diff --git a/cluster/apps/databases/kustomization.yaml b/cluster/apps/databases/kustomization.yaml
index 956b40aa5..b28be040c 100644
--- a/cluster/apps/databases/kustomization.yaml
+++ b/cluster/apps/databases/kustomization.yaml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
+ - postgres
 - redis
diff --git a/cluster/apps/databases/postgres/cluster.yaml b/cluster/apps/databases/postgres/cluster.yaml
new file mode 100644
index 000000000..7bc853770
--- /dev/null
+++ b/cluster/apps/databases/postgres/cluster.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgres
+ namespace: default
+ annotations:
+ kyverno.io/ignore: "true"
+spec:
+ instances: 3
+ primaryUpdateStrategy: unsupervised
+ storage:
+ size: 20Gi
+ storageClass: rook-ceph-block
+ superuserSecret:
+ name: postgres-superuser
+ monitoring:
+ enablePodMonitor: true
+ backup:
+ retentionPolicy: 90d
+ barmanObjectStore:
+ wal:
+ compression: bzip2
+ maxParallel: 8
+ destinationPath: s3://postgresql/
+ endpointURL: https://truenas.${SECRET_DOMAIN}:9000
+ serverName: postgres
+ s3Credentials:
+ accessKeyId:
+ name: postgres-minio
+ key: MINIO_ACCESS_KEY
+ secretAccessKey:
+ name: postgres-minio
+ key: MINIO_SECRET_KEY
diff --git a/cluster/apps/databases/postgres/helm-release.yaml b/cluster/apps/databases/postgres/helm-release.yaml
new file mode 100644
index 000000000..8b2d2be1d
--- /dev/null
+++ b/cluster/apps/databases/postgres/helm-release.yaml
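Review bot: The `kyverno.io/ignore: "true"` annotation under metadata.annotations of the Cluster, together with `INHERITED_ANNOTATIONS: kyverno.io/ignore` in helm-release.yaml, is copied by the operator onto every Pod it creates, so all Postgres pods are exempt from Kyverno admission policy wholesale and nothing in the file records why. Add a comment above the annotation naming the policy that blocks CNPG and the intended narrowing, e.g. `# Propagated to operator-created pods via INHERITED_ANNOTATIONS (helm-release.yaml); exempts them from <policy name — TODO fill in>, which rejects the operator's pod spec`. Separately, `endpointURL: https://truenas.${SECRET_DOMAIN}:9000` is an in-house endpoint; if it presents a certificate from a private CA, WAL archiving and backups will fail TLS verification unless the CA is supplied (the barmanObjectStore spec has an `endpointCA` secret reference for this — confirm against the installed operator version), and a comment stating which it is would save the next reader a guess.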
@@ -0,0 +1,40 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: postgres
+ namespace: default
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: cloudnative-pg
+ version: 0.14.3
+ sourceRef:
+ kind: HelmRepository
+ name: cloudnative-pg-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ values:
+ config:
+ data:
+ INHERITED_ANNOTATIONS: kyverno.io/ignore
+ postRenderers:
+ - kustomize:
+ patches:
+ - target:
+ group: apiextensions.k8s.io
+ version: v1
+ kind: CustomResourceDefinition
+ patch: |-
+ $patch: delete
+ apiVersion: apiextensions.k8s.io/v1
+ kind: CustomResourceDefinition
+ metadata:
+ name: not-used
diff --git a/cluster/apps/databases/postgres/kustomization.yaml b/cluster/apps/databases/postgres/kustomization.yaml
new file mode 100644
index 000000000..6f1fe43aa
--- /dev/null
+++ b/cluster/apps/databases/postgres/kustomization.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secret.sops.yaml
+ - helm-release.yaml
+ - cluster.yaml
+ - scheduled-backup.yaml
+configMapGenerator:
+ - name: cloudnative-pg-dashboard
+ files:
+ - cloudnative-pg-dashboard.json=https://raw.githubusercontent.com/cloudnative-pg/charts/main/charts/cnpg-sandbox/dashboard.json
+generatorOptions:
+ disableNameSuffixHash: true
+ annotations:
+ kustomize.toolkit.fluxcd.io/substitute: disabled
+ labels:
+ grafana_dashboard: "true"
diff --git a/cluster/apps/databases/postgres/scheduled-backup.yaml b/cluster/apps/databases/postgres/scheduled-backup.yaml
new file mode 100644
index 000000000..a7a03ba28
--- /dev/null
+++ b/cluster/apps/databases/postgres/scheduled-backup.yaml
@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: postgres
+ namespace: default
+spec:
+ schedule: "@daily"
+ immediate: true
+ backupOwnerReference: self
+ cluster:
+ name: postgres
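Review bot: `version: 0.14.3` under spec.chart.spec does not match the CRD source in cluster/crds/cloudnative-pg/crds.yaml, which pins the same chart repository at `tag: cloudnative-pg-v0.14.0`; because the postRenderers patch deletes every CustomResourceDefinition from this release, the operator at 0.14.3 runs against CRD schemas from the older tag, and any field introduced between the two would be pruned by the API server rather than reach the operator. Pin both to the same tag, or put a comment next to each explaining the intended skew. The `$patch: delete` entry with `name: not-used` also needs a one-line comment, e.g. `# CRDs are managed from cluster/crds/cloudnative-pg; strip the chart's copies so Helm never owns them`, since a reader otherwise has to reconstruct the intent from the target selector alone.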
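Review bot: The configMapGenerator entry under `files:` fetches `https://raw.githubusercontent.com/cloudnative-pg/charts/main/charts/cnpg-sandbox/dashboard.json` from the `main` branch on every kustomize build, so the dashboard content is unpinned third-party input that can change — or be swapped, should that upstream repository be compromised — without any commit in this repository, and the build fails whenever GitHub is unreachable. Pin it to an immutable ref, e.g. `- cloudnative-pg-dashboard.json=https://raw.githubusercontent.com/cloudnative-pg/charts/<commit-sha — TODO pin>/charts/cnpg-sandbox/dashboard.json`, or vendor the JSON next to this kustomization. The `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation is the right call for generated dashboard JSON, since `${...}` sequences in it would otherwise be rewritten by Flux variable substitution; a short comment saying so would keep it from being removed as unused.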
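Review bot: scheduled-backup.yaml is the only new manifest in this directory without a leading `---` document marker (cluster.yaml, helm-release.yaml and kustomization.yaml all start with one), so add `---` as the first line for consistency. `backupOwnerReference: self` also merits a short comment on the lifecycle it selects, e.g. `# Backup objects are owned by this ScheduledBackup; deleting it garbage-collects the Backup resources, not the object-store data (retention is governed by the Cluster's retentionPolicy)` — worth confirming against the operator version the chart installs before committing to that wording.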
diff --git a/cluster/apps/databases/postgres/secret.sops.yaml b/cluster/apps/databases/postgres/secret.sops.yaml
new file mode 100644
index 000000000..b2f7b0e11
--- /dev/null
+++ b/cluster/apps/databases/postgres/secret.sops.yaml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/basic-auth
+metadata:
+ name: postgres-superuser
+ namespace: default
+stringData:
+ username: ENC[AES256_GCM,data:oMwUm7mTJ3U=,iv:hfa6GmA8uFC1gPs7Z0wAaddOhVeHu8FmANOd9n/fLok=,tag:FIv7VhkHlVLq4Q+k7N2DDw==,type:str]
+ password: ENC[AES256_GCM,data:LCUuhRW3wjkeVQgefTuh9Q==,iv:07R0ZUrLQe8jPZo3wFn/15fXg8yc/pa+a03tWkSrjjM=,tag:0YoG2EZ3JbihlY98ay/5eg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
+ NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
+ YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
+ SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
+ ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-09-14T11:46:06Z"
+ mac: ENC[AES256_GCM,data:+FQLnaq6xHe/NwKGvBQBDcIyJmdHWi612OhFucMOSfNBIDs70oUV96zay2qg3Ish0O4hTmUY8T4akVnRJj6hAYR/BY0yQ6v0fZAaVMc0AjPEi/kDuCIkvet3FOraU3hdL1sKE7zd+h8Xohen0n7dYsYXfH9ZN7QkPQx6Dn+HQcU=,iv:Wou+7naYwOc+5iw+Gn6BQm9Hmxg8Zycrab+LJZti5rw=,tag:M7t+PDAB50Y2zDxfP1GRag==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
+---
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+ name: postgres-minio
+ namespace: default
+ labels:
+ k8s.enterprisedb.io/reload: "true"
+stringData:
+ MINIO_ACCESS_KEY: ENC[AES256_GCM,data:lEOKspQaoN5FxOGSnpQuTAzzHrI=,iv:VJQAWK8Sia/wL4iAdpir5fJxBLP1fDQWqj5pBDO6x/g=,tag:5Jf612CStm7NcW1YdrOq1A==,type:str]
+ MINIO_SECRET_KEY: ENC[AES256_GCM,data:Saad8zdhNfJdCDM/3cwVAtp/Cx8F0R4AFERJA3xT7ZC7M0GptDVaGg==,iv:DnmbB6VCRa2itDLAYwGL3LkTBQlf4sVwu1O5+ZmuukQ=,tag:fG6XMj/rC3moGKVZJn9PBA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: 
age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
+ NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
+ YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
+ SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
+ ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2022-09-14T11:46:06Z"
+ mac: ENC[AES256_GCM,data:+FQLnaq6xHe/NwKGvBQBDcIyJmdHWi612OhFucMOSfNBIDs70oUV96zay2qg3Ish0O4hTmUY8T4akVnRJj6hAYR/BY0yQ6v0fZAaVMc0AjPEi/kDuCIkvet3FOraU3hdL1sKE7zd+h8Xohen0n7dYsYXfH9ZN7QkPQx6Dn+HQcU=,iv:Wou+7naYwOc+5iw+Gn6BQm9Hmxg8Zycrab+LJZti5rw=,tag:M7t+PDAB50Y2zDxfP1GRag==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.7.3
diff --git a/cluster/apps/databases/readme.md b/cluster/apps/databases/readme.md
new file mode 100644
index 000000000..687ff3505
--- /dev/null
+++ b/cluster/apps/databases/readme.md
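Review bot: The `postgres-minio` Secret carries `k8s.enterprisedb.io/reload: "true"` under metadata.labels, which is the label prefix of the EDB operator, while every resource here is `postgresql.cnpg.io/v1`; CloudNativePG's reload trigger is the `cnpg.io/reload` label, so this one most likely has no effect and a rotated MinIO key would not be picked up until the pods restart — confirm against the operator version the chart installs and either switch the label or drop it. The two documents also order the top-level keys differently (`apiVersion` before `kind` in the first, `kind` before `apiVersion` in the second); pick one order. Encrypting only `data`/`stringData` per `encrypted_regex` is fine here since the cleartext part holds names and labels only, but a comment above the second document noting that its keys are the same ones referenced by `s3Credentials` in cluster.yaml would tie the two files together for the next reader.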
@@ -0,0 +1,67 @@
+# Databases
+
+## Postgres
+
+### S3 Configuration
+
+1. Create `~/.mc/config.json`
+
+ ```json
+ {
+ "version": "10",
+ "aliases": {
+ "minio": {
+ "url": "https://s3.",
+ "accessKey": "",
+ "secretKey": "",
+ "api": "S3v4",
+ "path": "auto"
+ }
+ }
+ }
+ ```
+
+2. Create the outline user and password
+
+ ```sh
+ mc admin user add minio postgresql
+ ```
+
+3. Create the outline bucket
+
+ ```sh
+ mc mb minio/postgresql
+ ```
+
+4. Create `postgresql-user-policy.json`
+
+ ```json
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject"
+ ],
+ "Effect": "Allow",
+ "Resource": ["arn:aws:s3:::postgresql/*", "arn:aws:s3:::postgresql"],
+ "Sid": ""
+ }
+ ]
+ }
+ ```
+
+5. Apply the bucket policies
+
+ ```sh
+ mc admin policy add minio postgresql-private postgresql-user-policy.json
+ ```
+
+6. Associate private policy with the user
+
+ ```sh
+ mc admin policy set minio postgresql-private user=postgresql
+ ```
diff --git a/cluster/charts/cloudnative-pg-charts.yaml b/cluster/charts/cloudnative-pg-charts.yaml
new file mode 100644
index 000000000..eb00d862b
--- /dev/null
+++ b/cluster/charts/cloudnative-pg-charts.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: cloudnative-pg-charts
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://cloudnative-pg.github.io/charts
diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml
index eb0276673..00297d20e 100644
--- a/cluster/charts/kustomization.yaml
+++ b/cluster/charts/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - bitnami-charts.yaml
 - bjw-s-charts.yaml
 - cert-manager-webhook-ovh.yaml
+ - cloudnative-pg-charts.yaml
 - descheduler-charts.yaml
 - emxq-charts.yaml
 - external-dns-charts.yaml
diff --git a/cluster/crds/cloudnative-pg/crds.yaml b/cluster/crds/cloudnative-pg/crds.yaml
new file mode 100644
index 000000000..53ae4e650
--- /dev/null
+++ b/cluster/crds/cloudnative-pg/crds.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+ name: cloudnative-pg-source
+ namespace: flux-system
+spec:
+ interval: 12h
+ url: https://github.com/cloudnative-pg/charts.git
+ ref:
+ # renovate: registryUrl=https://github.com/cloudnative-pg/charts chart=cloudnative-pg
+ tag: cloudnative-pg-v0.14.0
+ ignore: |
+ # exclude all
+ /*
+ # include crd directory
+ !/charts/cloudnative-pg/templates/crds
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: crds-cloudnative-pg
+ namespace: flux-system
+spec:
+ interval: 30m
+ prune: false
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: cloudnative-pg-source
diff --git a/cluster/crds/cloudnative-pg/kustomization.yaml b/cluster/crds/cloudnative-pg/kustomization.yaml
new file mode 100644
index 000000000..7d6dc05e9
--- /dev/null
+++ b/cluster/crds/cloudnative-pg/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - crds.yaml
diff --git a/cluster/crds/kustomization.yaml b/cluster/crds/kustomization.yaml
index 666021cb7..656ccf726 100644
--- a/cluster/crds/kustomization.yaml
+++ b/cluster/crds/kustomization.yaml
@@ -2,8 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cert-manager
+ - cloudnative-pg
 - external-snapshotter
 - kube-prometheus-stack
- - node-feature-discovery
 - rook-ceph
- - system-upgrade-controller
diff --git a/cluster/crds/node-feature-discovery/kustomization.yaml b/cluster/crds/node-feature-discovery/kustomization.yaml
deleted file mode 100644
index 3ac9ece24..000000000
--- a/cluster/crds/node-feature-discovery/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - github.com/kubernetes-sigs/node-feature-discovery//deployment/base/nfd-crds?ref=v0.11.2
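Review bot: The GitRepository in crds.yaml pins the CRD source with `tag: cloudnative-pg-v0.14.0`, and a git tag is mutable, so whatever commit that tag points at when Flux reconciles is applied cluster-wide as CRDs, with `prune: false` keeping anything it ever created. For a cluster-scoped schema source, pin the commit as well or instead, e.g. `ref:` / ` commit: <commit-sha — TODO pin>` (the renovate annotation can keep updating `tag` beside it), or enable `spec.verify` on the GitRepository with the upstream signing key so a moved tag is rejected rather than applied. A comment above `ignore:` stating that only `charts/cloudnative-pg/templates/crds` is meant to reach the Kustomization, which has no `path` and therefore applies the repository root, would also make the coupling between the two documents explicit.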
diff --git a/cluster/crds/system-upgrade-controller/kustomization.yaml b/cluster/crds/system-upgrade-controller/kustomization.yaml
deleted file mode 100644
index f93e9e657..000000000
--- a/cluster/crds/system-upgrade-controller/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- # renovate: datasource=docker image=rancher/system-upgrade-controller
- - https://github.com/rancher/system-upgrade-controller/releases/download/v0.9.1/crd.yaml