Erich Blume
46f0002178
Final step of the wave-1 indri-k8s migration. paperless, teslamate, mealie run on ringtail with data migrated, verified, and backed up (local + BorgBase offsite via PR #364). - Remove minikube paperless/teslamate/mealie manifest dirs + ArgoCD app defs (prunes the parked Deployments/Services + redundant minikube mealie/paperless PVCs) - Drop paperless/teslamate roles + ExternalSecrets from the minikube blumeops-pg cluster - miniflux + authentik stay on minikube (later waves) Finalization after merge: sync apps + databases to prune, then DROP DATABASE paperless/teslamate on indri's blumeops-pg (fresh safety dump taken first). Reviewed-on: #365
79 lines
2.2 KiB
YAML
79 lines
2.2 KiB
YAML
# PostgreSQL Cluster for blumeops services
|
|
# Managed by CloudNativePG operator
|
|
apiVersion: postgresql.cnpg.io/v1
|
|
kind: Cluster
|
|
metadata:
|
|
name: blumeops-pg
|
|
namespace: databases
|
|
spec:
|
|
instances: 1
|
|
imageName: ghcr.io/cloudnative-pg/postgresql:18.3
|
|
|
|
storage:
|
|
size: 10Gi
|
|
storageClass: standard
|
|
|
|
# Bootstrap creates initial database and owner
|
|
bootstrap:
|
|
initdb:
|
|
database: miniflux
|
|
owner: miniflux
|
|
|
|
# Managed roles - additional users beyond the bootstrap owner
|
|
# Note: connectionLimit, ensure, inherit are CNPG defaults added to prevent ArgoCD drift
|
|
managed:
|
|
roles:
|
|
# eblume superuser for admin access (matches current brew pg setup)
|
|
- name: eblume
|
|
login: true
|
|
superuser: true
|
|
createdb: true
|
|
createrole: true
|
|
connectionLimit: -1
|
|
ensure: present
|
|
inherit: true
|
|
passwordSecret:
|
|
name: blumeops-pg-eblume
|
|
# borgmatic read-only user for backups
|
|
- name: borgmatic
|
|
login: true
|
|
connectionLimit: -1
|
|
ensure: present
|
|
inherit: true
|
|
inRoles:
|
|
- pg_read_all_data
|
|
passwordSecret:
|
|
name: blumeops-pg-borgmatic
|
|
# teslamate + paperless roles removed: migrated to ringtail blumeops-pg
|
|
# (wave-1 decommission). Their databases were dropped from this cluster
|
|
# after the cutover was verified and backed up.
|
|
# authentik user for Authentik identity provider (runs on ringtail)
|
|
- name: authentik
|
|
login: true
|
|
connectionLimit: -1
|
|
ensure: present
|
|
inherit: true
|
|
createdb: true
|
|
passwordSecret:
|
|
name: blumeops-pg-authentik
|
|
|
|
# Resource limits for minikube environment
|
|
resources:
|
|
requests:
|
|
memory: "256Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1Gi"
|
|
cpu: "500m"
|
|
|
|
# PostgreSQL configuration
|
|
postgresql:
|
|
parameters:
|
|
max_connections: "50"
|
|
shared_buffers: "128MB"
|
|
password_encryption: "scram-sha-256"
|
|
pg_hba:
|
|
# Allow all users to connect from any IP with password auth
|
|
# Network security is handled by Tailscale
|
|
- host all all 0.0.0.0/0 scram-sha-256
|
|
- host all all ::/0 scram-sha-256
|