,6 +44,12 @@
       "registries": [
         {
           "urls": ["https://registry-1.docker.io"],
+{% if zot_dockerhub_username is defined and zot_dockerhub_password is defined %}
+          "credentials": {
+            "username": "{{ zot_dockerhub_username }}",
+            "password": "{{ zot_dockerhub_password }}"
+          },
+{% endif %}
           "onDemand": true,
           "tlsVerify": true,
           "maxRetries": 3,