# PostgreSQL Cluster for Immich on ringtail k3s.
#
# Initially bootstrapped via CNPG pg_basebackup from the minikube
# immich-pg cluster on 2026-05-13, then promoted to primary. The
# externalClusters + bootstrap.pg_basebackup blocks have been pruned
# from this manifest now that the migration is complete — leaving
# them around is a footgun (re-enabling replica.enabled=true would
# try to demote this cluster against a stale source). See
# [[immich-pg-data-migration]] for the procedure used.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: immich-pg
  namespace: databases
spec:
  instances: 1
  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:17-0.5.0

  storage:
    size: 10Gi
    storageClass: local-path

  # Managed roles
  managed:
    roles:
      - name: borgmatic
        login: true
        connectionLimit: -1
        ensure: present
        inherit: true
        inRoles:
          - pg_read_all_data
        passwordSecret:
          name: immich-pg-borgmatic

  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "500m"

  postgresql:
    shared_preload_libraries:
      - "vchord.so"
    parameters:
      max_connections: "50"
      shared_buffers: "128MB"
      password_encryption: "scram-sha-256"
    pg_hba:
      - host all all 0.0.0.0/0 scram-sha-256
      - host all all ::/0 scram-sha-256