diff --git a/argocd/manifests/databases-ringtail/immich-pg.yaml b/argocd/manifests/databases-ringtail/immich-pg.yaml
index 4650109..e878e39 100644
--- a/argocd/manifests/databases-ringtail/immich-pg.yaml
+++ b/argocd/manifests/databases-ringtail/immich-pg.yaml
@@ -1,13 +1,13 @@
 # PostgreSQL Cluster for Immich on ringtail k3s.
 #
-# Mirror of argocd/manifests/databases/immich-pg.yaml (minikube), with
-# ringtail-specific tweaks (storageClass: local-path). The bootstrap
-# section may be rewritten when [[immich-pg-data-migration]] picks an
-# import method — both pg_dump/restore and CNPG externalCluster
-# basebackup require touching this block.
+# Initial bring-up is via CNPG pg_basebackup against the minikube
+# immich-pg cluster (reachable on the tailnet at
+# immich-pg.tail8d86e.ts.net). Once the basebackup completes and
+# the replica catches up, set replica.enabled=false to promote.
 #
-# Uses VectorChord (successor to pgvecto.rs) for AI-powered vector
-# search. See: https://github.com/immich-app/immich/discussions/9060
+# After promotion, the externalClusters and bootstrap blocks can be
+# left in place (CNPG ignores them once initialized) or pruned in a
+# follow-up commit. See [[immich-pg-data-migration]] for procedure.
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@@ -15,27 +15,40 @@ metadata:
   namespace: databases
 spec:
   instances: 1
-  # VectorChord image for PostgreSQL 17 with VectorChord 0.5.0
   imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0
 
   storage:
     size: 10Gi
     storageClass: local-path
 
-  # Bootstrap creates initial database and owner.
-  # Empty initdb today; replaced by the chosen data-migration method
-  # in immich-pg-data-migration.
-  bootstrap:
-    initdb:
-      database: immich
-      owner: immich
-      postInitSQL:
-        - CREATE EXTENSION IF NOT EXISTS vector;
-        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
-        - CREATE EXTENSION IF NOT EXISTS cube CASCADE;
-        - CREATE EXTENSION IF NOT EXISTS earthdistance CASCADE;
+  # Streaming replica of the minikube source until promoted.
+  replica:
+    enabled: true
+    source: source-immich-pg
 
-  # Managed roles
+  # Bootstrap from the source via pg_basebackup.
+  bootstrap:
+    pg_basebackup:
+      source: source-immich-pg
+
+  externalClusters:
+    - name: source-immich-pg
+      connectionParameters:
+        host: immich-pg.tail8d86e.ts.net
+        user: streaming_replica
+        sslmode: verify-ca
+        dbname: postgres
+      sslCert:
+        name: source-immich-pg-replication
+        key: tls.crt
+      sslKey:
+        name: source-immich-pg-replication
+        key: tls.key
+      sslRootCert:
+        name: source-immich-pg-ca
+        key: ca.crt
+
+  # Managed roles (applied after promotion)
   managed:
     roles:
       - name: borgmatic