Remove superuser from teslamate PG role, transfer extension ownership

teslamate had superuser on the shared blumeops-pg cluster (which also
hosts miniflux and authentik). Downgraded to plain database owner with
extension ownership (cube, earthdistance) transferred manually so it
can still ALTER EXTENSION UPDATE. earthdistance is untrusted in PG so
DROP+CREATE would need temporary superuser escalation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

argocd/manifests/databases/blumeops-pg.yaml

@@ -45,14 +45,15 @@ spec:
         passwordSecret:
           name: blumeops-pg-borgmatic
       # teslamate user for TeslaMate Tesla data logger
-      # Note: superuser required for extension management during migrations
+      # Superuser removed. Extension ownership (cube, earthdistance)
+      # transferred manually so teslamate can ALTER EXTENSION UPDATE.
+      # earthdistance is untrusted — DROP+CREATE needs temporary
+      # superuser escalation during upgrades.
       - name: teslamate
         login: true
-        superuser: true
         connectionLimit: -1
         ensure: present
         inherit: true
-        createdb: true
         passwordSecret:
           name: blumeops-pg-teslamate
       # authentik user for Authentik identity provider (runs on ringtail)

docs/reference/services/postgresql.md

@@ -38,7 +38,7 @@ The `immich-pg` cluster uses a custom image (`cloudnative-vectorchord`) with vec
 |------|---------|------|---------|
 | postgres | both | superuser | CNPG internal |
 | miniflux | blumeops-pg | app owner | Owns miniflux database |
-| teslamate | blumeops-pg | superuser | TeslaMate (needs extensions) |
+| teslamate | blumeops-pg | db owner | TeslaMate (owns extensions) |
 | authentik | blumeops-pg | createdb | [[authentik]] identity provider |
 | eblume | blumeops-pg | superuser | Admin access |
 | borgmatic | both | pg_read_all_data | [[borgmatic|Backup]] access |

docs/reference/services/teslamate.md

@@ -1,6 +1,6 @@
 ---
 title: TeslaMate
-modified: 2026-03-23
+modified: 2026-04-07
 last-reviewed: 2026-03-23
 tags:
   - service
@@ -39,7 +39,19 @@ Self-hosted Tesla data logger collecting vehicle telemetry from the Tesla API.
 - Drive Stats, Charging Stats, Projected Range
 - Timeline, Updates, Visited
 
-Dashboards use PostgreSQL datasource (not Prometheus).
+Dashboards use PostgreSQL datasource (not Prometheus). The Grafana datasource connects as the `teslamate` database user.
+
+## Database Permissions
+
+The `teslamate` role was initially provisioned as superuser to allow extension creation (`cube`, `earthdistance`) during initial setup. Superuser has been removed — `teslamate` is now a plain database owner with extension ownership transferred so it can `ALTER EXTENSION ... UPDATE` without superuser.
+
+Note: `earthdistance` is not a trusted extension in PostgreSQL, so `CREATE EXTENSION earthdistance` still requires superuser. If a future TeslaMate migration does `DROP EXTENSION ... CASCADE` + re-create (as happened in the 2024 migration), it will fail. In that case, temporarily grant superuser for the migration and remove it afterward.
+
+Extension ownership persists across pod restarts and CNPG failovers, but a full cluster rebuild (major PG upgrade, fresh `initdb`) would re-create extensions as `postgres`. After any rebuild, transfer ownership back:
+
+```sql
+UPDATE pg_extension SET extowner = (SELECT oid FROM pg_roles WHERE rolname = 'teslamate') WHERE extname IN ('cube', 'earthdistance');
+```
 
 ## Authentication