diff --git a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
index 8c330c36c..47e42a5e3 100644
--- a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
+++ b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml
@@ -24,7 +24,7 @@ spec:
         maxParallel: 8
       destinationPath: s3://postgresql/
       endpointURL: https://truenas.${SECRET_DOMAIN}:51515
-      serverName: postgres-v6
+      serverName: postgres-v7
       s3Credentials:
         accessKeyId:
           name: postgres-minio
@@ -32,11 +32,11 @@ spec:
         secretAccessKey:
           name: postgres-minio
           key: MINIO_SECRET_KEY
-  # bootstrap:
-  #   recovery:
-  #     source: postgres-v5
+  bootstrap:
+    recovery:
+      source: postgres-v6
   externalClusters:
-    - name: postgres-v5
+    - name: postgres-v6
       barmanObjectStore:
         destinationPath: s3://postgresql/
         endpointURL: https://truenas.${SECRET_DOMAIN}:51515
diff --git a/kubernetes/apps/default/immich/app/secret.sops.yaml b/kubernetes/apps/default/immich/app/secret.sops.yaml
index 54383e4f0..922073aed 100644
--- a/kubernetes/apps/default/immich/app/secret.sops.yaml
+++ b/kubernetes/apps/default/immich/app/secret.sops.yaml
@@ -1,24 +1,24 @@
-#ENC[AES256_GCM,data:d1soEhscg51calGZG3O3g98=,iv:KKyg+/5cCcLOnE8cPWUwXdfevdyysydn4RaE7Lp2s88=,tag:HFmPFCxpHxROdyWeBEWKEw==,type:comment]
-apiVersion: ENC[AES256_GCM,data:swg=,iv:I6UARRE9i+ESfo+JrA74b/u/gJuwSuPtbe6/UdS1vV8=,tag:Q3PkuUUYjPZK5O3c0aDLvA==,type:str]
-kind: ENC[AES256_GCM,data:9DK72SsI,iv:yv+MYka8sAKPP0xEJWTBEjHsSU6/Vydkk9mzIO2w22Q=,tag:zlODnYsnb1nKT+8+U+xN2g==,type:str]
+# yamllint disable
+apiVersion: v1
+kind: Secret
 metadata:
-    name: ENC[AES256_GCM,data:PZNQB+A9RzY1ZQ/5ZA==,iv:UoecrHwp3L7FZgizu5epcCuUISkNih63TyKca6ZRy/o=,tag:jhghpNcVosNHn/MtCV2Lew==,type:str]
-    namespace: ENC[AES256_GCM,data:YNaXviACOw==,iv:mcHybOlaqFsGF4glGkoiKPiEePsTBB3bzvh4Ylt8ux4=,tag:OuYXZks+B0vxSqwKQtE0eA==,type:str]
-type: ENC[AES256_GCM,data:iODDP63q,iv:7Wq/KKSlrZxctSw3RkuFTjqjH+xZmjPpPN3cwofb5uc=,tag:bsxLSZpdwV9tOtfDexKS0w==,type:str]
+    name: immich-secret
+    namespace: default
+type: Opaque
 stringData:
-    #ENC[AES256_GCM,data:Ig15EuEqxQ==,iv:32X4zNK9zd9+zFlZcUAqfeflKkGwR/5PoTkWQMQAkok=,tag:4OhEZ9NUBJCY+FlXJULy2Q==,type:comment]
-    DB_DATABASE_NAME: ENC[AES256_GCM,data:zkxzVpLh,iv:H32uQwOUrDdXHBFPNH6gQfubkvx+V2K8vtZMcMfGy3k=,tag:JRFBG6jhdUFoE5pEoOk85w==,type:str]
-    DB_HOSTNAME: ENC[AES256_GCM,data:/OWs4aGVDwXWYl2KcY2gV+PwRSzwwPA23fRcU7ehjRPZW1A+zQ==,iv:rFxRmzC/R6+AHT6inrY+J7OXT1fcbEMa+Cyl8l1lQTw=,tag:svJHOw2OiyVWfHaZore2nA==,type:str]
-    DB_PASSWORD: ENC[AES256_GCM,data:2wpIXgMS38sdFldSG69pJiq51UE=,iv:o/cjdu3WQ/y76TaOGUlwFL5Roxy+iYkE6Js2mi5AAYc=,tag:C6Bi3pmOrsmwhNUQHGUgwA==,type:str]
-    DB_USERNAME: ENC[AES256_GCM,data:mcH9iYVK,iv:/2k5opxxuVaPGM+pt+uUn9TzyKvMZ5kMwio8dPcl09U=,tag:1hyp9tn2EUy15LTh+xrvPg==,type:str]
-    JWT_SECRET: ENC[AES256_GCM,data:1rQ7gEa2uRnglLflaeID1lMaiWWgPgO9dFLpMGsR0Q==,iv:j3wWDSGG3OOy7ddymUTwcRKLVU4Jo8/9RKwJC7eNgAY=,tag:gvkRIlKvcCg0Mip4Jmx43g==,type:str]
-    TYPESENSE_API_KEY: ENC[AES256_GCM,data:TjW6iYXE3TA7ZMXVnJVyR+EemX4=,iv:zd0YwTFgDZ5zKCkAcmX9tBAGsKnoFgt7Q1p06Qqx7KU=,tag:E7ugCnLvWxEzCKU6hPGfrw==,type:str]
-    #ENC[AES256_GCM,data:xLtMNIP/A/i7Oh2A610=,iv:nqEoC5hQynXJqm96egFHsdrTn7jz2pigdhPeFqyvZVg=,tag:WPMPlJEd5oxoWYX/XQOkrw==,type:comment]
-    INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:XaCak/Rz,iv:M6QasIxYsooDhjaTePbFyLBQKZ/u5z9qCGUlKLfydZk=,tag:iIOpkG3pFqGJWQUQOvu/Bg==,type:str]
-    INIT_POSTGRES_HOST: ENC[AES256_GCM,data:YS6X0m9WuR1b+td+iiAFKDYlv5DIasQYS3zWYxxlPsVDJ4uCsA==,iv:fXLKwK7rf0gYirtgwVmYylM0xv1xgYFSdNcD2NVsbiA=,tag:YYzyBIEAKqUzf6ncbJ/w7A==,type:str]
-    INIT_POSTGRES_USER: ENC[AES256_GCM,data:Zo/4bVnP,iv:Lvpk8xwq+ThQxYhxGi8upImuHzd6tdchiLbsHAIMwig=,tag:rBAhiXOHaYX8T569Gel04w==,type:str]
-    INIT_POSTGRES_PASS: ENC[AES256_GCM,data:JtCQrGW7nSrUdZh9ITnNnMdJ+1o=,iv:hHUKZZhAqPeUGnITlJ335X9qAwP5Kcul+iuyAUT17+w=,tag:8EWDHH0gihtbkHHNN+NuEg==,type:str]
-    INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:Z2ceFbaVgUN1nzYD5AsWJg==,iv:ogi+Z9AF6N+Xr+7a7VzOmOTg64Q1cDt3VxsdLCyIJmQ=,tag:8kEHIIvQfyudIawl/7Q4gw==,type:str]
+    #ENC[AES256_GCM,data:M3l1uxCayw==,iv:Vr0yrJF/xDpqANJSg5VpU0RPxknE3N8HW5NPkZ+Ngko=,tag:5X9qYSGAMJ08DMOdpF/fgg==,type:comment]
+    DB_DATABASE_NAME: ENC[AES256_GCM,data:/1JmFMnq,iv:aycc8Tqv4h95ATSrtTp3uOKkJ7uJ3fF8P9rx99+F+jk=,tag:vgciF1KIzr6lIhbpsL4bwQ==,type:str]
+    DB_HOSTNAME: ENC[AES256_GCM,data:Tx7HFLwCYQjXN79Qu6+vKSIdR1Lxs397mV+Hi0XqlL0/vY5kAg==,iv:xVxuZuEeGdT9Ja7FzfWLFhz/dRxCGAk97893jPEPyzk=,tag:+wOzSIjORLrAKPYD+7vtPQ==,type:str]
+    DB_PASSWORD: ENC[AES256_GCM,data:xGc/+0jUa2FcMKSFyjaxYia1ZnU=,iv:A0i5vPLMXLmqNicsQI6vrlOnR8lEJXOMomABnGMOLAQ=,tag:RXPncaj3YxgdK4UpOp2oCw==,type:str]
+    DB_USERNAME: ENC[AES256_GCM,data:usQAPAXx,iv:/dG1qJr2i1uwarjTn9RcxPt12DbY/gAO+rUdSDqeWNA=,tag:JM3zv0xI+rlX+1ju7kyVxw==,type:str]
+    JWT_SECRET: ENC[AES256_GCM,data:177xddBgbYp4B1xLlfHsGqm1SdW6W7S7Z53ExG3dYw==,iv:LAX2iW9hj/fX7n1g6yWAZOtZNH3xXMSXn9nFoffCkvU=,tag:76Kxh3v7pqazzDJDuVcpNQ==,type:str]
+    TYPESENSE_API_KEY: ENC[AES256_GCM,data:XO+r7yIb3FGzQmJl4826pKYFxlQ=,iv:Ce+Xg5iEdCDYVXxH3+2qZCIfjMtYcjNuVejp5e+vSOE=,tag:Zwvvgt7z+eiq2HTPfMvdKg==,type:str]
+    #ENC[AES256_GCM,data:1+sGdHMiMe3clIg6KVo=,iv:II/LS19frtCXo/niP5/HPaVF6IcYr/FBqddAlKFytA0=,tag:IubpMI5HxdnxZB8mSezASA==,type:comment]
+    POSTGRES_DB: ENC[AES256_GCM,data:NMVSQmNi,iv:/5aMX5er4zqsOVidsnaArmBwRreVPLBE9hn5jNSDkso=,tag:vGJDIQgfCOqUOtYFtlL51w==,type:str]
+    POSTGRES_HOST: ENC[AES256_GCM,data:TpU9sKI32nQJ3pFnas9FjLXNlnAzX73heXQ7EwYVuur5AKQwdw==,iv:/SdWujct0FaDNMpUwk9ImuKDwDKL2oun8I6kPfU+P6s=,tag:LUqHoWf8wMkBM4sKri+5Ew==,type:str]
+    POSTGRES_PASS: ENC[AES256_GCM,data:xnX/vIBKWeIDaUUWnSVI7F3538Q=,iv:K59DXnnGxWbLAQKnzn4EEhY3nLKs6NJQv6qNpF/OwH8=,tag:L5mAlCeNh3J2GlG2udEspA==,type:str]
+    POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:mcsuRKRBTmB/mIlfRY0EGA==,iv:OVLvJemtTQINZ3MzsXUhJ/OJsWAP0iI5/jQDJpzmTug=,tag:MKnEYcpR9Qq7/mks67kQPw==,type:str]
+    POSTGRES_USER: ENC[AES256_GCM,data:G6pSju/U,iv:eVTKbpYCD7hv7y2zYKr6wv6Wsca4QmHwC1MZZmQ8aKA=,tag:17QhReyXRFeL7nULag++Bw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -28,14 +28,14 @@ sops:
         - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Wk5lWkZTL1R6UFBqcHpV
-            UFhwR00vRUFRNnl4dmNMSkdYaFhkUWhYUnhvCmE3Tzh6cHpKTUlpZGEwSCsyM0tC
-            cHdWZDY4Zk9TUU1CeEJnM1dwcXlIbFUKLS0tICtpSXlIUTR6VkxwenV4citDVTZ1
-            US9qN3BQWUQ3YUxhcFJsNldyVkl3WkUKpaiuq3nAaRUpFaf5w/uincPjvoJCZITc
-            /KXU6wpMqzQqNvMTevKCQxxlqLoNO/3HMfCuxwgzykCQOAJZP9Y6eQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NVpnZE1xaXY3VmEwb24z
+            Z2lLQ1d4NzFUdWdUUWphUkVPK0ljRmMvSGpvCkhjT1pyOE94bXkwQkVpL0Ywa0tv
+            VmVhQzA4WEVqK0lxQUVzUTFidXVrL0UKLS0tIEtJSFNqbkVDZm9Mc3ZCbzJiOXov
+            MGN2VjZaRzhTM3JxeWlVelhvQUhlcTgKIQnk7XcpuK9ZWinZf9s/rYFAeFbF2yXX
+            +afSzOZKXq6ENcnTY/Or0A76wXVpYAJ3yaNsfFhXY0QQw/wwE14cMA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-07T18:57:29Z"
-    mac: ENC[AES256_GCM,data:aaErwOuk2NmsmTQN2nbaPRPRWPiDpT0VhWKVH4+SwU/xPv50L2BWj9CDSnJD3FWNUZo0z6rerIfcf9KKoABzcW9MZkUmSf6698SXAoIa8jb5Uacx5+7C/8jGFRpxcYA9oX0lXMK6mBDYjOC4Wt80HCNbtCgPaWRVhbWKt5gRKjs=,iv:mUE6KoAaup5AvpPXDfb1KNPeXUNEv8r0GloA00M5jtI=,tag:KbCHxe9Oo5gaRNDgMji7lA==,type:str]
+    lastmodified: "2023-03-21T20:21:00Z"
+    mac: ENC[AES256_GCM,data:EVvr8WqxjdY+RHvO8F0aqV2qnSyZRLJSDpvwKyvRgj32c9UUFbEQQiSn7Ie6oIRpE6mhl/QRAqvkvChBEVVi3/oyuo2wUH4pqmm6udTOpmAGbABcpQyH0ecxP/ZHgPDNlm8I67qsKTSM8pV7Pmi3MedmgISRXwZ4uFFHM7iX4Bs=,iv:5TOjAc6MlTyLw4YKTcqRySBXcgHHm9sHewLzD9fHDq0=,tag:ZB00nS0d+dQgUw4qRC/vzw==,type:str]
     pgp: []
-    unencrypted_suffix: _unencrypted
+    encrypted_regex: ^(data|stringData)$
     version: 3.7.3
diff --git a/kubernetes/apps/default/immich/app/server/helmrelease.yaml b/kubernetes/apps/default/immich/app/server/helmrelease.yaml
index 87f3e713b..e35313b5d 100644
--- a/kubernetes/apps/default/immich/app/server/helmrelease.yaml
+++ b/kubernetes/apps/default/immich/app/server/helmrelease.yaml
@@ -39,6 +39,26 @@ spec:
               name: &configMap immich-configmap
           - secretRef:
               name: &secret immich-secret
+        env:
+          - name: POSTGRES_HOST
+            value: ${POSTGRES_HOST}
+          - name: POSTGRES_DB
+            value: immich-secret
+          - name: POSTGRES_SUPER_PASS
+            valueFrom:
+              secretKeyRef:
+                name: postgres-superuser
+                key: password
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: immich-secret
+                key: DB_USERNAME
+          - name: POSTGRES_PASS
+            valueFrom:
+              secretKeyRef:
+                name: immich-secret
+                key: DB_PASSWORD
     controller:
       replicas: 2
       strategy: RollingUpdate
@@ -70,4 +90,4 @@ spec:
     resources:
       requests:
         cpu: 100m
-        memory: 250Mi
\ No newline at end of file
+        memory: 250Mi