# pg-app stub — full config lands in M4.1.
# Host: vm-data. Resource budget per INFRASTRUCTURE.md §6 co-tenant notes.
# RISK-1 (§12): single instance owns tenant_registry + compliance schemas. Split into pg-registry + pg-compliance at Tier B.

[[service]]
name = "pg-app"
image = "postgres:16-alpine"
port = 5432

[service.placement]
node = "vm-data"

[service.resources]
memory = "3Gi"
cpu = 1.0

[service.volume]
path = "/var/lib/postgresql/data"

[service.env]
POSTGRES_DB = "platform"
POSTGRES_USER = "platform"
POSTGRES_PASSWORD = "${secrets.PG_APP_PASSWORD}"