Remove superuser from teslamate PG role, transfer extension ownership

teslamate had superuser on the shared blumeops-pg cluster (which also
hosts miniflux and authentik). Downgraded to plain database owner with
extension ownership (cube, earthdistance) transferred manually so it
can still ALTER EXTENSION UPDATE. earthdistance is untrusted in PG so
DROP+CREATE would need temporary superuser escalation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Erich Blume 2026-04-07 15:36:39 -07:00
commit efae404d1e
3 changed files with 19 additions and 6 deletions

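The downgrade the commit message describes, written out as an added psql example. This is not code from the blumeops repository; it assumes the database is also named `teslamate`, that the statements are run as the CNPG `postgres` superuser, and that the two extensions are `cube` and `earthdistance` as the message states.

```sql
-- Added example, not from the repository. Run as the "postgres" superuser
-- on the blumeops-pg cluster. Assumed names: database "teslamate", role "teslamate".
\c teslamate

-- 1. Drop the superuser attribute; keep login, as the app still connects.
ALTER ROLE teslamate NOSUPERUSER;

-- 2. Make the role the plain owner of its database.
ALTER DATABASE teslamate OWNER TO teslamate;

-- 3. Transfer ownership of the extensions TeslaMate depends on, so the role
--    can still manage them without superuser.
ALTER EXTENSION cube          OWNER TO teslamate;
ALTER EXTENSION earthdistance OWNER TO teslamate;

-- Check 1: the role really is no longer a superuser.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
  FROM pg_roles
 WHERE rolname = 'teslamate';

-- Check 2: both extensions are owned by teslamate, with their current versions.
SELECT e.extname, e.extversion, r.rolname AS owner
  FROM pg_extension e
  JOIN pg_roles     r ON r.oid = e.extowner
 WHERE e.extname IN ('cube', 'earthdistance')
 ORDER BY e.extname;

-- Check 3: which of them are "trusted". An untrusted extension (earthdistance)
-- cannot be CREATEd by a non-superuser, which is why DROP+CREATE would need a
-- temporary superuser escalation.
SELECT name, version, installed, superuser, trusted
  FROM pg_available_extension_versions
 WHERE name IN ('cube', 'earthdistance')
 ORDER BY name, version;

-- Check 4: exercise the ownership-based path as the downgraded role.
-- Whether UPDATE succeeds for an untrusted extension as a non-superuser owner
-- depends on the extension's control-file flags, so verify it here rather
-- than assuming it.
SET ROLE teslamate;
ALTER EXTENSION cube UPDATE;
ALTER EXTENSION earthdistance UPDATE;
RESET ROLE;
```

If the last block fails with a permission error for `earthdistance`, the role can still manage `cube` on its own, but any change to `earthdistance` (update or DROP+CREATE) has to be done by `postgres` or under a temporary superuser grant, which is the caveat the commit message already records.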

@ -38,7 +38,7 @@ The `immich-pg` cluster uses a custom image (`cloudnative-vectorchord`) with vec
|------|---------|------|---------|
| postgres | both | superuser | CNPG internal |
| miniflux | blumeops-pg | app owner | Owns miniflux database |
| teslamate | blumeops-pg | superuser | TeslaMate (needs extensions) |
| teslamate | blumeops-pg | db owner | TeslaMate (owns extensions) |
| authentik | blumeops-pg | createdb | [[authentik]] identity provider |
| eblume | blumeops-pg | superuser | Admin access |
| borgmatic | both | pg_read_all_data | [[borgmatic|Backup]] access |
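Review bot: the updated teslamate row says only "owns extensions", which loses the two facts the commit message carries and that the next operator actually needs: which extensions (cube, earthdistance) and that earthdistance is untrusted, so DROP+CREATE of it still requires a temporary superuser escalation. Put that in the notes column so nobody reaches for superuser again out of habit, e.g. `| teslamate | blumeops-pg | db owner | TeslaMate (owns cube, earthdistance; earthdistance is untrusted, DROP+CREATE needs superuser) |`.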