eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/postgresql.md
Erich Blume efae404d1e Remove superuser from teslamate PG role, transfer extension ownership 
teslamate had superuser on the shared blumeops-pg cluster (which also
hosts miniflux and authentik). Downgraded to plain database owner with
extension ownership (cube, earthdistance) transferred manually so it
can still ALTER EXTENSION UPDATE. earthdistance is untrusted in PG so
DROP+CREATE would need temporary superuser escalation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 15:36:39 -07:00

2.3 KiB
Raw Blame History

title modified last-reviewed tags
PostgreSQL 2026-04-07 2026-04-07
service
database

PostgreSQL

Database clusters via CloudNativePG operator.

Quick Reference

Property Value
URL tcp://pg.ops.eblu.me:5432
Metrics http://cnpg-metrics.tail8d86e.ts.net:9187/metrics
Namespace databases
Clusters blumeops-pg, immich-pg
Operator CloudNativePG

Databases

Database Cluster Owner Purpose
miniflux blumeops-pg miniflux miniflux feed data
teslamate blumeops-pg teslamate teslamate vehicle data
authentik blumeops-pg authentik authentik identity provider
immich immich-pg immich immich photo management

The immich-pg cluster uses a custom image (cloudnative-vectorchord) with vector search extensions (vector, vchord, cube, earthdistance).

Users

User Cluster Role Purpose
postgres both superuser CNPG internal
miniflux blumeops-pg app owner Owns miniflux database
teslamate blumeops-pg db owner TeslaMate (owns extensions)
authentik blumeops-pg createdb authentik identity provider
eblume blumeops-pg superuser Admin access
borgmatic both pg_read_all_data [[borgmatic

Backup

Backed up via borgmatic postgresql_databases hook. Streams pg_dump directly to Borg (no intermediate files, no downtime). See backup for overall backup policy.

Credentials

1Password items:

  • guxu3j7ajhjyey6xxl2ovsl2ui - eblume password
  • mw2bv5we7woicjza7hc6s44yvy - borgmatic password

CNPG-managed secrets (blumeops-pg):

  • blumeops-pg-app - miniflux user
  • blumeops-pg-eblume - eblume superuser
  • blumeops-pg-borgmatic - borgmatic backup user
  • blumeops-pg-teslamate - teslamate user
  • blumeops-pg-authentik - authentik user

CNPG-managed secrets (immich-pg):

  • immich-pg-app - immich user
  • immich-pg-borgmatic - borgmatic backup user

Related