blumeops/argocd/manifests/databases/blumeops-pg.yaml

# PostgreSQL Cluster for blumeops services
# Managed by CloudNativePG operator
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: blumeops-pg
  namespace: databases
spec:
  instances: 1
  imageName: ghcr.io/cloudnative-pg/postgresql:18.3

  storage:
    size: 10Gi
    storageClass: standard

  # Bootstrap creates initial database and owner
  bootstrap:
    initdb:
      database: miniflux
      owner: miniflux

  # Managed roles - additional users beyond the bootstrap owner
  # Note: connectionLimit, ensure, inherit are CNPG defaults added to prevent ArgoCD drift
  managed:
    roles:
      # eblume superuser for admin access (matches current brew pg setup)
      - name: eblume
        login: true
        superuser: true
        createdb: true
        createrole: true
        connectionLimit: -1
        ensure: present
        inherit: true
        passwordSecret:
          name: blumeops-pg-eblume
      # borgmatic read-only user for backups
      - name: borgmatic
        login: true
        connectionLimit: -1
        ensure: present
        inherit: true
        inRoles:
          - pg_read_all_data
        passwordSecret:
          name: blumeops-pg-borgmatic
      # teslamate user for TeslaMate Tesla data logger
      # Superuser removed. Extension ownership (cube, earthdistance)
      # transferred manually so teslamate can ALTER EXTENSION UPDATE.
      # earthdistance is untrusted — DROP+CREATE needs temporary
      # superuser escalation during upgrades.
      - name: teslamate
        login: true
        connectionLimit: -1
        ensure: present
        inherit: true
        passwordSecret:
          name: blumeops-pg-teslamate
      # authentik user for Authentik identity provider (runs on ringtail)
      - name: authentik
        login: true
        connectionLimit: -1
        ensure: present
        inherit: true
        createdb: true
        passwordSecret:
          name: blumeops-pg-authentik
      # paperless user for Paperless-ngx document management
      - name: paperless
        login: true
        connectionLimit: -1
        ensure: present
        inherit: true
        passwordSecret:
          name: blumeops-pg-paperless

  # Resource limits for minikube environment
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "500m"

  # PostgreSQL configuration
  postgresql:
    parameters:
      max_connections: "50"
      shared_buffers: "128MB"
      password_encryption: "scram-sha-256"
    pg_hba:
      # Allow all users to connect from any IP with password auth
      # Network security is handled by Tailscale
      - host all all 0.0.0.0/0 scram-sha-256
      - host all all ::/0 scram-sha-256