teslamate had superuser on the shared blumeops-pg cluster (which also hosts miniflux and authentik). Downgraded to plain database owner with extension ownership (cube, earthdistance) transferred manually so it can still ALTER EXTENSION UPDATE. earthdistance is untrusted in PG so DROP+CREATE would need temporary superuser escalation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# PostgreSQL Cluster for blumeops services
# Managed by CloudNativePG operator
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: blumeops-pg
namespace: databases
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:18.3
storage:
size: 10Gi
storageClass: standard
# Bootstrap creates initial database and owner
bootstrap:
initdb:
database: miniflux
owner: miniflux
# Managed roles - additional users beyond the bootstrap owner
# Note: connectionLimit, ensure, inherit are CNPG defaults added to prevent ArgoCD drift
managed:
roles:
# eblume superuser for admin access (matches current brew pg setup)
- name: eblume
login: true
superuser: true
createdb: true
createrole: true
connectionLimit: -1
ensure: present
inherit: true
passwordSecret:
name: blumeops-pg-eblume
# borgmatic read-only user for backups
- name: borgmatic
login: true
connectionLimit: -1
ensure: present
inherit: true
inRoles:
- pg_read_all_data
passwordSecret:
name: blumeops-pg-borgmatic
# teslamate user for TeslaMate Tesla data logger
# Superuser removed. Extension ownership (cube, earthdistance)
# transferred manually so teslamate can ALTER EXTENSION UPDATE.
# earthdistance is untrusted — DROP+CREATE needs temporary
# superuser escalation during upgrades.
- name: teslamate
login: true
connectionLimit: -1
ensure: present
inherit: true
passwordSecret:
name: blumeops-pg-teslamate
# authentik user for Authentik identity provider (runs on ringtail)
- name: authentik
login: true
connectionLimit: -1
ensure: present
inherit: true
createdb: true
passwordSecret:
name: blumeops-pg-authentik
# Resource limits for minikube environment
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "500m"
# PostgreSQL configuration
postgresql:
parameters:
max_connections: "50"
shared_buffers: "128MB"
password_encryption: "scram-sha-256"
pg_hba:
# Allow all users to connect from any IP with password auth
# Network security is handled by Tailscale
- host all all 0.0.0.0/0 scram-sha-256
- host all all ::/0 scram-sha-256
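Review bot: The teslamate role now depends on a manual, out-of-band step — the ownership transfer of the cube and earthdistance extensions — that this manifest cannot reproduce, so a cluster rebuilt from `bootstrap.initdb` (rather than restored from backup) will come up with teslamate unable to `ALTER EXTENSION UPDATE`, and the comment above the role records neither where that procedure lives nor that it must be repeated. I would extend the comment with a pointer, e.g. `# One-time ownership transfer is documented in <RUNBOOK_PATH>; must be re-applied after any re-bootstrap.`, and, if the operator version deployed here supports declarative extension management through the CNPG `Database` resource, move cube/earthdistance there so the desired state is declared instead of hand-applied and ArgoCD can detect drift. As a smaller point in the same stanza, `authentik` still carries `createdb: true` while the other application roles do not; if Authentik only needs its own already-created database, dropping that attribute would bring it in line with the least-privilege direction this commit takes for teslamate.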