Erich Blume
eb952aae01
## Summary - Fixed borgmatic `borg: command not found` by adding `local_path` config option - Successfully tested disaster recovery: restored miniflux data from borgmatic backup to k8s-pg - Added borgmatic user to k8s-pg via CloudNativePG managed roles - Configured borgmatic to backup both localhost and k8s-pg PostgreSQL databases - Added Tailscale ACL grant for `tag:homelab` → `tag:k8s` on port 5432 - Disabled selfHeal on apps app to allow manual revision changes during development ## Changes - `ansible/roles/borgmatic/` - Added `local_path` and k8s-pg database entry - `ansible/roles/postgresql/tasks/main.yml` - Added k8s-pg to `.pgpass` - `argocd/apps/apps.yaml` - Disabled selfHeal - `argocd/manifests/databases/blumeops-pg.yaml` - Added borgmatic managed role - `argocd/manifests/databases/secret-borgmatic.yaml.tpl` - New secret template - `pulumi/policy.hujson` - Added ACL grant for backup access ## Deployment and Testing - [x] Borgmatic backup runs successfully - [x] Miniflux data restored to k8s-pg (2 users, 2 feeds, 44 entries verified) - [x] borgmatic user created in k8s-pg with pg_read_all_data role - [x] Both localhost and k8s-pg databases in backup archive - [x] zk documentation updated (borgmatic.md, postgresql.md) - [ ] After merge: set blumeops-pg app back to main revision 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/32
60 lines
1.4 KiB
YAML
60 lines
1.4 KiB
YAML
# PostgreSQL Cluster for blumeops services
|
|
# Managed by CloudNativePG operator
|
|
apiVersion: postgresql.cnpg.io/v1
|
|
kind: Cluster
|
|
metadata:
|
|
name: blumeops-pg
|
|
namespace: databases
|
|
spec:
|
|
instances: 1
|
|
|
|
storage:
|
|
size: 10Gi
|
|
storageClass: standard
|
|
|
|
# Bootstrap creates initial database and owner
|
|
bootstrap:
|
|
initdb:
|
|
database: miniflux
|
|
owner: miniflux
|
|
|
|
# Managed roles - additional users beyond the bootstrap owner
|
|
managed:
|
|
roles:
|
|
# eblume superuser for admin access (matches current brew pg setup)
|
|
- name: eblume
|
|
login: true
|
|
superuser: true
|
|
createdb: true
|
|
createrole: true
|
|
passwordSecret:
|
|
name: blumeops-pg-eblume
|
|
# borgmatic read-only user for backups
|
|
- name: borgmatic
|
|
login: true
|
|
superuser: false
|
|
inRoles:
|
|
- pg_read_all_data
|
|
passwordSecret:
|
|
name: blumeops-pg-borgmatic
|
|
|
|
# Resource limits for minikube environment
|
|
resources:
|
|
requests:
|
|
memory: "256Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "1Gi"
|
|
cpu: "500m"
|
|
|
|
# PostgreSQL configuration
|
|
postgresql:
|
|
parameters:
|
|
max_connections: "50"
|
|
shared_buffers: "128MB"
|
|
password_encryption: "scram-sha-256"
|
|
pg_hba:
|
|
# Allow all users to connect from any IP with password auth
|
|
# Network security is handled by Tailscale
|
|
- host all all 0.0.0.0/0 scram-sha-256
|
|
- host all all ::/0 scram-sha-256
|