blumeops/docs/zk/postgresql.md

id	aliases	tags
postgresql	postgres pg	blumeops

PostgreSQL Management Log

PostgreSQL database cluster running in Kubernetes (minikube on indri) via CloudNativePG operator, providing storage for miniflux and other services.

Quick Connect

# Connect as superuser (fetches password from 1Password)
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) psql -h pg.tail8d86e.ts.net -U eblume -d miniflux

Service Details

• URL: tcp://pg.tail8d86e.ts.net:5432
• Metrics: http://cnpg-metrics.tail8d86e.ts.net:9187/metrics
• Namespace: databases
• Cluster name: blumeops-pg
• Operator: CloudNativePG
• ArgoCD app: blumeops-pg

Databases

Database	Owner	Purpose
miniflux	miniflux	Miniflux feed reader data

Users

User	Role	Purpose
postgres	superuser	CNPG internal
miniflux	app owner	Owns miniflux database
eblume	superuser	Admin access
borgmatic	pg_read_all_data	Backup access

Useful Commands

# List databases
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) psql -h pg.tail8d86e.ts.net -U eblume -c "\l"

# List users
PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) psql -h pg.tail8d86e.ts.net -U eblume -c "\du"

# View CNPG cluster status
kubectl -n databases get cluster blumeops-pg

# View pod logs
kubectl -n databases logs -f blumeops-pg-1

Backup

PostgreSQL data is backed up via borgmatic from indri using the postgresql_databases hook, which streams pg_dump directly to Borg for consistent backups.

Borgmatic config (~/.config/borgmatic/config.yaml):

postgresql_databases:
    - name: miniflux
      hostname: pg.tail8d86e.ts.net
      port: 5432
      username: borgmatic

Password is read from ~/.pgpass (managed by borgmatic ansible role).

ArgoCD Management

# Sync cluster changes
argocd app sync blumeops-pg

# Force reconcile
kubectl annotate cluster blumeops-pg -n databases cnpg.io/reconcile=$(date +%s) --overwrite

Files:

• Cluster spec: argocd/manifests/databases/blumeops-pg.yaml
• Tailscale service: argocd/manifests/databases/service-tailscale.yaml
• Secrets: secret-eblume.yaml.tpl, secret-borgmatic.yaml.tpl (via op inject)

Credentials

1Password items:

• guxu3j7ajhjyey6xxl2ovsl2ui - eblume superuser password
• mw2bv5we7woicjza7hc6s44yvy - borgmatic user password

CNPG-managed secrets:

• blumeops-pg-app - miniflux user (auto-generated password)
• blumeops-pg-eblume - eblume superuser
• blumeops-pg-borgmatic - borgmatic backup user

Log

Wed Jan 22 2026

• Added CNPG metrics collection via Tailscale service at cnpg-metrics.tail8d86e.ts.net:9187
• Updated PostgreSQL Grafana dashboard to use CNPG metric names (cnpg_* prefix)
• Prometheus on indri now scrapes CNPG metrics directly

Sun Jan 19 2026 (P4)

• Retired brew PostgreSQL - k8s CloudNativePG is now the only PostgreSQL
• Renamed Tailscale hostname from k8s-pg to pg (canonical)
• Removed postgresql ansible role from indri
• Moved .pgpass management to borgmatic role
• Updated borgmatic to backup only pg.tail8d86e.ts.net
• Fixed table ownership issue: P3 restore created tables owned by eblume, transferred to miniflux

Sun Jan 19 2026 (P3)

• Successfully tested disaster recovery: restored miniflux data from borgmatic backup to k8s-pg
• Added borgmatic user to k8s-pg via CloudNativePG managed roles
• Both brew and k8s PostgreSQL backed up by borgmatic during migration
• Added Tailscale ACL: tag:homelab → tag:k8s on port 5432 for backup access

Thu Jan 16 2026

• Initial setup with PostgreSQL 18 (brew)
• Created miniflux database and user
• Exposed via Tailscale at pg.tail8d86e.ts.net