2026-03-07 14:30:36 +00:00
|
|
|
variable "tls_secret_name" {
|
|
|
|
|
type = string
|
|
|
|
|
sensitive = true
|
|
|
|
|
}
|
|
|
|
|
variable "dawarich_database_password" {
|
|
|
|
|
type = string
|
|
|
|
|
sensitive = true
|
|
|
|
|
}
|
|
|
|
|
variable "geoapify_api_key" {
|
|
|
|
|
type = string
|
|
|
|
|
sensitive = true
|
|
|
|
|
}
|
2026-02-22 13:56:34 +00:00
|
|
|
|
|
|
|
|
|
2026-02-22 15:13:55 +00:00
|
|
|
variable "image_version" {
|
|
|
|
|
type = string
|
|
|
|
|
default = "0.37.1"
|
|
|
|
|
}
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
variable "nfs_server" { type = string }
|
|
|
|
|
variable "redis_host" { type = string }
|
|
|
|
|
variable "postgresql_host" { type = string }
|
2026-02-22 15:13:55 +00:00
|
|
|
|
|
|
|
|
resource "kubernetes_namespace" "dawarich" {
|
|
|
|
|
metadata {
|
|
|
|
|
name = "dawarich"
|
|
|
|
|
labels = {
|
|
|
|
|
"istio-injection" : "disabled"
|
|
|
|
|
tier = local.tiers.edge
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module "tls_secret" {
|
|
|
|
|
source = "../../modules/kubernetes/setup_tls_secret"
|
|
|
|
|
namespace = kubernetes_namespace.dawarich.metadata[0].name
|
|
|
|
|
tls_secret_name = var.tls_secret_name
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resource "kubernetes_deployment" "dawarich" {
|
|
|
|
|
metadata {
|
|
|
|
|
name = "dawarich"
|
|
|
|
|
namespace = kubernetes_namespace.dawarich.metadata[0].name
|
|
|
|
|
labels = {
|
|
|
|
|
app = "dawarich"
|
|
|
|
|
tier = local.tiers.edge
|
|
|
|
|
}
|
|
|
|
|
annotations = {
|
|
|
|
|
"reloader.stakater.com/search" = "true"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
spec {
|
|
|
|
|
replicas = 1
|
|
|
|
|
strategy {
|
|
|
|
|
type = "Recreate"
|
|
|
|
|
}
|
|
|
|
|
selector {
|
|
|
|
|
match_labels = {
|
|
|
|
|
app = "dawarich"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
template {
|
|
|
|
|
metadata {
|
|
|
|
|
labels = {
|
|
|
|
|
app = "dawarich"
|
|
|
|
|
}
|
|
|
|
|
annotations = {
|
|
|
|
|
# "diun.enable" = "true"
|
|
|
|
|
# "diun.include_tags" = "latest"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
spec {
|
|
|
|
|
|
|
|
|
|
container {
|
|
|
|
|
image = "freikin/dawarich:${var.image_version}"
|
|
|
|
|
name = "dawarich"
|
|
|
|
|
port {
|
|
|
|
|
name = "http"
|
|
|
|
|
container_port = 3000
|
|
|
|
|
}
|
|
|
|
|
port {
|
|
|
|
|
name = "prometheus"
|
|
|
|
|
container_port = 9394
|
|
|
|
|
}
|
|
|
|
|
command = ["web-entrypoint.sh"]
|
|
|
|
|
args = ["bin/dev"]
|
|
|
|
|
env {
|
|
|
|
|
name = "REDIS_URL"
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
value = "redis://${var.redis_host}:6379"
|
2026-02-22 15:13:55 +00:00
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "DATABASE_HOST"
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
value = var.postgresql_host
|
2026-02-22 15:13:55 +00:00
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "DATABASE_USERNAME"
|
|
|
|
|
value = "dawarich"
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "DATABASE_PASSWORD"
|
|
|
|
|
value = var.dawarich_database_password
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "DATABASE_NAME"
|
|
|
|
|
value = "dawarich"
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "MIN_MINUTES_SPENT_IN_CITY"
|
|
|
|
|
value = "60"
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "TIME_ZONE"
|
|
|
|
|
value = "Europe/London"
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "DISTANCE_UNIT"
|
|
|
|
|
value = "km"
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "ENABLE_TELEMETRY"
|
|
|
|
|
value = "true"
|
|
|
|
|
}
|
|
|
|
|
env {
|
|
|
|
|
name = "APPLICATION_HOSTS"
|
|
|
|
|
value = "dawarich.viktorbarzin.me"
|
|
|
|
|
}
|
|
|
|
|
# env {
|
|
|
|
|
# name = "PROMETHEUS_EXPORTER_ENABLED"
|
|
|
|
|
# value = "true"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "PROMETHEUS_EXPORTER_PORT"
|
|
|
|
|
# value = "9394"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "PROMETHEUS_EXPORTER_HOST"
|
|
|
|
|
# value = "0.0.0.0"
|
|
|
|
|
# }
|
|
|
|
|
env {
|
|
|
|
|
name = "SELF_HOSTED"
|
|
|
|
|
value = "true"
|
|
|
|
|
}
|
|
|
|
|
# env {
|
|
|
|
|
# name = "PHOTON_API_HOST"
|
|
|
|
|
# value = "photon.dawarich"
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# volume_mount {
|
|
|
|
|
# name = "watched"
|
|
|
|
|
# mount_path = "/var/app/tmp/imports/watched"
|
|
|
|
|
# }
|
[ci skip] right-size all pod resources based on VPA + live metrics audit
Full cluster resource audit: cross-referenced Goldilocks VPA recommendations,
live kubectl top metrics, and Terraform definitions for 100+ containers.
Critical fixes:
- dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit
- stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit
- traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi
Added explicit resources to ~40 containers that had none:
- audiobookshelf, changedetection, cyberchef, dawarich, diun, echo,
excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n,
navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor,
tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver,
cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard,
k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server,
immich-postgresql, osrm-foot
GPU containers: added CPU/mem alongside GPU limits:
- ollama: removed CPU/mem limits (models vary in size), keep GPU only
- frigate: req 500m/2Gi, lim 4/8Gi + GPU
- immich-ml: req 100m/1Gi, lim 2/4Gi + GPU
Right-sized ~25 over-provisioned containers:
- kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi)
- onlyoffice: CPU 8 → 2 (VPA upper 45m)
- realestate-crawler-api: CPU 2000m → 250m
- blog/travel-blog/webhook-handler: 500m → 100m
- coturn/health/plotting-book: reduced to match actual usage
Conservative methodology: limits = max(VPA upper * 2, live usage * 2)
2026-03-01 19:18:50 +00:00
|
|
|
resources {
|
|
|
|
|
requests = {
|
|
|
|
|
cpu = "15m"
|
|
|
|
|
memory = "256Mi"
|
|
|
|
|
}
|
|
|
|
|
limits = {
|
|
|
|
|
cpu = "250m"
|
|
|
|
|
memory = "1Gi"
|
|
|
|
|
}
|
|
|
|
|
}
|
2026-02-22 15:13:55 +00:00
|
|
|
}
|
|
|
|
|
# container {
|
|
|
|
|
# image = "freikin/dawarich:${var.image_version}"
|
|
|
|
|
# name = "dawarich-sidekiq"
|
|
|
|
|
# command = ["sidekiq-entrypoint.sh"]
|
|
|
|
|
# args = ["bundle exec sidekiq"]
|
|
|
|
|
# env {
|
|
|
|
|
# name = "REDIS_URL"
|
|
|
|
|
# value = "redis://redis.redis.svc.cluster.local:6379"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "DATABASE_HOST"
|
|
|
|
|
# value = "postgresql.dbaas"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "DATABASE_USERNAME"
|
|
|
|
|
# value = "dawarich"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "DATABASE_PASSWORD"
|
|
|
|
|
# value = var.dawarich_database_password
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "DATABASE_NAME"
|
|
|
|
|
# value = "dawarich"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "MIN_MINUTES_SPENT_IN_CITY"
|
|
|
|
|
# value = "60"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "BACKGROUND_PROCESSING_CONCURRENCY"
|
|
|
|
|
# value = "10"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "ENABLE_TELEMETRY"
|
|
|
|
|
# value = "true"
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "APPLICATION_HOST"
|
|
|
|
|
# value = "dawarich.viktorbarzin.me"
|
|
|
|
|
# }
|
|
|
|
|
# # env {
|
|
|
|
|
# # name = "PROMETHEUS_EXPORTER_ENABLED"
|
|
|
|
|
# # value = "false"
|
|
|
|
|
# # }
|
|
|
|
|
# # env {
|
|
|
|
|
# # name = "PROMETHEUS_EXPORTER_HOST"
|
|
|
|
|
# # value = "dawarich.dawarich"
|
|
|
|
|
# # }
|
|
|
|
|
# # env {
|
|
|
|
|
# # name = "PHOTON_API_HOST"
|
|
|
|
|
# # value = "photon.dawarich:2322"
|
|
|
|
|
# # # value = "photon.komoot.io"
|
|
|
|
|
# # }
|
|
|
|
|
# # env {
|
|
|
|
|
# # name = "PHOTON_API_USE_HTTPS"
|
|
|
|
|
# # value = "false"
|
|
|
|
|
# # }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "GEOAPIFY_API_KEY"
|
|
|
|
|
# value = var.geoapify_api_key
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "SELF_HOSTED"
|
|
|
|
|
# value = "true"
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
# # volume_mount {
|
|
|
|
|
# # name = "watched"
|
|
|
|
|
# # mount_path = "/var/app/tmp/imports/watched"
|
|
|
|
|
# # }
|
|
|
|
|
# }
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# resource "kubernetes_deployment" "photon" {
|
|
|
|
|
# metadata {
|
|
|
|
|
# name = "photon"
|
|
|
|
|
# namespace = kubernetes_namespace.dawarich.metadata[0].name
|
|
|
|
|
# labels = {
|
|
|
|
|
# app = "photon"
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# spec {
|
|
|
|
|
# replicas = 1
|
|
|
|
|
# strategy {
|
|
|
|
|
# type = "Recreate"
|
|
|
|
|
# }
|
|
|
|
|
# selector {
|
|
|
|
|
# match_labels = {
|
|
|
|
|
# app = "photon"
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# template {
|
|
|
|
|
# metadata {
|
|
|
|
|
# labels = {
|
|
|
|
|
# app = "photon"
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# spec {
|
|
|
|
|
|
|
|
|
|
# container {
|
|
|
|
|
# image = "rtuszik/photon-docker:latest"
|
|
|
|
|
# name = "photon"
|
|
|
|
|
# port {
|
|
|
|
|
# name = "tcp"
|
|
|
|
|
# container_port = 2322
|
|
|
|
|
# }
|
|
|
|
|
# env {
|
|
|
|
|
# name = "COUNTRY_CODE"
|
|
|
|
|
# value = "bg"
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
# volume_mount {
|
|
|
|
|
# name = "data"
|
|
|
|
|
# mount_path = "/photon/photon_data"
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# volume {
|
|
|
|
|
# name = "data"
|
|
|
|
|
# nfs {
|
|
|
|
|
# path = "/mnt/main/photon"
|
[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability
Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs
Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb
Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts
Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi
Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
(removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
2026-02-23 22:05:28 +00:00
|
|
|
# server = var.nfs_server
|
2026-02-22 15:13:55 +00:00
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
resource "kubernetes_service" "dawarich" {
|
|
|
|
|
metadata {
|
|
|
|
|
name = "dawarich"
|
|
|
|
|
namespace = kubernetes_namespace.dawarich.metadata[0].name
|
|
|
|
|
labels = {
|
|
|
|
|
"app" = "dawarich"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
spec {
|
|
|
|
|
selector = {
|
|
|
|
|
app = "dawarich"
|
|
|
|
|
}
|
|
|
|
|
port {
|
|
|
|
|
name = "http"
|
|
|
|
|
port = 80
|
|
|
|
|
target_port = 3000
|
|
|
|
|
protocol = "TCP"
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# resource "kubernetes_service" "photon" {
|
|
|
|
|
# metadata {
|
|
|
|
|
# name = "photon"
|
|
|
|
|
# namespace = kubernetes_namespace.dawarich.metadata[0].name
|
|
|
|
|
# labels = {
|
|
|
|
|
# "app" = "photon"
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
|
|
|
|
|
# spec {
|
|
|
|
|
# selector = {
|
|
|
|
|
# app = "photon"
|
|
|
|
|
# }
|
|
|
|
|
# port {
|
|
|
|
|
# name = "http"
|
|
|
|
|
# port = 2322
|
|
|
|
|
# target_port = 2322
|
|
|
|
|
# protocol = "TCP"
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
# }
|
|
|
|
|
module "ingress" {
|
|
|
|
|
source = "../../modules/kubernetes/ingress_factory"
|
|
|
|
|
namespace = kubernetes_namespace.dawarich.metadata[0].name
|
|
|
|
|
name = "dawarich"
|
|
|
|
|
tls_secret_name = var.tls_secret_name
|
|
|
|
|
rybbit_site_id = "0abfd409f2fb"
|
2026-03-07 16:41:36 +00:00
|
|
|
extra_annotations = {
|
|
|
|
|
"gethomepage.dev/enabled" = "true"
|
|
|
|
|
"gethomepage.dev/name" = "Dawarich"
|
|
|
|
|
"gethomepage.dev/description" = "Location history"
|
|
|
|
|
"gethomepage.dev/icon" = "dawarich.png"
|
|
|
|
|
"gethomepage.dev/group" = "Smart Home"
|
|
|
|
|
"gethomepage.dev/pod-selector" = ""
|
|
|
|
|
}
|
2026-02-22 13:56:34 +00:00
|
|
|
}
|