From 425f9ee792bb740da1758c89b6286aaf1bb78436 Mon Sep 17 00:00:00 2001
From: William P
Date: Tue, 17 Mar 2026 20:08:03 -0400
Subject: [PATCH] black-start cnpg replication config
---
 kubernetes/manifests/cnpg.nix | 108 ++++++++++++++++++
 kubernetes/manifests/default.nix | 1 +
 .../cloudnativepg/weyma-pgsql-replication.nix | 18 +++
 kubernetes/secrets/default.nix | 1 +
 security/sops.nix | 2 +
 security/sops_nix.yaml | 5 +-
 6 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/manifests/cnpg.nix
 create mode 100644 kubernetes/secrets/cloudnativepg/weyma-pgsql-replication.nix
diff --git a/kubernetes/manifests/cnpg.nix b/kubernetes/manifests/cnpg.nix
new file mode 100644
index 0000000..ddff45d
--- /dev/null
+++ b/kubernetes/manifests/cnpg.nix
@@ -0,0 +1,108 @@
+{
+ services.k3s.manifests = {
+ "objectstore.yaml".content = {
+ apiVersion = "barmancloud.cnpg.io/v1";
+ kind = "ObjectStore";
+ metadata.name = "truenas-s3";
+ metadata.namespace = "cloudnativepg";
+ spec = {
+ configuration = {
+ destinationPath = "s3://weyma-talos-shared-pgsql-new/";
+ endpointURL = "http://10.105.15.20:9000";
+ s3Credentials = {
+ accessKeyId = {
+ key = "s3AccessKey";
+ name = "s3-backup-creds";
+ };
+ secretAccessKey = {
+ key = "s3SecretKey";
+ name = "s3-backup-creds";
+ };
+ };
+ };
+ };
+ };
+ "pg-cluster.yaml".content = {
+ apiVersion = "postgresql.cnpg.io/v1";
+ kind = "Cluster";
+ metadata.name = "weyma-bs-pgsql";
+ metadata.namespace = "cloudnativepg";
+ spec = {
+ instances = 1;
+ imageName = "ghcr.io/cloudnative-pg/postgresql:16.9-5-bullseye";
+ storage = {
+ size = "50Gi";
+ storageClass = "local-path";
+ };
+ plugins = [
+ {
+ name = "barman-cloud.cloudnative-pg.io";
+ parameters.barmanObjectName = "truenas-s3";
+ }
+ ];
+ bootstrap.recovery.source = "weyma-pgsql";
+ externalClusters = [
+ {
+ name = "weyma-bs-pgsql";
+ plugin = {
+ name = "barman-cloud.cloudnative-pg.io";
+ parameters = {
+ barmanObjectName = "truenas-s3";
+ serverName = "weyma-bs-pgsql";
+ };
+ };
+ }
+ {
+ name = "weyma-pgsql";
+ connectionParameters = {
+ host = "10.105.10.24";
+ user = "streaming_replica";
+ dbname = "postgres";
+ sslmode = "require";
+ };
+ plugin = {
+ name = "barman-cloud.cloudnative-pg.io";
+ parameters = {
+ barmanObjectName = "truenas-s3";
+ serverName = "weyma-pgsql";
+ };
+ };
+ sslKey = {
+ name = "weyma-pgsql-replication";
+ key = "tls.key";
+ };
+ sslCert = {
+ name = "weyma-pgsql-replication";
+ key = "tls.crt";
+ };
+ sslRootCert = {
+ name = "weyma-pgsql-ca";
+ key = "ca.crt";
+ };
+ }
+ ];
+ replica = {
+ primary = "weyma-pgsql";
+ source = "weyma-pgsql";
+ };
+ managed.services.additional = [
+ {
+ selectorType = "rw";
+ serviceTemplate = {
+ metadata.name = "weyma-bs-pgsql-ext";
+ spec.type = "LoadBalancer";
+ };
+ }
+ ];
+ };
+ };
+ "weyma-pgsql-ca.yaml".content = {
+ apiVersion = "v1";
+ kind = "Secret";
+ metadata.name = "weyma-pgsql-ca";
+ metadata.namespace = "cloudnativepg";
+ # this is fine to be in plaintext since it's just a cert and contains no key
+ data."ca.crt" = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJtekNDQVVLZ0F3SUJBZ0lRUjMzT3F3OTJKbDlmeXFzMkZyREd0akFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQzR4RmpBVUJnTlZCQXNURFdOc2IzVmtibUYwCmFYWmxjR2N4RkRBU0JnTlZCQU1UQzNkbGVXMWhMWEJuYzNGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUU5c1R4R0tLNWdRVnhmZzNkZWtlbHpFSGlMbG5GaHBZa1hTMzJSYlphV0llZ3ZWWk11cC9TRmU4YQoyai92TWdETldpZVJWcHBTVElBeml0YUxQYXdvSktOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1BOEdBMVVkCkV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRysxclg2aUgwaG50bE0yaEpXdnpGaW9peTZGTUFvR0NDcUcKU000OUJBTUNBMGNBTUVRQ0lBeXhPS3VGVFhhQUJwaGhJZDI0VXZkU0FLTytPanpIZStvbVJYeDdqbTJOQWlCbAo1TVc0MDZzU3haTDgydTFtL2J3V0JXQWZPTWhLNXVlYmIyemR3QzE0Vmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==";
+ };
+ };
+}
\ No newline at end of file
diff --git a/kubernetes/manifests/default.nix b/kubernetes/manifests/default.nix
index 8928c1a..24136fa 100644
--- a/kubernetes/manifests/default.nix
+++ b/kubernetes/manifests/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./test.nix
+ ./cnpg.nix
 ];
 }
\ No newline at end of file
diff --git a/kubernetes/secrets/cloudnativepg/weyma-pgsql-replication.nix b/kubernetes/secrets/cloudnativepg/weyma-pgsql-replication.nix
new file mode 100644
index 0000000..1d247f0
--- /dev/null
+++ b/kubernetes/secrets/cloudnativepg/weyma-pgsql-replication.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+{
+ sops.templates."weyma-pgsql-replication.yaml" = {
+ mode = "0444";
+ content = ''
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: weyma-pgsql-replication
+ namespace: cloudnativepg
+ type: Opaque
+ data:
+ tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJuVENDQVVTZ0F3SUJBZ0lRVEcvaEhOSG5IeGxQVzdtTGI5akIxekFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQnd4R2pBWUJnTlZCQU1NRVhOMGNtVmhiV2x1CloxOXlaWEJzYVdOaE1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWVRQzVjb2pzUDMwUTZGcnMKS1draTBjRHpDSkk1eVNoS25PaURRR24yQ1FtNEhmaWRGd3V6cFBOdWlaUHk4TjFmNFRzRlJwNy8ybDhSeUd0OQovWjhUMWFOV01GUXdEZ1lEVlIwUEFRSC9CQVFEQWdPSU1CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUNNQXdHCkExVWRFd0VCL3dRQ01BQXdId1lEVlIwakJCZ3dGb0FVYjdXdGZxSWZTR2UyVXphRWxhL01XS2lMTG9Vd0NnWUkKS29aSXpqMEVBd0lEUndBd1JBSWdWeG5OeEVBM3lGYVdRZk1JTDAxKzB2RXBiZVBGcElNdkkxVkNTT3Z2QzhvQwpJR3k4MVVwYmFucVVRdUd6alJjZmxYWDdrSjRqcUlhUWFWUUE0SmRNNzFpQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+ tls.key: ${config.sops.placeholder.weyma_pgsql_replication_tls_key}
+ '';
+ path = "/var/lib/rancher/k3s/server/manifests/secrets/weyma-pgsql-replication.yaml";
+ };
+}
\ No newline at end of file
diff --git a/kubernetes/secrets/default.nix b/kubernetes/secrets/default.nix
index fcb196e..44eb527 100644
--- a/kubernetes/secrets/default.nix
+++ b/kubernetes/secrets/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./cloudnativepg/s3-backup-creds.nix
+ ./cloudnativepg/weyma-pgsql-replication.nix
 ];
 }
\ No newline at end of file
diff --git a/security/sops.nix b/security/sops.nix
index c20dcb7..271273b 100644
--- a/security/sops.nix
+++ b/security/sops.nix
@@ -19,6 +19,8 @@
 neededForUsers = true;
 };
 cnpg_s3_backup_key = {};
+
+ weyma_pgsql_replication_tls_key = {};
 };
 };
 }
\ No newline at end of file
diff --git a/security/sops_nix.yaml b/security/sops_nix.yaml
index 52ee88e..aa7ab95 100644
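Review bot: `mode = "0444"` makes the rendered manifest world-readable on the node, and that file carries the replication client's private key through `config.sops.placeholder.weyma_pgsql_replication_tls_key`, so any local user or process on the host (unless a parent directory is more restrictive) can read the key that authenticates as `streaming_replica` to the primary. The k3s server presumably reads its auto-deploy manifests as root, so the sops-nix default of `mode = "0400";` is sufficient; restoring it, or simply dropping the `mode` line, removes the exposure. Separately, the template writes the key under `data:` rather than `stringData:`, which means the decrypted sops value must already be base64-encoded PEM — if the secret holds raw PEM, move `tls.key` under `stringData:` or the Secret will fail to decode at apply time.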
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
@@ -1,6 +1,7 @@
 pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7czAM9X+tB3aQDvOd1OcTWjNrow=,tag:YBsZG+RKlebJlKPToD+cSQ==,type:str]
 pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
 cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
+weyma_pgsql_replication_tls_key: ENC[AES256_GCM,data:WHCH9DJMa5/L9BCNAyfYUmgptCLu+NVtEIDjjPeb7adDUfz/fDwAUB7TOXBf19AyXaCD4NTw4IVm6UVp9/8azpAVyQ5uR5R0X3eVYAEdIHUQdOPVQsCmIQTAMwih2G41QedM3Q+gA/JRIqxX+DwtH44Celb069VmiGmlzwLbvPt9d9ZREs3KKr7p/GvVoa2atMk74/qLAKSmkAP9yZJ3q5azmmQ5/skECWmvRJ4prr/uUpIzzMIIQ6kyaafE3sKf8s/+rlsb+zT+6T527OX54xmp0QCDPQuqhEiuFvLXnqxiDwcgZ+QWbFQwj5ubCU++F3GtasCec5/wTSKa26MgNd7DvSwpQH0vdxszOoxStxNAXSouIevwFdKsvAZP60x3jWs+BcFry+cFlVrAMp5NmQ==,iv:JN+9SeyIx4kJfTiuFucLp8cKCEGeWvd3DbNeMsfeVms=,tag:GSkGD1kRmzruG0bWmxa+xA==,type:str]
 sops:
 age:
 - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -12,7 +13,7 @@ sops:
 Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
 F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-17T16:34:22Z"
- mac: ENC[AES256_GCM,data:41TNxYgscdIZbbNxczTXzmPotyT4/ZsxspRihNf9NAj2c4PdQXNPeIMzS9meuH9LD4CTo9ws/pP7SBpPKnx4PzqdDekPvhdj9qIKdLjpKkJd+N0WfFXEgGEj7nAyc0lR2z6oSPuMB15xk8hIKT1prL9lDjjYRH3aKlhjaqP53LQ=,iv:RZpDhBWkbLL/pgwIuoPYUZd1Pmu0n7zt165DO7+uMHM=,tag:DQhFTgaFCgCV62QLCjozUg==,type:str]
+ lastmodified: "2026-03-17T23:33:54Z"
+ mac: ENC[AES256_GCM,data:Sl/Ah1zqTOAXKZhY7YX5Q842UoeYmBUmEFOxPF84NsxkPBLXX4VhvkHv03zptmvFVYnmUUKwzjjcJAzSb8izvNC4pjShhvmYPOZ04cbPP1lCZ21Z5A7PoKUqifDiFgwESZLUj6wyuvJX/euNLAjwr0XED2dILAbXw3h2A8smPu8=,iv:sDuGfuq+kHB6z9HyUZvjBJuIcztd3YlGkDPL0jaa7A8=,tag:oCCO5ge0Dur83IeOamG+vA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0