{
  services.k3s.manifests = {
    "objectstore.yaml".content = {
      apiVersion = "barmancloud.cnpg.io/v1";
      kind = "ObjectStore";
      metadata.name = "truenas-s3";
      metadata.namespace = "cloudnativepg";
      spec = {
        configuration = {
          destinationPath = "s3://weyma-talos-shared-pgsql-new/";
          endpointURL = "http://10.105.15.20:9000";
          s3Credentials = {
            accessKeyId = {
              key = "s3AccessKey";
              name = "s3-backup-creds";
            };
            secretAccessKey = {
              key = "s3SecretKey";
              name = "s3-backup-creds";
            };
          };
        };
      };
    };
    "pg-cluster.yaml".content = {
      apiVersion = "postgresql.cnpg.io/v1";
      kind = "Cluster";
      metadata.name = "weyma-bs-pgsql";
      metadata.namespace = "cloudnativepg";
      spec = {
        instances = 1;
        imageName = "ghcr.io/cloudnative-pg/postgresql:16.9-5-bullseye";
        storage = {
          size = "50Gi";
          storageClass = "local-path";
        };
        plugins = [
          {
            name = "barman-cloud.cloudnative-pg.io";
            parameters.barmanObjectName = "truenas-s3";
          }
        ];
        bootstrap.recovery.source = "weyma-pgsql";
        externalClusters = [
          {
            name = "weyma-bs-pgsql";
            plugin = {
              name = "barman-cloud.cloudnative-pg.io";
              parameters = {
                barmanObjectName = "truenas-s3";
                serverName = "weyma-bs-pgsql";
              };
            };
          }
          {
            name = "weyma-pgsql";
            connectionParameters = {
              host = "10.105.10.24";
              user = "streaming_replica";
              dbname = "postgres";
              sslmode = "require";
            };
            plugin = {
              name = "barman-cloud.cloudnative-pg.io";
              parameters = {
                barmanObjectName = "truenas-s3";
                serverName = "weyma-pgsql";
              };
            };
            sslKey = {
              name = "weyma-pgsql-replication";
              key = "tls.key";
            };
            sslCert = {
              name = "weyma-pgsql-replication";
              key = "tls.crt";
            };
            sslRootCert = {
              name = "weyma-pgsql-ca";
              key = "ca.crt";
            };
          }
        ];
        replica = {
          primary = "weyma-pgsql";
          source = "weyma-pgsql";
        };
        managed.services.additional = [
          {
            selectorType = "rw";
            serviceTemplate = {
              metadata.name = "weyma-bs-pgsql-ext";
              spec.type = "LoadBalancer";
            };
          }
        ];
      };
    };
    "weyma-pgsql-ca.yaml".content = {
      apiVersion = "v1";
      kind = "Secret";
      metadata.name = "weyma-pgsql-ca";
      metadata.namespace = "cloudnativepg";
      # this is fine to be in plaintext since it's just a cert and contains no key
      data."ca.crt" = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJtekNDQVVLZ0F3SUJBZ0lRUjMzT3F3OTJKbDlmeXFzMkZyREd0akFLQmdncWhrak9QUVFEQWpBdU1SWXcKRkFZRFZRUUxFdzFqYkc5MVpHNWhkR2wyWlhCbk1SUXdFZ1lEVlFRREV3dDNaWGx0WVMxd1ozTnhiREFlRncweQpOVEV5TWpnd01URTROVEZhRncweU5qQXpNamd3TVRFNE5URmFNQzR4RmpBVUJnTlZCQXNURFdOc2IzVmtibUYwCmFYWmxjR2N4RkRBU0JnTlZCQU1UQzNkbGVXMWhMWEJuYzNGc01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMEQKQVFjRFFnQUU5c1R4R0tLNWdRVnhmZzNkZWtlbHpFSGlMbG5GaHBZa1hTMzJSYlphV0llZ3ZWWk11cC9TRmU4YQoyai92TWdETldpZVJWcHBTVElBeml0YUxQYXdvSktOQ01FQXdEZ1lEVlIwUEFRSC9CQVFEQWdJRU1BOEdBMVVkCkV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRysxclg2aUgwaG50bE0yaEpXdnpGaW9peTZGTUFvR0NDcUcKU000OUJBTUNBMGNBTUVRQ0lBeXhPS3VGVFhhQUJwaGhJZDI0VXZkU0FLTytPanpIZStvbVJYeDdqbTJOQWlCbAo1TVc0MDZzU3haTDgydTFtL2J3V0JXQWZPTWhLNXVlYmIyemR3QzE0Vmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==";
    };
  };
}