misc: actualbudget, authentik, headscale, rybbit, terminal, dbaas updates

- actualbudget: adjust resource config - authentik: add configuration - headscale: minor fix - rybbit: add resources - terminal: add terminal stack config - platform/dbaas: add config - infra: update lock file
2026-04-06 11:58:00 +03:00 · 2026-04-06 11:58:00 +03:00 · 0de2fef9c9
commit 0de2fef9c9
parent c2f9ca0d13
8 changed files with 95 additions and 41 deletions
--- a/stacks/actualbudget/factory/main.tf
+++ b/stacks/actualbudget/factory/main.tf
@ -89,10 +89,10 @@ resource "kubernetes_deployment" "actualbudget" {
          resources {
            requests = {
              cpu    = "15m"
-              memory = "160Mi"
+              memory = "320Mi"
            }
            limits = {
-              memory = "256Mi"
+              memory = "400Mi"
            }
          }
          volume_mount {
--- a/stacks/authentik/modules/authentik/main.tf
+++ b/stacks/authentik/modules/authentik/main.tf
@ -16,6 +16,13 @@ module "tls_secret" {
  tls_secret_name = var.tls_secret_name
 }

+# The embedded outpost auto-creates an ingress expecting this secret name
+module "tls_secret_outpost" {
+  source          = "../../../../modules/kubernetes/setup_tls_secret"
+  namespace       = kubernetes_namespace.authentik.metadata[0].name
+  tls_secret_name = "authentik-outpost-tls"
+}
+
 resource "kubernetes_namespace" "authentik" {
  metadata {
    name = "authentik"
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@ -349,7 +349,7 @@ module "ingress-ui" {
  name            = "headscale-ui"
  host            = "headscale"
  service_name    = "headscale"
-  port            = 8081
+  port            = 80
  ingress_path    = ["/web"]
  tls_secret_name = var.tls_secret_name
 }
--- a/stacks/infra/.terraform.lock.hcl
+++ b/stacks/infra/.terraform.lock.hcl
@ -1,44 +1,6 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

-provider "registry.terraform.io/hashicorp/helm" {
-  version = "3.1.1"
-  hashes = [
-    "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=",
-    "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275",
-    "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a",
-    "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29",
-    "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104",
-    "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990",
-    "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34",
-    "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8",
-    "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1",
-    "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b",
-    "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903",
-    "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/kubernetes" {
-  version = "3.0.1"
-  hashes = [
-    "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=",
-    "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281",
-    "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba",
-    "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7",
-    "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6",
-    "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4",
-    "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249",
-    "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090",
-    "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97",
-    "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8",
-    "zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119",
-    "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1",
-    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
-  ]
-}
-
 provider "registry.terraform.io/hashicorp/null" {
  version = "3.2.4"
  hashes = [
--- a/stacks/platform/modules/dbaas/main.tf
+++ b/stacks/platform/modules/dbaas/main.tf
@ -175,6 +175,13 @@ resource "helm_release" "mysql_cluster" {
        innodb_log_buffer_size=16777216
        # Limit connections (peak usage ~40, no need for 151)
        max_connections=80
+        # Reduce disk write amplification (defaults were SSD-tuned, we're on HDD/LVM thin)
+        innodb_io_capacity=200
+        innodb_io_capacity_max=400
+        innodb_flush_log_at_trx_commit=2
+        sync_binlog=0
+        innodb_buffer_pool_size=1073741824
+        innodb_redo_log_capacity=536870912
      EOT
    }

--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@ -101,6 +101,17 @@ resource "kubernetes_config_map" "clickhouse_memory" {
    "memory.xml" = <<-EOF
      <clickhouse>
          <max_server_memory_usage>1258291200</max_server_memory_usage>
+          <!-- Disable high-churn system logs to reduce disk writes -->
+          <trace_log remove="1"/>
+          <text_log remove="1"/>
+          <metric_log remove="1"/>
+          <asynchronous_metric_log remove="1"/>
+          <query_log remove="1"/>
+          <part_log remove="1"/>
+          <processors_profile_log remove="1"/>
+          <query_metric_log remove="1"/>
+          <error_log remove="1"/>
+          <latency_log remove="1"/>
      </clickhouse>
    EOF
  }
@ -135,6 +146,11 @@ resource "kubernetes_deployment" "clickhouse" {
        }
      }
      spec {
+        security_context {
+          run_as_user  = 101
+          run_as_group = 101
+          fs_group     = 101
+        }
        container {
          name  = "clickhouse"
          image = "clickhouse/clickhouse-server:25.4.2"
--- a/stacks/terminal/main.tf
+++ b/stacks/terminal/main.tf
@ -70,3 +70,55 @@ module "ingress" {
    "gethomepage.dev/pod-selector" = ""
  }
 }
+
+# Read-only terminal session at terminal-ro.viktorbarzin.me
+resource "kubernetes_service" "terminal_ro" {
+  metadata {
+    name      = "terminal-ro"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+    labels = {
+      app = "terminal-ro"
+    }
+  }
+
+  spec {
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 7682
+    }
+  }
+}
+
+resource "kubernetes_endpoints" "terminal_ro" {
+  metadata {
+    name      = "terminal-ro"
+    namespace = kubernetes_namespace.terminal.metadata[0].name
+  }
+
+  subset {
+    address {
+      ip = "10.0.10.10"
+    }
+    port {
+      name = "http"
+      port = 7682
+    }
+  }
+}
+
+module "ingress_ro" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.terminal.metadata[0].name
+  name            = "terminal-ro"
+  tls_secret_name = var.tls_secret_name
+  protected       = true
+  extra_annotations = {
+    "gethomepage.dev/enabled"      = "true"
+    "gethomepage.dev/name"         = "Terminal (Read-Only)"
+    "gethomepage.dev/description"  = "Read-only web terminal (ttyd)"
+    "gethomepage.dev/icon"         = "mdi-console"
+    "gethomepage.dev/group"        = "Infrastructure"
+    "gethomepage.dev/pod-selector" = ""
+  }
+}
--- a/stacks/terminal/tiers.tf
+++ b/stacks/terminal/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}