Remove superuser from teslamate PG role, transfer extension ownership

teslamate had superuser on the shared blumeops-pg cluster (which also
hosts miniflux and authentik). Downgraded to plain database owner with
extension ownership (cube, earthdistance) transferred manually so it
can still ALTER EXTENSION UPDATE. earthdistance is untrusted in PG so
DROP+CREATE would need temporary superuser escalation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Erich Blume 2026-04-07 15:36:39 -07:00
commit efae404d1e
3 changed files with 19 additions and 6 deletions

@ -45,14 +45,15 @@ spec:
passwordSecret:
name: blumeops-pg-borgmatic
# teslamate user for TeslaMate Tesla data logger
# Note: superuser required for extension management during migrations
# Superuser removed. Extension ownership (cube, earthdistance)
# transferred manually so teslamate can ALTER EXTENSION UPDATE.
# earthdistance is untrusted — DROP+CREATE needs temporary
# superuser escalation during upgrades.
- name: teslamate
login: true
superuser: true
connectionLimit: -1
ensure: present
inherit: true
createdb: true
passwordSecret:
name: blumeops-pg-teslamate
# authentik user for Authentik identity provider (runs on ringtail)
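Review bot: The new comment on the teslamate role says ownership of cube and earthdistance was "transferred manually", but the manifest does not record how, so a cluster rebuilt from this file would come up without that ownership and the role could no longer run ALTER EXTENSION UPDATE. Suggest pointing the comment at a runbook or listing the statements that were run, and stating who grants and revokes the temporary superuser escalation the comment mentions for DROP+CREATE. If `createdb: true` stays on this role, confirm it is still needed for a plain database owner on a cluster shared with other applications.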