From 0de2fef9c9fcf495b64f089493147d4fb1d75682 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 6 Apr 2026 11:58:00 +0300 Subject: [PATCH] misc: actualbudget, authentik, headscale, rybbit, terminal, dbaas updates - actualbudget: adjust resource config - authentik: add configuration - headscale: minor fix - rybbit: add resources - terminal: add terminal stack config - platform/dbaas: add config - infra: update lock file --- stacks/actualbudget/factory/main.tf | 4 +- stacks/authentik/modules/authentik/main.tf | 7 +++ stacks/headscale/modules/headscale/main.tf | 2 +- stacks/infra/.terraform.lock.hcl | 38 ---------------- stacks/platform/modules/dbaas/main.tf | 7 +++ stacks/rybbit/main.tf | 16 +++++++ stacks/terminal/main.tf | 52 ++++++++++++++++++++++ stacks/terminal/tiers.tf | 10 +++++ 8 files changed, 95 insertions(+), 41 deletions(-) create mode 100644 stacks/terminal/tiers.tf diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf index 6bf72ff1..330fb13a 100644 --- a/stacks/actualbudget/factory/main.tf +++ b/stacks/actualbudget/factory/main.tf @@ -89,10 +89,10 @@ resource "kubernetes_deployment" "actualbudget" { resources { requests = { cpu = "15m" - memory = "160Mi" + memory = "320Mi" } limits = { - memory = "256Mi" + memory = "400Mi" } } volume_mount { diff --git a/stacks/authentik/modules/authentik/main.tf b/stacks/authentik/modules/authentik/main.tf index 3c5506a4..7fd9c685 100644 --- a/stacks/authentik/modules/authentik/main.tf +++ b/stacks/authentik/modules/authentik/main.tf @@ -16,6 +16,13 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } +# The embedded outpost auto-creates an ingress expecting this secret name +module "tls_secret_outpost" { + source = "../../../../modules/kubernetes/setup_tls_secret" + namespace = kubernetes_namespace.authentik.metadata[0].name + tls_secret_name = "authentik-outpost-tls" +} + resource "kubernetes_namespace" "authentik" { metadata { name = "authentik" 
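Review bot: The literal `"authentik-outpost-tls"` in `tls_secret_outpost` has to match the secret name the embedded outpost writes into its generated ingress, and that setting lives in the outpost configuration rather than in this module. If the outpost setting changes, the ingress will presumably reference a secret that does not exist, while this second copy of the certificate and private key stays in the namespace unused. Lifting the name into a local or variable and naming the outpost setting in the comment would make the coupling visible, e.g. `# must equal the outpost's kubernetes_ingress_secret_name`.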
diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf index 7eab98b0..3382dbb9 100644 --- a/stacks/headscale/modules/headscale/main.tf +++ b/stacks/headscale/modules/headscale/main.tf @@ -349,7 +349,7 @@ module "ingress-ui" { name = "headscale-ui" host = "headscale" service_name = "headscale" - port = 8081 + port = 80 ingress_path = ["/web"] tls_secret_name = var.tls_secret_name } diff --git a/stacks/infra/.terraform.lock.hcl b/stacks/infra/.terraform.lock.hcl index 1bd6d53d..a8bf4c7d 100644 --- a/stacks/infra/.terraform.lock.hcl +++ b/stacks/infra/.terraform.lock.hcl 
@@ -1,44 +1,6 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/helm" { - version = "3.1.1" - hashes = [ - "h1:47CqNwkxctJtL/N/JuEj+8QMg8mRNI/NWeKO5/ydfZU=", - "zh:1a6d5ce931708aec29d1f3d9e360c2a0c35ba5a54d03eeaff0ce3ca597cd0275", - "zh:3411919ba2a5941801e677f0fea08bdd0ae22ba3c9ce3309f55554699e06524a", - "zh:81b36138b8f2320dc7f877b50f9e38f4bc614affe68de885d322629dd0d16a29", - "zh:95a2a0a497a6082ee06f95b38bd0f0d6924a65722892a856cfd914c0d117f104", - "zh:9d3e78c2d1bb46508b972210ad706dd8c8b106f8b206ecf096cd211c54f46990", - "zh:a79139abf687387a6efdbbb04289a0a8e7eaca2bd91cdc0ce68ea4f3286c2c34", - "zh:aaa8784be125fbd50c48d84d6e171d3fb6ef84a221dbc5165c067ce05faab4c8", - "zh:afecd301f469975c9d8f350cc482fe656e082b6ab0f677d1a816c3c615837cc1", - "zh:c54c22b18d48ff9053d899d178d9ffef7d9d19785d9bf310a07d648b7aac075b", - "zh:db2eefd55aea48e73384a555c72bac3f7d428e24147bedb64e1a039398e5b903", - "zh:ee61666a233533fd2be971091cecc01650561f1585783c381b6f6e8a390198a4", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "3.0.1" - hashes = [ - "h1:P0c8knzZnouTNFIRij8IS7+pqd0OKaFDYX0j4GRsiqo=", - "zh:02d55b0b2238fd17ffa12d5464593864e80f402b90b31f6e1bd02249b9727281", - "zh:20b93a51bfeed82682b3c12f09bac3031f5bdb4977c47c97a042e4df4fb2f9ba", - "zh:6e14486ecfaee38c09ccf33d4fdaf791409f90795c1b66e026c226fad8bc03c7", - "zh:8d0656ff422df94575668e32c310980193fccb1c28117e5c78dd2d4050a760a6", - "zh:9795119b30ec0c1baa99a79abace56ac850b6e6fbce60e7f6067792f6eb4b5f4", - "zh:b388c87acc40f6bd9620f4e23f01f3c7b41d9b88a68d5255dec0a72f0bdec249", - "zh:b59abd0a980649c2f97f172392f080eaeb18e486b603f83bf95f5d93aeccc090", - "zh:ba6e3060fddf4a022087d8f09e38aa0001c705f21170c2ded3d1c26c12f70d97", - "zh:c12626d044b1d5501cf95ca78cbe507c13ad1dd9f12d4736df66eb8e5f336eb8", - 
"zh:c55203240d50f4cdeb3df1e1760630d677679f5b1a6ffd9eba23662a4ad05119", - "zh:ea206a5a32d6e0d6e32f1849ad703da9a28355d9c516282a8458b5cf1502b2a1", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - provider "registry.terraform.io/hashicorp/null" { version = "3.2.4" hashes = [ diff --git a/stacks/platform/modules/dbaas/main.tf b/stacks/platform/modules/dbaas/main.tf index 5c1317c0..2835cbc4 100644 --- a/stacks/platform/modules/dbaas/main.tf +++ b/stacks/platform/modules/dbaas/main.tf @@ -175,6 +175,13 @@ resource "helm_release" "mysql_cluster" { innodb_log_buffer_size=16777216 # Limit connections (peak usage ~40, no need for 151) max_connections=80 + # Reduce disk write amplification (defaults were SSD-tuned, we're on HDD/LVM thin) + innodb_io_capacity=200 + innodb_io_capacity_max=400 + innodb_flush_log_at_trx_commit=2 + sync_binlog=0 + innodb_buffer_pool_size=1073741824 + innodb_redo_log_capacity=536870912 EOT } diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 25e622df..c0e1cc2a 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -101,6 +101,17 @@ resource "kubernetes_config_map" "clickhouse_memory" { "memory.xml" = <<-EOF 1258291200 + + + + + + + + + + + EOF } @@ -135,6 +146,11 @@ resource "kubernetes_deployment" "clickhouse" { } } spec { + security_context { + run_as_user = 101 + run_as_group = 101 + fs_group = 101 + } container { name = "clickhouse" image = "clickhouse/clickhouse-server:25.4.2" diff --git a/stacks/terminal/main.tf b/stacks/terminal/main.tf index c6daf858..099bb2d2 100644 --- a/stacks/terminal/main.tf +++ b/stacks/terminal/main.tf 
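Review bot: The added settings `innodb_flush_log_at_trx_commit=2` and `sync_binlog=0` trade crash durability for fewer disk flushes, but the new comment only mentions write amplification. With these values a node crash or power loss can lose roughly the last second of committed transactions, and the binary log is synced only when the OS chooses, so binlog and InnoDB state can disagree after an unclean shutdown. For a release named `mysql_cluster` that affects replica consistency and any recovery that replays binlogs. I would state the accepted loss window next to the settings, e.g. `# Durability trade-off: up to ~1s of commits may be lost on crash; binlog is not fsynced`. `innodb_buffer_pool_size=1073741824` should also be checked against the pod memory limit, which, like the start of the heredoc, lies outside this hunk.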
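Review bot: The new pod-level `security_context` in the clickhouse deployment pins UID/GID 101 but does not set `run_as_non_root = true`, so the non-root intent is not enforced if a container-level setting or a later edit overrides `run_as_user`. Adding `run_as_non_root = true` to this block is a one-line change. The `container` block continues past the hunk, so I cannot see whether it has its own `security_context`; if it does not, `allow_privilege_escalation = false` would be worth adding there. The first hunk in this file adds lines to `memory.xml` whose content did not survive in this view, so it is not reviewed here.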
@@ -70,3 +70,55 @@ module "ingress" { "gethomepage.dev/pod-selector" = "" } } + +# Read-only terminal session at terminal-ro.viktorbarzin.me +resource "kubernetes_service" "terminal_ro" { + metadata { + name = "terminal-ro" + namespace = kubernetes_namespace.terminal.metadata[0].name + labels = { + app = "terminal-ro" + } + } + + spec { + port { + name = "http" + port = 80 + target_port = 7682 + } + } +} + +resource "kubernetes_endpoints" "terminal_ro" { + metadata { + name = "terminal-ro" + namespace = kubernetes_namespace.terminal.metadata[0].name + } + + subset { + address { + ip = "10.0.10.10" + } + port { + name = "http" + port = 7682 + } + } +} + +module "ingress_ro" { + source = "../../modules/kubernetes/ingress_factory" + namespace = kubernetes_namespace.terminal.metadata[0].name + name = "terminal-ro" + tls_secret_name = var.tls_secret_name + protected = true + extra_annotations = { + "gethomepage.dev/enabled" = "true" + "gethomepage.dev/name" = "Terminal (Read-Only)" + "gethomepage.dev/description" = "Read-only web terminal (ttyd)" + "gethomepage.dev/icon" = "mdi-console" + "gethomepage.dev/group" = "Infrastructure" + "gethomepage.dev/pod-selector" = "" + } +} diff --git a/stacks/terminal/tiers.tf b/stacks/terminal/tiers.tf new file mode 100644 index 00000000..eb0f8083 --- /dev/null +++ b/stacks/terminal/tiers.tf @@ -0,0 +1,10 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +locals { + tiers = { + core = "0-core" + cluster = "1-cluster" + gpu = "2-gpu" + edge = "3-edge" + aux = "4-aux" + } +}
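Review bot: Nothing in these resources enforces the "read-only" promised by the comment and annotations. The `terminal_ro` Service has no selector and the hand-written Endpoints forwards to `10.0.10.10:7682`, so the read-only behaviour depends entirely on how ttyd is started on that host. `protected = true` presumably puts authentication on the ingress (the module is not shown), but that only covers traffic arriving through the ingress, and the hop to port 7682 is plain HTTP. I would record the requirement above the endpoints resource, e.g. `# ttyd on this host must run in read-only mode and accept connections only from the ingress controller`. The address would also be easier to audit as a variable than as a literal.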