[ci skip] add auto-generated tiers.tf, planning docs, and helm chart cache

- tiers.tf: Terragrunt-generated tier locals for all standalone stacks - .planning/: resource audit research and plans - docs/plans/: cluster hardening design doc - redis-25.3.2.tgz: Bitnami Redis Helm chart cache
2026-03-06 23:55:57 +00:00 · 2026-03-06 23:55:57 +00:00 · 197cef7f3f
commit 197cef7f3f
parent 8d3db35b5e
60 changed files with 3530 additions and 0 deletions
--- a/.planning/quick/1-fix-broken-demo-streams-and-improve-heal/1-PLAN.md
+++ b/.planning/quick/1-fix-broken-demo-streams-and-improve-heal/1-PLAN.md
@ -0,0 +1,47 @@
+# Quick Task 1: Fix Broken Demo Streams and Improve Health Checking
+
+## Objective
+
+Replace the broken Akamai live test stream (whose variant playlists return 404 despite master playlist returning 200) with a working test stream, and improve the health checker to validate variant playlists so broken streams are caught before being displayed to users. Rebuild and deploy the updated image.
+
+## Context
+
+- The F1 streaming site at f1.viktorbarzin.me has 3 demo streams
+- Akamai live test stream (`cph-p2p-msl.akamaized.net/hls/live/2000341/test/master.m3u8`) has a working master playlist but all variant playlists return 404
+- Current health check only validates the master playlist URL (checks for `#EXTM3U`), missing the broken variants
+- When hls.js tries to load the variant through the proxy, it gets 502 errors
+- The other 2 streams (Big Buck Bunny, Apple Bipbop) work correctly end-to-end
+- Confirmed working replacement: Tears of Steel (`demo.unified-streaming.com/k8s/features/stable/video/tears-of-steel/tears-of-steel.ism/.m3u8`) - all variants return 200
+
+## Tasks
+
+### Task 1: Replace broken Akamai stream URL in demo extractor
+
+**files:** `stacks/f1-stream/files/backend/extractors/demo.py`
+**action:** Replace the Akamai live test stream URL with Tears of Steel. Update the title, quality, and any other metadata.
+**verify:** Run the demo extractor's URL through curl to confirm master and variant playlists both return 200.
+**done:** Demo extractor returns 3 working stream URLs, none of which have broken variants.
+
+Replace:
+- URL: `https://cph-p2p-msl.akamaized.net/hls/live/2000341/test/master.m3u8`
+- Title: "Akamai Live Test Stream"
+- Quality: "" (empty)
+
+With:
+- URL: `https://demo.unified-streaming.com/k8s/features/stable/video/tears-of-steel/tears-of-steel.ism/.m3u8`
+- Title: "Tears of Steel (Test Stream)"
+- Quality: "1080p"
+
+### Task 2: Improve health checker to validate variant playlists
+
+**files:** `stacks/f1-stream/files/backend/health.py`
+**action:** After the existing health check passes (master playlist has `#EXTM3U`), if the playlist is a master playlist (contains `#EXT-X-STREAM-INF:`), extract the first variant URI and do a HEAD/GET check on it. Mark the stream as unhealthy if the variant returns non-200.
+**verify:** A stream with a broken variant (like the old Akamai one) would be marked `is_live=False`.
+**done:** Health checker validates at least one variant playlist when the stream is a master playlist.
+
+### Task 3: Rebuild Docker image and deploy
+
+**files:** `stacks/f1-stream/main.tf`
+**action:** Build new Docker image with tag v5.1.0, push to registry, update Terraform deployment image tag, apply the stack.
+**verify:** `curl https://f1.viktorbarzin.me/streams` returns 3 streams all with `is_live: true`. Visit f1.viktorbarzin.me/watch in browser and confirm all 3 streams play.
+**done:** All 3 demo streams are playable in the browser at f1.viktorbarzin.me/watch.
--- a/.planning/quick/resource-audit-live-metrics.md
+++ b/.planning/quick/resource-audit-live-metrics.md
@ -0,0 +1,614 @@
+# Kubernetes Cluster Resource Audit - Live Metrics
+
+**Collected**: 2026-03-01
+**Cluster**: 5 nodes (k8s-master + k8s-node1-4), Kubernetes v1.34.2
+
+---
+
+## EXECUTIVE SUMMARY
+
+### Critical Issues
+
+#### OOMKilled Pods
+| Namespace | Pod | Status |
+|-----------|-----|--------|
+| dbaas | mysql-cluster-0 | OOMKilled (last state) |
+
+#### CrashLoopBackOff / ImagePullBackOff Pods
+| Namespace | Pod | Status |
+|-----------|-----|--------|
+| vpa | vpa-admission-certgen-kdvqj | ImagePullBackOff |
+
+#### Pods with NO Resource Limits (unbounded)
+These pods have `<none>` for CPU and/or memory limits -- they can consume unlimited node resources:
+
+| Namespace | Pod | Container | CPU Limit | Mem Limit |
+|-----------|-----|-----------|-----------|-----------|
+| calico-apiserver | calico-apiserver-*-bq6zp | calico-apiserver | <none> | <none> |
+| calico-apiserver | calico-apiserver-*-q794h | calico-apiserver | <none> | <none> |
+| calico-system | calico-kube-controllers-* | calico-kube-controllers | <none> | <none> |
+| calico-system | calico-node-* (5 pods) | calico-node | <none> | <none> |
+| calico-system | calico-typha-*-9wr7z | calico-typha | <none> | <none> |
+| calico-system | calico-typha-*-hw8wt | calico-typha | <none> | <none> |
+| calico-system | calico-typha-*-z69vx | calico-typha | <none> | <none> |
+| calico-system | csi-node-driver-* (5 pods) | calico-csi, csi-node-driver-registrar | <none> | <none> |
+| kube-system | etcd-k8s-master | etcd | <none> | <none> |
+| kube-system | kube-apiserver-k8s-master | kube-apiserver | <none> | <none> |
+| kube-system | kube-controller-manager-k8s-master | kube-controller-manager | <none> | <none> |
+| kube-system | kube-proxy-* (5 pods) | kube-proxy | <none> | <none> |
+| kube-system | kube-scheduler-k8s-master | kube-scheduler | <none> | <none> |
+| kyverno | kyverno-admission-controller-* (2 pods) | kyverno | <none> (CPU) | 768Mi |
+| kyverno | kyverno-background-controller-* | controller | <none> (CPU) | 128Mi |
+| kyverno | kyverno-cleanup-controller-* | controller | <none> (CPU) | 128Mi |
+| kyverno | kyverno-reports-controller-* | controller | <none> (CPU) | 128Mi |
+| metallb-system | controller-* | controller | <none> | <none> |
+| metallb-system | speaker-dn9bk | speaker | <none> | <none> |
+| metallb-system | speaker-mnpsl | speaker | <none> | <none> |
+| metallb-system | speaker-pl8dz | speaker | <none> | <none> |
+| nvidia | nvidia-driver-daemonset-x2r6b | nvidia-driver-ctr | <none> | <none> |
+
+**Note**: kube-system and calico-system pods without limits are standard for control-plane components. The NVIDIA driver daemonset is also expected. MetalLB pods without limits should be monitored.
+
+#### Pods Near or Exceeding Memory Limits (>75% utilization)
+
+| Namespace | Pod | Current Usage | Memory Limit | % Used |
+|-----------|-----|--------------|--------------|--------|
+| dbaas | mysql-cluster-0 | 1845Mi | 2Gi (sidecar:512Mi + mysql:2Gi) | ~90% of mysql container |
+| dbaas | mysql-cluster-2 | 1212Mi | 2Gi (sidecar:512Mi + mysql:2Gi) | ~59% combined |
+| dbaas | mysql-cluster-1 | 1083Mi | 2Gi (sidecar:512Mi + mysql:2Gi) | ~53% combined |
+| dashy | dashy-* | 1048Mi | 4Gi | 26% but NOTE: 490m CPU near 500m limit (98%) |
+| onlyoffice | onlyoffice-document-server-* | 1007Mi | 4Gi | 25% |
+| stirling-pdf | stirling-pdf-* | 902Mi | 4Gi | 23% |
+| trading-bot | trading-bot-workers-* | 1901Mi | 2Gi (sentiment-analyzer) | ~95% of largest container |
+| authentik | goauthentik-server-*-x68p7 | 593Mi | 1Gi | 58% |
+| authentik | goauthentik-server-*-4bjll | 583Mi | 1Gi | 57% |
+| authentik | goauthentik-server-*-z68g8 | 548Mi | 1Gi | 54% |
+| authentik | goauthentik-worker-*-klk6z | 551Mi | 1Gi | 54% |
+| servarr | flaresolverr-* | 148Mi | 256Mi | 58% |
+| speedtest | speedtest-* | 147Mi | ~1.2Gi | 12% |
+| cnpg-system | cnpg-cloudnative-pg-* | 72Mi | 256Mi | 28% |
+| mailserver | mailserver-* | 183Mi | 256Mi+256Mi | 36% per container |
+| vpa | vpa-recommender-* | 74Mi | 512Mi | 14% (but 500Mi req = nearly full request!) |
+
+#### Pods with CPU Near Limit (potential throttling)
+
+| Namespace | Pod | Current CPU | CPU Limit | % Used |
+|-----------|-----|------------|-----------|--------|
+| dashy | dashy-* | 490m | 500m | **98%** -- actively throttling |
+| stirling-pdf | stirling-pdf-* | 299m | 300m | **99.7%** -- actively throttling |
+| frigate | frigate-* | 860m | 8000m | 11% |
+| crowdsec | crowdsec-agent-rkvf2 | 13m | 500m | 3% (but req=limit=500m) |
+| redis | redis-node-0 | 44m | 500m (redis) + 200m (sentinel) | 6% |
+| redis | redis-node-1 | 43m | 1260m (redis) + 140m (sentinel) | 3% |
+
+---
+
+## NODE-LEVEL RESOURCE USAGE
+
+| Node | CPU (cores) | CPU % | Memory | Memory % |
+|------|-------------|-------|--------|----------|
+| k8s-master | 805m | 10% | 5132Mi | 65% |
+| k8s-node1 | 1002m | 6% | 9192Mi | 57% |
+| k8s-node2 | 894m | 11% | 11517Mi | 48% |
+| k8s-node3 | 781m | 9% | 13103Mi | 54% |
+| k8s-node4 | 1333m | 16% | 13122Mi | 54% |
+| **TOTAL** | **4815m** | **~10%** | **52066Mi** | **~55%** |
+
+**Observations**:
+- Memory is the tighter resource (~55% cluster-wide), CPU is abundant (~10%)
+- k8s-master at 65% memory -- highest, but still has headroom
+- k8s-node3 and k8s-node4 carry the most memory workloads (~13Gi each)
+
+---
+
+## POD RESOURCE USAGE BY NAMESPACE (sorted by total memory)
+
+### Top 20 Memory Consumers
+
+| Rank | Namespace/Pod | CPU | Memory | Mem Limit |
+|------|--------------|-----|--------|-----------|
+| 1 | frigate/frigate | 860m | 3835Mi | 16Gi |
+| 2 | kube-system/kube-apiserver | 376m | 2531Mi | <none> |
+| 3 | monitoring/prometheus-server | 36m | 1912Mi | 4Gi |
+| 4 | trading-bot/trading-bot-workers | 7m | 1901Mi | 2Gi (largest) |
+| 5 | dbaas/mysql-cluster-0 | 62m | 1845Mi | 2Gi (mysql) |
+| 6 | monitoring/loki-0 | 95m | 1335Mi | ~2.9Gi |
+| 7 | immich/immich-machine-learning | 8m | 1215Mi | 16Gi |
+| 8 | dbaas/mysql-cluster-2 | 32m | 1212Mi | 2Gi (mysql) |
+| 9 | nvidia/nvidia-driver-daemonset | 0m | 1168Mi | <none> |
+| 10 | dbaas/mysql-cluster-1 | 40m | 1083Mi | 2Gi (mysql) |
+| 11 | dashy/dashy | 490m | 1048Mi | 4Gi |
+| 12 | onlyoffice/onlyoffice-document-server | 3m | 1007Mi | 4Gi |
+| 13 | stirling-pdf/stirling-pdf | 299m | 902Mi | 4Gi |
+| 14 | tandoor/tandoor | 1m | 754Mi | ~3.1Gi |
+| 15 | paperless-ngx/paperless-ngx | 4m | 691Mi | ~3.7Gi |
+| 16 | linkwarden/linkwarden | 8m | 682Mi | ~3.3Gi |
+| 17 | ollama/ollama-ui | 2m | 658Mi | ~5.8Gi |
+| 18 | whisper/whisper | 1m | 628Mi | ~5.8Gi |
+| 19 | realestate-crawler/celery | 2m | 608Mi | 2Gi |
+| 20 | authentik/goauthentik-server (x3) | ~17m each | ~575Mi each | 1Gi |
+
+### Top 10 CPU Consumers
+
+| Rank | Namespace/Pod | CPU | CPU Limit |
+|------|--------------|-----|-----------|
+| 1 | frigate/frigate | 860m | 8000m |
+| 2 | dashy/dashy | 490m | 500m |
+| 3 | kube-system/kube-apiserver | 376m | <none> |
+| 4 | stirling-pdf/stirling-pdf | 299m | 300m |
+| 5 | kube-system/etcd | 216m | <none> |
+| 6 | monitoring/loki-0 | 95m | 504m |
+| 7 | authentik/goauthentik-worker-c5zfs | 81m | 2000m |
+| 8 | authentik/goauthentik-worker-b5wzk | 62m | 2000m |
+| 9 | dbaas/mysql-cluster-0 | 62m | 2000m |
+| 10 | calico-system/calico-node-wllsb | 49m | <none> |
+
+---
+
+## DETAILED NAMESPACE BREAKDOWN
+
+### actualbudget
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| actualbudget-anca | 1m | 42Mi | 25m/250m | 64Mi/256Mi |
+| actualbudget-emo | 1m | 40Mi | 25m/250m | 64Mi/256Mi |
+| actualbudget-http-api-anca | 1m | 26Mi | 25m/250m | 64Mi/256Mi |
+| actualbudget-http-api-emo | 0m | 26Mi | 25m/250m | 64Mi/256Mi |
+| actualbudget-http-api-viktor | 1m | 29Mi | 25m/250m | 64Mi/256Mi |
+| actualbudget-viktor | 1m | 56Mi | 25m/250m | 64Mi/256Mi |
+**Quota**: 150m/4000m CPU used, 384Mi/4Gi mem used, 6/30 pods
+
+### affine
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| affine | 4m | 174Mi | 35m/700m | ~237Mi/~1.9Gi |
+**Quota**: 35m/2000m CPU, ~237Mi/2Gi mem, 1/20 pods
+
+### aiostreams
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| aiostreams | 1m | 215Mi | 50m/500m | 256Mi/768Mi |
+
+### atuin
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| atuin | 1m | 2Mi | 50m/500m | 64Mi/256Mi |
+
+### audiobookshelf
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| audiobookshelf | 1m | 55Mi | 15m/150m | ~100Mi/400Mi |
+
+### authentik
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| ak-outpost-embedded | 6m | 18Mi | 50m/500m | 64Mi/512Mi |
+| goauthentik-server (x3) | 14-21m | 548-593Mi | 100m/2000m | 512Mi/1Gi |
+| goauthentik-worker (x3) | 40-81m | 420-551Mi | 50-100m/1-2000m | 384Mi-600Mi/1-1.6Gi |
+| pgbouncer (x3) | 1-2m | 2Mi | 15-50m/150-500m | ~100Mi/512-800Mi |
+**Quota**: 680m/16000m CPU, ~3.3Gi/16Gi mem, 10/50 pods
+
+### calibre
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| annas-archive-stacks | 1m | 60Mi | 25m/250m | 64Mi/256Mi |
+| calibre-web-automated | 1m | 196Mi | 23m/460m | ~640Mi/~2.6Gi |
+
+### changedetection
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| changedetection (2 containers) | 6m | 111Mi | 25m+25m/250m+250m | 64Mi+64Mi/256Mi+256Mi |
+
+### cloudflared
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| cloudflared (x3) | 3-9m | 31-59Mi | 50m/500m | 64Mi/512Mi |
+
+### crowdsec
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| crowdsec-agent (x3) | 3-13m | 43-48Mi | 500m/500m | 250Mi/250Mi |
+| crowdsec-lapi (x3) | 1m | 30-34Mi | 23m/23m | ~121Mi/~121Mi |
+| crowdsec-web | 2m | 46Mi | 50m/500m | 64Mi/512Mi |
+**Note**: crowdsec-agent has CPU req=limit=500m (Guaranteed QoS). Same for memory at 250Mi.
+
+### dashy
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| dashy | **490m** | 1048Mi | 15m/**500m** | 512Mi/4Gi |
+**WARNING**: CPU at 98% of limit -- actively being throttled!
+
+### dawarich
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| dawarich | 1m | 438Mi | 15m/150m | ~600Mi/~2.4Gi |
+
+### dbaas
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| mysql-cluster-0 | 62m | 1845Mi | 50m+250m/500m+2000m | 64Mi+1Gi/512Mi+2Gi |
+| mysql-cluster-1 | 40m | 1083Mi | 50m+250m/500m+2000m | 64Mi+1Gi/512Mi+2Gi |
+| mysql-cluster-2 | 32m | 1212Mi | 50m+250m/500m+2000m | 64Mi+1Gi/512Mi+2Gi |
+| pg-cluster-1 | 22m | 335Mi | 250m/2000m | 512Mi/4Gi |
+| pg-cluster-2 | 11m | 155Mi | 250m/2000m | 512Mi/4Gi |
+| pgadmin | 1m | 265Mi | 50m/500m | 64Mi/512Mi |
+| phpmyadmin | 1m | 46Mi | 50m/500m | 64Mi/512Mi |
+**WARNING**: mysql-cluster-0 was OOMKilled previously. Currently at 1845Mi with 2Gi limit on mysql container (~90%).
+**Quota**: 1500m/8000m CPU, 4416Mi/12Gi mem, 7/30 pods
+
+### echo
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| echo (x5) | 0-1m | 19-30Mi | 15-25m/150-250m | 64Mi-100Mi/256-400Mi |
+
+### forgejo
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| forgejo | 1m | 170Mi | 15m/500m | ~215Mi/~1.7Gi |
+
+### freedify
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| music-emo | 2m | 68Mi | 100m/500m | 256Mi/512Mi |
+| music-viktor | 2m | 57Mi | 100m/500m | 256Mi/512Mi |
+
+### frigate
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| frigate | 860m | 3835Mi | 800m/8000m | 2Gi/16Gi |
+**Note**: Highest memory consumer in the cluster. GPU tier (2-gpu).
+
+### headscale
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| headscale (2 containers) | 1m | 65Mi | 50m+25m/200m+100m | 64Mi+32Mi/256Mi+128Mi |
+
+### homepage
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| homepage | 1m | 86Mi | 15m/150m | ~121Mi/~484Mi |
+
+### immich
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| immich-frame | 1m | 30Mi | 15m/150m | ~105Mi/~838Mi |
+| immich-machine-learning | 8m | 1215Mi | 15m/150m | 2Gi/16Gi |
+| immich-postgresql | 1m | 268Mi | 15m/150m | ~990Mi/~7.9Gi |
+| immich-server | 3m | 404Mi | 800m/8000m | ~990Mi/~7.9Gi |
+**Quota**: 845m/8000m CPU, ~4.1Gi/8Gi mem, 4/40 pods. Note: mem at ~51% of quota.
+
+### kms
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| kms | 0m | 0Mi | 15m/15m | ~100Mi/1Gi |
+| kms-web-page | 0m | 10Mi | 500m/500m | 512Mi/512Mi |
+**Note**: kms-web-page has req=limit (Guaranteed QoS) at 500m CPU and 512Mi, but uses 0m/10Mi.
+
+### linkwarden
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| linkwarden | 8m | 682Mi | 15m/150m | ~826Mi/~3.3Gi |
+
+### mailserver
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| mailserver (2 containers) | 9m | 183Mi | 25m+25m/250m+250m | 64Mi+64Mi/256Mi+256Mi |
+| roundcubemail | 1m | 44Mi | 25m/250m | 64Mi/256Mi |
+
+### meshcentral
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| meshcentral | 1m | 127Mi | 15m/300m | ~283Mi/~850Mi |
+
+### monitoring
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| alloy (x3, DaemonSet) | 44-47m | 182-201Mi | 63m+11m/252m+550m | ~422Mi+50Mi/~845Mi+512Mi |
+| caretta (x4, DaemonSet) | 2-4m | 250-267Mi | 15m/225m | ~422Mi/~2.5Gi |
+| goflow2 | 11m | 28Mi | 15m/60m | ~100Mi/400Mi |
+| grafana (x3) | 18m | 232-235Mi | 11m+11m+35m/110m+110m+350m | multi-container |
+| idrac-redfish-exporter | 3m | 9Mi | 15m/150m | ~100Mi/800Mi |
+| loki-0 (2 containers) | 95m | 1335Mi | 126m+11m/504m+110m | ~1.9Gi+~121Mi/~2.9Gi+~968Mi |
+| node-exporter (x5) | 1m | 9-24Mi | 15m/150m | ~100Mi/800Mi |
+| prometheus-alertmanager | 2m | 24Mi | 15m/150m | ~100Mi/800Mi |
+| prometheus-kube-state-metrics | 3m | 33Mi | 15m/150m | ~100Mi/800Mi |
+| prometheus-pushgateway | 1m | 18Mi | 15m/150m | ~100Mi/800Mi |
+| prometheus-server (2 containers) | 36m | 1912Mi | 11m+93m/110m+930m | 50Mi+512Mi/400Mi+4Gi |
+| proxmox-exporter | 1m | 41Mi | 23m/230m | ~100Mi/800Mi |
+| snmp-exporter | 2m | 14Mi | 15m/150m | ~100Mi/800Mi |
+| sysctl-inotify (x5) | 0m | 0Mi | 15m/15m | ~100Mi/~100Mi |
+**Quota**: 1177m/16000m CPU, ~9Gi/16Gi mem, 32/100 pods
+
+### mysql-operator
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| mysql-operator | 4m | 254Mi | 23m/230m | ~309Mi/~1.2Gi |
+
+### n8n
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| n8n | 2m | 425Mi | 15m/150m | ~524Mi/~2.1Gi |
+
+### netbox
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| netbox | 1m | 480Mi | 50m/2000m | 512Mi/4Gi |
+
+### nextcloud
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| nextcloud (2 containers) | 9m | 234Mi | 100m+11m/16000m+110m | ~1.3Gi+~121Mi/~8Gi+~484Mi |
+| whiteboard | 1m | 62Mi | 25m/250m | 64Mi/256Mi |
+**Quota**: 136m/4000m CPU, ~1.5Gi/8Gi mem, 2/10 pods
+
+### nvidia
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| gpu-feature-discovery | 1m | 76Mi | 100m+100m/1+1 | 256Mi+256Mi/2Gi+2Gi |
+| gpu-operator | 14m | 63Mi | 200m/500m | 100Mi/350Mi |
+| gpu-pod-exporter | 2m | 50Mi | 50m/200m | 128Mi/256Mi |
+| nvidia-container-toolkit | 1m | 27Mi | 100m/1000m | 256Mi/2Gi |
+| nvidia-dcgm-exporter | 17m | 538Mi | 100m/1000m | 256Mi/2Gi |
+| nvidia-device-plugin | 1m | 47Mi | 100m+100m/1+1 | 256Mi+256Mi/2Gi+2Gi |
+| nvidia-driver-daemonset | 0m | 1168Mi | <none> | <none> |
+| nvidia-exporter | 1m | 138Mi | 15m/150m | ~121Mi/~968Mi |
+| nfd-gc | 1m | 9Mi | 15m/1500m | ~100Mi/800Mi |
+| nfd-master | 1m | 27Mi | 100m/4000m | 128Mi/4Gi |
+| nfd-worker (x5) | 1m | 14-18Mi | 15m/3000m | ~100Mi/800Mi |
+| nvidia-operator-validator | 0m | 1Mi | 100m/1000m | 256Mi/2Gi |
+
+### ollama
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| ollama | 1m | 11Mi | 500m/4000m | 4Gi/12Gi |
+| ollama-ui | 2m | 658Mi | 15m/150m | ~729Mi/~5.8Gi |
+**Note**: ollama pod at only 11Mi but reserves 4Gi -- GPU workload likely using VRAM instead.
+
+### onlyoffice
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| onlyoffice-document-server | 3m | 1007Mi | 250m/8000m | 512Mi/4Gi |
+**Quota**: 250m/4000m CPU, 512Mi/4Gi mem, 1/10 pods
+
+### openclaw
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| openclaw (2 containers) | 2m | 447Mi | 100m+25m/2000m+500m | 512Mi+64Mi/2Gi+256Mi |
+
+### osm-routing
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| osrm-bicycle | 0m | 366Mi | 15m/250m | ~454Mi/~909Mi |
+| osrm-foot | 0m | 359Mi | 15m/150m | ~454Mi/~1.8Gi |
+
+### paperless-ngx
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| paperless-ngx | 4m | 691Mi | 49m/980m | ~933Mi/~3.7Gi |
+
+### realestate-crawler
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| realestate-crawler-api (x2) | 2m | 133-134Mi | 15m/600m | ~194Mi/~1.6Gi |
+| realestate-crawler-celery | 2m | 608Mi | 100m/2000m | 512Mi/2Gi |
+| realestate-crawler-celery-beat | 0m | 107Mi | 15m/300m | ~175Mi/~699Mi |
+| realestate-crawler-ui (x2) | 0m | 7-8Mi | 15-25m/150-250m | 64-100Mi/256-400Mi |
+
+### redis
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| redis-node-0 (redis+sentinel) | 44m | 47Mi | 50m+50m/500m+200m | 64Mi+64Mi/256Mi+128Mi |
+| redis-node-1 (redis+sentinel) | 43m | 25Mi | 126m+35m/1260m+140m | ~50Mi+~50Mi/200Mi+100Mi |
+
+### resume
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| printer | 3m | 109Mi | 15m/300m | 1Gi/4Gi |
+| resume | 1m | 116Mi | 15m/300m | ~215Mi/~645Mi |
+
+### rybbit
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| rybbit | 2m | 185Mi | 15m/150m | ~215Mi/~860Mi |
+| rybbit-client | 1m | 89Mi | 25m/250m | 64Mi/256Mi |
+**Note**: rybbit-client at 89Mi with 256Mi limit (35%).
+
+### servarr
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| flaresolverr | 1m | 148Mi | 25m/250m | 64Mi/256Mi |
+| listenarr | 2m | 383Mi | 15m/600m | ~640Mi/~2.6Gi |
+| prowlarr | 1m | 149Mi | 15m/150m | ~260Mi/~1Gi |
+| qbittorrent | 1m | 29Mi | 25m/250m | 64Mi/256Mi |
+**WARNING**: flaresolverr at 148Mi / 256Mi = 58% of mem limit.
+
+### speedtest
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| speedtest | 1m | 147Mi | 200m/2000m | ~309Mi/~1.2Gi |
+
+### stirling-pdf
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| stirling-pdf | **299m** | 902Mi | 15m/**300m** | 1Gi/4Gi |
+**WARNING**: CPU at 99.7% of limit -- actively being throttled!
+
+### tandoor
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| tandoor | 1m | 754Mi | 15m/150m | ~776Mi/~3.1Gi |
+
+### technitium
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| technitium | 1m | 184Mi | 100m/500m | 128Mi/512Mi |
+| technitium-secondary | 9m | 123Mi | 100m/500m | 128Mi/512Mi |
+
+### trading-bot
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| trading-bot-frontend (2 containers) | 2m | 174Mi | 10m+50m/200m+1000m | 32Mi+128Mi/128Mi+512Mi |
+| trading-bot-workers (6 containers) | 7m | 1901Mi | 10m+100m+10m+10m+10m+10m/500m+2000m+500m+500m+500m+500m | 64Mi*5+512Mi/256Mi*5+2Gi |
+**WARNING**: trading-bot-workers at 1901Mi. The sentiment-analyzer container has 2Gi limit, possibly near OOM.
+
+### traefik
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| auth-proxy (x2) | 1m | 7Mi | 5m/50m | 16Mi/32Mi |
+| bot-block-proxy (x2) | 1m | 7Mi | 5m/50m | 16Mi/32Mi |
+| traefik (x3) | 4-14m | 81-120Mi | 100m/500m | 128Mi/512Mi |
+
+### uptime-kuma
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| uptime-kuma | 23m | 163Mi | 49m/196m | ~237Mi/~947Mi |
+
+### vpa
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| goldilocks-controller | 7m | 30Mi | 49m/980m | ~105Mi/~209Mi |
+| goldilocks-dashboard | 1m | 8Mi | 15m/300m | ~105Mi/~209Mi |
+| vpa-admission-certgen | N/A | N/A | 50m/500m | 64Mi/512Mi |
+| vpa-admission-controller | 3m | 48Mi | 50m/500m | 200Mi/512Mi |
+| vpa-recommender | 13m | 74Mi | 50m/500m | 500Mi/512Mi |
+| vpa-updater | 2m | 68Mi | 50m/500m | 500Mi/512Mi |
+**WARNING**: vpa-admission-certgen in ImagePullBackOff.
+
+### whisper
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| piper | 0m | 32Mi | 100m/1000m | 256Mi/2Gi |
+| whisper | 1m | 628Mi | 15m/150m | ~729Mi/~5.8Gi |
+
+### wireguard
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| wireguard (2 containers) | 1m | 2Mi | 50m+50m/500m+500m | 64Mi+64Mi/512Mi+512Mi |
+
+### woodpecker
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| woodpecker-agent-0 | 1m | 17Mi | 15m/150m | ~100Mi/400Mi |
+| woodpecker-agent-1 | 1m | 28Mi | 25m/250m | 64Mi/256Mi |
+| woodpecker-server-0 | 4m | 32Mi | 25m/250m | 64Mi/256Mi |
+
+### website
+| Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----|----------|----------|-------------|-------------|
+| blog (x3, 2 containers each) | 0-1m | 17-19Mi | 11m+11m/22m+110m | ~50Mi+~50Mi/512Mi+200Mi |
+
+### Other Small Namespaces
+| Namespace | Pod | CPU Used | Mem Used | CPU Req/Lim | Mem Req/Lim |
+|-----------|-----|----------|----------|-------------|-------------|
+| city-guesser | city-guesser | 1m | 23Mi | 250m/500m | 50Mi/512Mi |
+| coturn | coturn | 1m | 7Mi | 15m/150m | ~100Mi/400Mi |
+| cyberchef | cyberchef | 0m | 8Mi | 15m/150m | ~100Mi/400Mi |
+| diun | diun | 1m | 24Mi | 15m/150m | ~100Mi/400Mi |
+| excalidraw | excalidraw | 0m | 2Mi | 15m/150m | ~100Mi/400Mi |
+| f1-stream | f1-stream | 7m | 53Mi | 50m/500m | 64Mi/256Mi |
+| freshrss | freshrss | 1m | 56Mi | 25m/250m | 64Mi/256Mi |
+| hackmd | hackmd | 2m | 82Mi | 15m/150m | ~138Mi/~552Mi |
+| health | health | 2m | 101Mi | 100m/1000m | 256Mi/1Gi |
+| isponsorblocktv | isponsorblocktv-vermont | 1m | 42Mi | 15m/150m | ~100Mi/400Mi |
+| jsoncrack | jsoncrack | 0m | 7Mi | 15m/150m | ~100Mi/400Mi |
+| k8s-portal | k8s-portal | 0m | 14Mi | 25m/250m | 64Mi/256Mi |
+| navidrome | navidrome | 1m | 62Mi | 15m/150m | ~156Mi/~623Mi |
+| ntfy | ntfy | 1m | 20Mi | 25m/250m | 64Mi/256Mi |
+| owntracks | owntracks | 1m | 1Mi | 15m/150m | ~100Mi/400Mi |
+| plotting-book | plotting-book | 0m | 22Mi | 50m/500m | 128Mi/512Mi |
+| privatebin | privatebin | 1m | 46Mi | 15m/150m | ~100Mi/400Mi |
+| send | send | 0m | 53Mi | 15m/150m | ~100Mi/400Mi |
+| shadowsocks | shadowsocks | 1m | 0Mi | 15m/150m | ~100Mi/400Mi |
+| tor-proxy | tor-proxy | 1m | 61Mi | 15m/150m | ~105Mi/~419Mi |
+| vaultwarden | vaultwarden | 1m | 49Mi | 50m/200m | 64Mi/256Mi |
+| wealthfolio | wealthfolio | 0m | 8Mi | 15m/150m | ~100Mi/400Mi |
+| webhook-handler | webhook-handler | 1m | 8Mi | 15m/30m | ~100Mi/1Gi |
+| xray | xray | 0m | 11Mi | 50m/500m | 64Mi/512Mi |
+
+---
+
+## LIMITRANGE DEFAULTS BY NAMESPACE
+
+| Namespace | Default CPU | Default Mem | Max CPU | Max Mem | Tier |
+|-----------|-------------|-------------|---------|---------|------|
+| **GPU tier (2-gpu)** | | | | | |
+| ebook2audiobook | 1 | 2Gi | 8 | 16Gi | 2-gpu |
+| frigate | 1 | 2Gi | 8 | 16Gi | 2-gpu |
+| immich | 1 | 2Gi | 8 | 16Gi | 2-gpu |
+| nvidia | 1 | 2Gi | 8 | 16Gi | 2-gpu |
+| ollama | 1 | 2Gi | 8 | 16Gi | 2-gpu |
+| whisper | 1 | 2Gi | 8 | 16Gi | 2-gpu |
+| **Core tier (0-core)** | | | | | |
+| cloudflared | 500m | 512Mi | 4 | 8Gi | 0-core |
+| headscale | 500m | 512Mi | 4 | 8Gi | 0-core |
+| technitium | 500m | 512Mi | 4 | 8Gi | 0-core |
+| traefik | 500m | 512Mi | 4 | 8Gi | 0-core |
+| wireguard | 500m | 512Mi | 4 | 8Gi | 0-core |
+| xray | 500m | 512Mi | 4 | 8Gi | 0-core |
+| **Cluster tier (1-cluster)** | | | | | |
+| authentik | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| cnpg-system | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| crowdsec | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| dbaas | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| metrics-server | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| monitoring | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| poison-fountain | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| redis | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| tuya-bridge | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| uptime-kuma | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| vpa | 500m | 512Mi | 2 | 4Gi | 1-cluster |
+| **Edge tier (3-edge)** | | | | | |
+| Most app namespaces | 250m | 256Mi | 2 | 4Gi | 3-edge |
+| **Aux tier (4-aux)** | | | | | |
+| Some app namespaces | 250m | 256Mi | 2 | 4Gi | 4-aux |
+| **Custom LimitRanges** | | | | | |
+| nextcloud | 250m | 256Mi | 16 | 8Gi | Custom |
+| onlyoffice | 250m | 256Mi | 8 | 8Gi | Custom |
+| **No tier** | | | | | |
+| aiostreams | 250m | 256Mi | 1 | 2Gi | None |
+| default | 250m | 256Mi | 1 | 2Gi | None |
+| descheduler | 250m | 256Mi | 1 | 2Gi | None |
+| gadget | 250m | 256Mi | 1 | 2Gi | None |
+| kured | 250m | 256Mi | 1 | 2Gi | None |
+| local-path-storage | 250m | 256Mi | 1 | 2Gi | None |
+| mysql-operator | 250m | 256Mi | 1 | 2Gi | None |
+| reverse-proxy | 250m | 256Mi | 1 | 2Gi | None |
+| tigera-operator | 250m | 256Mi | 1 | 2Gi | None |
+
+---
+
+## RESOURCEQUOTA UTILIZATION (top consumers)
+
+| Namespace | CPU Req Used/Hard | Mem Req Used/Hard | Pods Used/Hard | % Mem Req |
+|-----------|-------------------|-------------------|----------------|-----------|
+| monitoring | 1177m/16000m | ~9Gi/16Gi | 32/100 | ~56% |
+| authentik | 680m/16000m | ~3.3Gi/16Gi | 10/50 | ~21% |
+| crowdsec | 1619m/8000m | ~1.1Gi/8Gi | 7/30 | ~14% |
+| dbaas | 1500m/8000m | 4416Mi/12Gi | 7/30 | ~36% |
+| immich | 845m/8000m | ~4.1Gi/8Gi | 4/40 | ~51% |
+| ollama | 515m/8000m | ~4.7Gi/8Gi | 2/40 | ~59% |
+| nextcloud | 136m/4000m | ~1.5Gi/8Gi | 2/10 | ~19% |
+| rybbit | 140m/2000m | ~791Mi/2Gi | 3/20 | ~39% |
+
+---
+
+## ACTION ITEMS
+
+### Immediate (potential service impact)
+1. **dashy** -- CPU throttled at 98% (490m/500m). Increase CPU limit or investigate high CPU usage.
+2. **stirling-pdf** -- CPU throttled at 99.7% (299m/300m). Increase CPU limit.
+3. **dbaas/mysql-cluster-0** -- Previously OOMKilled. Currently at ~1845Mi with 2Gi limit on mysql container (~90%). Monitor closely or increase limit.
+4. **vpa/vpa-admission-certgen** -- ImagePullBackOff. Fix image reference.
+5. **trading-bot-workers** -- 1901Mi across 6 containers, sentiment-analyzer at 2Gi limit. Verify not OOMing.
+
+### Medium Priority (resource waste or risk)
+6. **kms/kms-web-page** -- Guaranteed QoS at 500m CPU / 512Mi, but only uses 0m/10Mi. Massive overprovisioning.
+7. **ollama/ollama** -- Requests 4Gi memory but uses 11Mi (GPU model in VRAM). If not using CPU memory, reduce request.
+8. **resume/printer** -- Requests 1Gi memory but uses 109Mi. Consider reducing.
+9. **nvidia-driver-daemonset** -- No limits set, using 1168Mi. Standard for driver but worth noting.
+10. **servarr/flaresolverr** -- At 58% memory (148Mi/256Mi). Trending toward limit.
+
+### Low Priority (optimization opportunities)
+11. Multiple pods in the monitoring namespace have generous limits but low actual usage (node-exporters at 9-24Mi with 800Mi limits).
+12. crowdsec-agent pods have Guaranteed QoS (req=limit) at 500m/250Mi but use only 3-13m CPU and 43-48Mi memory.
+13. Many edge-tier pods using <10% of their memory limits -- VPA recommendations could help right-size.
--- a/.planning/quick/resource-audit-terraform-definitions.md
+++ b/.planning/quick/resource-audit-terraform-definitions.md
@ -0,0 +1,273 @@
+# Terraform Container Resource Audit
+
+Generated: 2026-03-01
+
+## Tier Defaults (Kyverno LimitRange)
+
+For reference, containers WITHOUT explicit `resources {}` blocks receive these defaults from Kyverno-generated LimitRanges:
+
+| Tier | Default CPU | Default Mem | Request CPU | Request Mem | Max CPU | Max Mem |
+|------|-------------|-------------|-------------|-------------|---------|---------|
+| 0-core | 500m | 512Mi | 50m | 64Mi | 4 | 8Gi |
+| 1-cluster | 500m | 512Mi | 50m | 64Mi | 2 | 4Gi |
+| 2-gpu | 1 | 2Gi | 100m | 256Mi | 8 | 16Gi |
+| 3-edge | 250m | 256Mi | 25m | 64Mi | 2 | 4Gi |
+| 4-aux | 250m | 256Mi | 25m | 64Mi | 2 | 4Gi |
+
+Namespaces with custom LimitRange (opt-out): `nextcloud`, `onlyoffice`
+
+---
+
+## Section 1: Containers WITHOUT Explicit Resources (Relying on LimitRange Defaults)
+
+These are the highest-risk containers -- they receive LimitRange defaults which may be too low or too high.
+
+| Stack | Namespace | Deployment/Resource | Container | Tier | Default CPU Lim | Default Mem Lim | Risk Notes |
+|-------|-----------|-------------------|-----------|------|-----------------|-----------------|------------|
+| blog | website | blog | nginx-exporter | 4-aux | 250m | 256Mi | Sidecar; likely fine |
+| cyberchef | cyberchef | cyberchef | cyberchef | 4-aux | 250m | 256Mi | |
+| echo | echo | echo | echo | 3-edge | 250m | 256Mi | 5 replicas, no resources |
+| networking-toolbox | networking-toolbox | networking-toolbox | networking-toolbox | 4-aux | 250m | 256Mi | 3 replicas |
+| shadowsocks | shadowsocks | shadowsocks | shadowsocks | 3-edge | 250m | 256Mi | |
+| tor-proxy | tor-proxy | tor-proxy | tor-proxy | 4-aux | 250m | 256Mi | |
+| tuya-bridge | tuya-bridge | tuya-bridge | tuya-bridge | 1-cluster | 500m | 512Mi | 3 replicas in cluster tier |
+| audiobookshelf | audiobookshelf | audiobookshelf | audiobookshelf | 4-aux | 250m | 256Mi | May need more for transcoding |
+| changedetection | changedetection | changedetection | sockpuppetbrowser | 4-aux | 250m | 256Mi | Chromium browser; likely needs more |
+| changedetection | changedetection | changedetection | changedetection | 4-aux | 250m | 256Mi | |
+| diun | diun | diun | diun | 4-aux | 250m | 256Mi | |
+| excalidraw | excalidraw | excalidraw | excalidraw | 4-aux | 250m | 256Mi | |
+| freshrss | freshrss | freshrss | freshrss | 4-aux | 250m | 256Mi | |
+| isponsorblocktv | isponsorblocktv | isponsorblocktv-vermont | isponsorblocktv-vermont | 3-edge | 250m | 256Mi | |
+| matrix | matrix | matrix | matrix | 4-aux | 250m | 256Mi | 0 replicas (disabled) |
+| navidrome | navidrome | navidrome | navidrome | 4-aux | 250m | 256Mi | Music streaming |
+| ntfy | ntfy | ntfy | ntfy | 4-aux | 250m | 256Mi | |
+| owntracks | owntracks | owntracks | owntracks | 4-aux | 250m | 256Mi | |
+| privatebin | privatebin | privatebin | privatebin | 3-edge | 250m | 256Mi | |
+| wealthfolio | wealthfolio | wealthfolio | wealthfolio | 4-aux | 250m | 256Mi | |
+| whisper | whisper | whisper | whisper | 2-gpu | 1 | 2Gi | No GPU resource claim; GPU tier |
+| whisper | whisper | piper | piper | 2-gpu | 1 | 2Gi | No GPU resource claim; GPU tier |
+| send | send | send | send | 4-aux | 250m | 256Mi | |
+| n8n | n8n | n8n | n8n | 4-aux | 250m | 256Mi | Workflow automation; may need more |
+| linkwarden | linkwarden | linkwarden | linkwarden | 4-aux | 250m | 256Mi | Next.js app; may OOM |
+| dawarich | dawarich | dawarich | dawarich | 3-edge | 250m | 256Mi | Rails app; may OOM |
+| hackmd | hackmd | hackmd | codimd | 3-edge | 250m | 256Mi | Node.js; may need more |
+| tandoor | tandoor | tandoor | recipes | 4-aux | 250m | 256Mi | Django app |
+| grampsweb | grampsweb | grampsweb | grampsweb | 4-aux | 250m | 256Mi | Flask app |
+| grampsweb | grampsweb | grampsweb | grampsweb-celery | 4-aux | 250m | 256Mi | Celery worker |
+| affine | affine | affine | migration (init) | 4-aux | 250m | 256Mi | Init container; runs prisma migrate |
+| actualbudget (factory) | actualbudget | actualbudget-{name} | actualbudget | 3-edge | 250m | 256Mi | 3 instances (viktor, anca, emo) |
+| actualbudget (factory) | actualbudget | actualbudget-http-api-{name} | actualbudget | 3-edge | 250m | 256Mi | Conditional (budget_encryption_password) |
+| actualbudget (factory) | actualbudget | bank-sync-{name} (CronJob) | bank-sync | 3-edge | 250m | 256Mi | Curl container |
+| osm_routing | osm-routing | osrm-foot | osrm-foot | 4-aux | 250m | 256Mi | OSRM needs ~1GB RAM for routing data |
+| osm_routing | osm-routing | otp | otp | 4-aux | 250m | 256Mi | 0 replicas (disabled); OTP needs 2Gi+ |
+| servarr/prowlarr | servarr | prowlarr | prowlarr | 4-aux | 250m | 256Mi | |
+| servarr/qbittorrent | servarr | qbittorrent | qbittorrent | 4-aux | 250m | 256Mi | |
+| servarr/flaresolverr | servarr | flaresolverr | flaresolverr | 4-aux | 250m | 256Mi | Chromium-based; likely needs more |
+| real-estate-crawler | realestate-crawler | realestate-crawler-ui | realestate-crawler-ui | 4-aux | 250m | 256Mi | 2 replicas |
+| real-estate-crawler | realestate-crawler | realestate-crawler-celery | celery-worker | 4-aux | 250m | 256Mi | |
+| nextcloud | nextcloud | whiteboard | whiteboard | custom (3-edge) | 250m | 256Mi | Custom LimitRange: max 16 CPU/8Gi |
+| nextcloud | nextcloud | nextcloud-backup (CronJob) | backup | custom (3-edge) | 250m | 256Mi | rsync container |
+| calibre | calibre | annas-archive-stacks | annas-archive-stacks | 3-edge | 250m | 256Mi | |
+| ollama | ollama | ollama-ui | ollama-ui | 2-gpu | 1 | 2Gi | Open WebUI; needs significant mem |
+| immich | immich | immich-server | immich-server | 2-gpu | 1 | 2Gi | Photo server; needs resources |
+| immich | immich | immich-postgresql | immich-postgresql | 2-gpu | 1 | 2Gi | PostgreSQL; needs resources |
+| immich | immich | postgresql-backup (CronJob) | postgresql-backup | 2-gpu | 1 | 2Gi | |
+| rybbit | rybbit | rybbit | rybbit | 4-aux | 250m | 256Mi | Node.js backend |
+| rybbit | rybbit | rybbit-client | rybbit-client | 4-aux | 250m | 256Mi | |
+| poison-fountain | poison-fountain | poison-fetcher (CronJob) | fetcher | 1-cluster | 500m | 512Mi | curl container |
+| platform/dbaas | dbaas | mysql-backup (CronJob) | mysql-backup | 1-cluster | 500m | 512Mi | |
+| platform/dbaas | dbaas | phpmyadmin | phpmyadmin | 1-cluster | 500m | 512Mi | |
+| platform/dbaas | dbaas | pgadmin | pgadmin | 1-cluster | 500m | 512Mi | |
+| platform/dbaas | dbaas | postgresql-backup (CronJob) | postgresql-backup | 1-cluster | 500m | 512Mi | |
+| platform/xray | xray | xray | xray | 0-core | 500m | 512Mi | |
+| platform/wireguard | wireguard | wireguard | sysctl-setup (init) | 0-core | 500m | 512Mi | |
+| platform/wireguard | wireguard | wireguard | wireguard | 0-core | 500m | 512Mi | |
+| platform/wireguard | wireguard | wireguard | prometheus-exporter | 0-core | 500m | 512Mi | |
+| platform/cloudflared | cloudflared | cloudflared | cloudflared | 0-core | 500m | 512Mi | |
+| platform/mailserver | mailserver | mailserver | docker-mailserver | 0-core | 500m | 512Mi | Mail server needs more RAM |
+| platform/mailserver | mailserver | dovecot-exporter | dovecot-exporter | 0-core | 500m | 512Mi | |
+| platform/crowdsec | crowdsec | crowdsec-web | crowdsec-web | 1-cluster | 500m | 512Mi | |
+| platform/crowdsec | crowdsec | blocklist-import (CronJob) | blocklist-import | 1-cluster | 500m | 512Mi | |
+| platform/k8s-portal | k8s-portal | k8s-portal | portal | 0-core | 500m | 512Mi | |
+| platform/monitoring | monitoring | monitor-prometheus (CronJob) | monitor-prometheus | opted-out | N/A | N/A | No LimitRange in monitoring ns |
+| platform/redis | redis | redis-backup (CronJob) | redis-backup | 1-cluster | 500m | 512Mi | |
+| platform/infra-maint | kube-system | backup-etcd (CronJob) | backup-etcd | N/A | N/A | N/A | kube-system; no Kyverno LimitRange |
+| platform/infra-maint | kube-system | backup-purge (CronJob) | backup-purge | N/A | N/A | N/A | |
+| platform/infra-maint | kube-system | cleanup-failed (CronJob) | cleanup | N/A | N/A | N/A | |
+
+---
+
+## Section 2: Containers WITH Explicit Resources
+
+| Stack | Namespace | Deployment/Resource | Container | CPU Req | CPU Lim | Mem Req | Mem Lim | Tier | Notes |
+|-------|-----------|-------------------|-----------|---------|---------|---------|---------|------|-------|
+| blog | website | blog | blog | 250m | 500m | 50Mi | 512Mi | 4-aux | |
+| city-guesser | city-guesser | city-guesser | city-guesser | 250m | 500m | 50Mi | 512Mi | 4-aux | |
+| coturn | coturn | coturn | coturn | 100m | 1 | 128Mi | 512Mi | 3-edge | |
+| kms | kms | kms-web-page | kms-web-page | 500m | 500m | 512Mi | 512Mi | 4-aux | Req==Lim, high for nginx |
+| kms | kms | kms (windows) | windows-kms | 1 | 1 | 50Mi | 512Mi | 4-aux | 1 CPU req seems high |
+| travel_blog | travel-blog | travel-blog | travel-blog | 250m | 500m | 50Mi | 512Mi | 4-aux | |
+| webhook_handler | webhook-handler | webhook-handler | webhook-handler | 250m | 500m | 50Mi | 512Mi | 4-aux | |
+| freedify (factory) | freedify | music-{name} | freedify | 100m | 500m | 256Mi | 512Mi | 4-aux | Parameterized; 2 instances |
+| health | health | health | health | 100m | 1 | 256Mi | 1Gi | 4-aux | |
+| plotting-book | plotting-book | plotting-book | plotting-book | 50m | 500m | 128Mi | 512Mi | 4-aux | |
+| frigate | frigate | frigate | frigate | -- | GPU:1 | -- | -- | 2-gpu | Only nvidia.com/gpu limit |
+| ebook2audiobook | ebook2audiobook | ebook2audiobook | ebook2audiobook | -- | GPU:1 | -- | -- | 2-gpu | Only nvidia.com/gpu limit |
+| ebook2audiobook | ebook2audiobook | audiblez | audiblez | -- | GPU:1 | -- | -- | 2-gpu | Only nvidia.com/gpu; 0 replicas |
+| ebook2audiobook | ebook2audiobook | audiblez-web | audiblez-web | -- | GPU:1 | -- | -- | 2-gpu | Only nvidia.com/gpu limit |
+| ytdlp | ytdlp | ytdlp | ytdlp | 25m | 500m | 128Mi | 512Mi | 4-aux | |
+| ytdlp | ytdlp | yt-highlights | yt-highlights | -- | GPU:1 | -- | -- | 4-aux | GPU workload in aux-tier ns |
+| real-estate-crawler | realestate-crawler | realestate-crawler-api | realestate-crawler-api | 50m | 2000m | 128Mi | 1Gi | 4-aux | |
+| real-estate-crawler | realestate-crawler | realestate-crawler-celery-beat | celery-beat | 10m | 200m | 64Mi | 256Mi | 4-aux | |
+| affine | affine | affine | affine | 100m | 2 | 512Mi | 4Gi | 4-aux | |
+| atuin | atuin | atuin | atuin | 50m | 500m | 64Mi | 256Mi | 4-aux | |
+| osm_routing | osm-routing | osrm-bicycle | osrm-bicycle | 15m | 250m | 512Mi | 1Gi | 4-aux | |
+| paperless-ngx | paperless-ngx | paperless-ngx | paperless-ngx | 100m | 2 | 256Mi | 1Gi | 3-edge | |
+| stirling-pdf | stirling-pdf | stirling-pdf | stirling-pdf | 100m | 2 | 256Mi | 1Gi | 4-aux | |
+| netbox | netbox | netbox | netbox | 25m | 1 | 64Mi | 512Mi | 4-aux | |
+| speedtest | speedtest | speedtest | speedtest | 25m | 500m | 64Mi | 512Mi | 4-aux | |
+| meshcentral | meshcentral | meshcentral | meshcentral | 15m | 500m | 64Mi | 384Mi | 4-aux | |
+| forgejo | forgejo | forgejo | forgejo | 15m | 500m | 64Mi | 512Mi | 3-edge | |
+| dashy | dashy | dashy | dashy | 15m | 500m | 64Mi | 512Mi | 4-aux | |
+| url | url | shlink | shlink | 25m | -- | 128Mi | 512Mi | 4-aux | No CPU limit |
+| url | url | shlink-web | shlink-web | 250m | 500m | 50Mi | 512Mi | 4-aux | |
+| f1-stream | f1-stream | f1-stream | f1-stream | 50m | 500m | 64Mi | 256Mi | 4-aux | |
+| calibre | calibre | calibre-web-automated | calibre-web-automated | 50m | 1 | 256Mi | 1Gi | 3-edge | |
+| poison-fountain | poison-fountain | poison-fountain | poison-fountain | 10m | 100m | 32Mi | 128Mi | 1-cluster | |
+| ollama | ollama | ollama | ollama | 500m | 4 | 4Gi | 12Gi + GPU:1 | 2-gpu | |
+| onlyoffice | onlyoffice | onlyoffice-document-server | onlyoffice-document-server | 250m | 8 | 512Mi | 4Gi | 3-edge | Custom LimitRange |
+| openclaw | openclaw | openclaw | openclaw | 100m | 2 | 512Mi | 2Gi | 4-aux | |
+| openclaw | openclaw | openclaw | modelrelay (sidecar) | 25m | 500m | 64Mi | 256Mi | 4-aux | |
+| openclaw | openclaw | cluster-healthcheck (CronJob) | healthcheck | 50m | -- | 64Mi | 128Mi | 4-aux | No CPU limit |
+| resume | resume | printer | printer | 50m | 1 | 128Mi | 512Mi | 4-aux | Chromium |
+| resume | resume | resume | resume | 25m | 500m | 128Mi | 384Mi | 4-aux | |
+| rybbit | rybbit | clickhouse | clickhouse | 100m | 2 | 512Mi | 4Gi | 4-aux | |
+| immich | immich | immich-machine-learning | immich-machine-learning | -- | GPU:1 | -- | -- | 2-gpu | Only nvidia.com/gpu limit |
+| trading-bot | trading-bot | trading-bot-frontend | dashboard | 10m | 200m | 32Mi | 128Mi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-frontend | api-gateway | 50m | 1000m | 128Mi | 512Mi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-workers | news-fetcher | 10m | 500m | 64Mi | 256Mi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-workers | sentiment-analyzer | 100m | 2000m | 512Mi | 2Gi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-workers | signal-generator | 10m | 500m | 64Mi | 256Mi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-workers | trade-executor | 10m | 500m | 64Mi | 256Mi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-workers | learning-engine | 10m | 500m | 64Mi | 256Mi | 3-edge | |
+| trading-bot | trading-bot | trading-bot-workers | market-data | 10m | 500m | 64Mi | 256Mi | 3-edge | |
+| platform/technitium | technitium | technitium | technitium | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/vaultwarden | vaultwarden | vaultwarden | vaultwarden | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/uptime-kuma | uptime-kuma | uptime-kuma | uptime-kuma | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/headscale | headscale | headscale | headscale | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/headscale | headscale | headscale | headscale-ui | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/traefik | traefik | traefik-default-backend | nginx | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/traefik | traefik | traefik-local-backend | nginx | YES | YES | YES | YES | 0-core | Has resources block |
+| platform/nvidia | nvidia | nvidia-exporter | nvidia-exporter | YES | YES | YES | YES | 2-gpu | Has resources block |
+| platform/nvidia | nvidia | nvidia-power-exporter | exporter | YES | YES | YES | YES | 2-gpu | Has resources block |
+| platform/monitoring | monitoring | goflow2 | goflow2 | YES | YES | YES | YES | 1-cluster | Has resources block |
+
+---
+
+## Section 3: Helm Chart Deployments (Resources via values.yaml)
+
+These services are deployed via Helm charts. Resource configuration is in the chart's values files, not directly visible in main.tf.
+
+| Stack | Namespace | Chart | Values File | Tier | Notes |
+|-------|-----------|-------|-------------|------|-------|
+| homepage | homepage | jameswynn/homepage | values.yaml | 4-aux | Check values for resources |
+| k8s-dashboard | kubernetes-dashboard | kubernetes-dashboard v7.12.0 | -- | 1-cluster | No custom values for resources |
+| reloader | reloader | stakater/reloader | -- | 4-aux | No custom values |
+| descheduler | descheduler | descheduler | values.yaml | -- | No tier label |
+| woodpecker | woodpecker | woodpecker v3.5.1 | values.yaml | 3-edge | Custom quota; check values |
+| nextcloud | nextcloud | nextcloud/nextcloud v8.8.1 | chart_values.yaml | 3-edge | Custom LimitRange/Quota |
+| platform/traefik | traefik | traefik | chart values | 0-core | |
+| platform/metallb | metallb | metallb | -- | 0-core | |
+| platform/redis | redis | bitnami/redis | chart values | 1-cluster | |
+| platform/monitoring | monitoring | prometheus, grafana, loki | various | 1-cluster | Opted out of Kyverno quota |
+| platform/kyverno | kyverno | kyverno | chart values | 1-cluster | |
+| platform/cnpg | cnpg | cnpg-operator | -- | 1-cluster | |
+| platform/metrics-server | metrics-server | metrics-server | -- | 1-cluster | |
+| platform/vpa | vpa | fairwinds/vpa | -- | 1-cluster | |
+| platform/crowdsec | crowdsec | crowdsec | chart values | 1-cluster | |
+| platform/nvidia | nvidia | nvidia gpu-operator | chart values | 2-gpu | Opted out of Kyverno quota |
+| platform/authentik | authentik | authentik | chart values | 0-core | Custom quota |
+| platform/dbaas | dbaas | mysql-operator/innodbcluster | chart values | 1-cluster | Custom quota |
+
+---
+
+## Section 4: High-Risk Findings Summary
+
+### OOM-Kill Risk (containers likely needing more than 256Mi default)
+
+| Container | Namespace | Tier Default Mem | Why It's Risky |
+|-----------|-----------|-----------------|----------------|
+| sockpuppetbrowser | changedetection | 256Mi | Headless Chromium browser |
+| flaresolverr | servarr | 256Mi | Chromium-based solver |
+| osrm-foot | osm-routing | 256Mi | OSRM loads routing graph into memory (~500MB+) |
+| navidrome | navidrome | 256Mi | Music library indexing |
+| linkwarden | linkwarden | 256Mi | Next.js app with screenshot capture |
+| n8n | n8n | 256Mi | Workflow automation with many nodes |
+| dawarich | dawarich | 256Mi | Rails app |
+| hackmd (codimd) | hackmd | 256Mi | Node.js collaborative editor |
+| ollama-ui | ollama | 2Gi | Open WebUI; may be fine in GPU tier |
+| immich-server | immich | 2Gi | Photo processing server |
+| immich-postgresql | immich | 2Gi | PostgreSQL with pgvector |
+| docker-mailserver | mailserver | 512Mi | ClamAV, SpamAssassin, etc. |
+| audiobookshelf | audiobookshelf | 256Mi | Media server with transcoding |
+
+### GPU Containers with Only nvidia.com/gpu Limit (no CPU/Mem specified)
+
+These get LimitRange defaults for CPU/Mem but only have GPU limits set:
+
+| Container | Namespace | Tier | Gets Default |
+|-----------|-----------|------|-------------|
+| frigate | frigate | 2-gpu | 1 CPU / 2Gi |
+| ebook2audiobook | ebook2audiobook | 2-gpu | 1 CPU / 2Gi |
+| audiblez | ebook2audiobook | 2-gpu | 1 CPU / 2Gi |
+| audiblez-web | ebook2audiobook | 2-gpu | 1 CPU / 2Gi |
+| yt-highlights | ytdlp | 4-aux | 250m / 256Mi (!) |
+| immich-machine-learning | immich | 2-gpu | 1 CPU / 2Gi |
+
+**Note**: `yt-highlights` is in the `ytdlp` namespace (4-aux tier) but runs on GPU node. Its default of 256Mi is very low for a Whisper ASR model.
+
+### Containers with No Resources in Core/Cluster Tier (higher defaults but still worth checking)
+
+| Container | Namespace | Tier | Default |
+|-----------|-----------|------|---------|
+| xray | xray | 0-core | 500m / 512Mi |
+| wireguard | wireguard | 0-core | 500m / 512Mi |
+| wireguard prometheus-exporter | wireguard | 0-core | 500m / 512Mi |
+| cloudflared | cloudflared | 0-core | 500m / 512Mi |
+| docker-mailserver | mailserver | 0-core | 500m / 512Mi |
+| dovecot-exporter | mailserver | 0-core | 500m / 512Mi |
+| k8s-portal | k8s-portal | 0-core | 500m / 512Mi |
+| tuya-bridge | tuya-bridge | 1-cluster | 500m / 512Mi |
+| phpmyadmin | dbaas | 1-cluster | 500m / 512Mi |
+| pgadmin | dbaas | 1-cluster | 500m / 512Mi |
+| crowdsec-web | crowdsec | 1-cluster | 500m / 512Mi |
+
+---
+
+## Section 5: Statistics
+
+### Totals
+
+- **Total unique containers audited**: ~120+
+- **Containers WITH explicit resources**: ~55
+- **Containers WITHOUT explicit resources**: ~65
+- **Helm-managed (resources in values)**: ~18 charts
+
+### By Tier (containers without resources)
+
+| Tier | Count | Risk Level |
+|------|-------|------------|
+| 0-core | 7 | Medium (512Mi default is usually OK) |
+| 1-cluster | 7 | Medium |
+| 2-gpu | 5 | Low (2Gi default is generous) |
+| 3-edge | 8 | High (256Mi can OOM Node/Rails/Java apps) |
+| 4-aux | 25+ | High (256Mi is tight for many services) |
+| monitoring (opted-out) | 1 | Low (no LimitRange at all) |
+| kube-system | 3 | Low (no Kyverno) |
+
+### Recommendations
+
+1. **Immediate action**: Add explicit resources to `sockpuppetbrowser`, `flaresolverr`, `osrm-foot`, `docker-mailserver`, `immich-server`, `immich-postgresql`, `linkwarden`, `n8n`
+2. **GPU containers**: Add explicit CPU/Mem alongside nvidia.com/gpu for `frigate`, `ebook2audiobook`, `audiblez-web`, `immich-machine-learning`, `yt-highlights`
+3. **Review**: `kms-web-page` has 500m/512Mi request==limit for nginx (wasteful)
+4. **CronJobs**: Most CronJob containers lack resources -- acceptable for short-lived jobs but adds to ResourceQuota consumption
--- a/.planning/quick/resource-audit-vpa-recommendations.md
+++ b/.planning/quick/resource-audit-vpa-recommendations.md
--- a/.planning/quick/resource-plan.md
+++ b/.planning/quick/resource-plan.md
@ -0,0 +1,285 @@
+# Resource Right-Sizing Plan
+
+## Methodology
+- **Conservative**: limits = max(VPA upper bound * 2, current live usage * 2, minimum sane value)
+- **Requests**: VPA target or current usage, whichever is higher
+- **Floor values**: 10m CPU req, 25m CPU lim, 32Mi mem req, 64Mi mem lim (nothing goes below these)
+- **GPU containers**: keep nvidia.com/gpu, add CPU/mem based on VPA data
+- **Ollama special case**: remove CPU/mem limits entirely (keep only GPU + minimal requests)
+
+## Wave 1: CRITICAL FIXES (actively broken)
+
+### dashy — CPU throttled at 98% (490m/500m), mem needs 2.36Gi
+- File: stacks/dashy/main.tf
+- VPA target: 15m CPU, 2.36Gi mem | Upper: 15m CPU, 3.23Gi mem
+- Live: 490m CPU, 1048Mi mem
+- **New**: req 50m/512Mi, lim 2/4Gi
+
+### stirling-pdf — CPU throttled at 99.7% (299m/300m)
+- File: stacks/stirling-pdf/main.tf
+- VPA target: 29m CPU, 1.41Gi mem | Upper: 29m CPU, 1.41Gi mem
+- Live: 299m CPU, 902Mi mem
+- **New**: req 100m/512Mi, lim 2/2Gi
+
+### MySQL cluster — OOMKilled, 1845Mi with 2Gi limit
+- File: stacks/platform/modules/dbaas/main.tf
+- Already bumped to 3Gi in previous session, but pods show 512Mi (VPA override legacy)
+- VPA target: 2.77Gi | Upper: 6.90Gi
+- **New**: top-level resources: req 250m/2Gi, lim 2/4Gi; podSpec.containers mysql: same
+
+### traefik auth-proxy & bot-block-proxy — VPA says need 100Mi, limit is 32Mi
+- File: stacks/platform/modules/traefik/main.tf
+- **New**: req 5m/32Mi, lim 50m/128Mi
+
+## Wave 2: STANDALONE STACKS — containers without explicit resources
+
+### affine — over-provisioned (2 CPU / 4Gi, uses 4m/174Mi)
+- VPA upper: 63m/307Mi
+- **New**: req 25m/128Mi, lim 250m/512Mi
+
+### aiostreams — mem at 215Mi with 768Mi limit, VPA says 641Mi target
+- **New**: req 25m/256Mi, lim 500m/1Gi
+
+### audiobookshelf — no resources, 55Mi usage
+- VPA upper: 15m/170Mi
+- **New**: req 15m/64Mi, lim 250m/512Mi
+
+### changedetection — sockpuppetbrowser (Chromium) + changedetection
+- changedetection: VPA 15m/100Mi | **New**: req 15m/64Mi, lim 250m/256Mi
+- sockpuppetbrowser: Chromium needs more | **New**: req 25m/128Mi, lim 500m/512Mi
+
+### cyberchef — tiny (8Mi), no resources
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### dawarich — Rails app at 438Mi
+- VPA upper: 15m/838Mi
+- **New**: req 15m/256Mi, lim 250m/1Gi
+
+### diun — tiny (24Mi)
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### echo — 5 replicas, tiny (19-30Mi each)
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### excalidraw — tiny (2Mi)
+- **New**: req 10m/16Mi, lim 100m/64Mi
+
+### flaresolverr — Chromium at 148Mi/256Mi (58%)
+- VPA upper: 15m/348Mi
+- **New**: req 25m/128Mi, lim 500m/512Mi
+
+### freshrss — 56Mi
+- VPA upper: 15m/167Mi
+- **New**: req 15m/64Mi, lim 250m/256Mi
+
+### hackmd — Node.js at 82Mi
+- VPA upper: 15m/256Mi
+- **New**: req 15m/64Mi, lim 250m/512Mi
+
+### isponsorblocktv — 42Mi
+- **New**: req 10m/32Mi, lim 150m/256Mi
+
+### linkwarden — Next.js at 682Mi
+- VPA upper: 15m/1.04Gi
+- **New**: req 25m/256Mi, lim 500m/1.5Gi
+
+### n8n — workflow automation at 425Mi
+- VPA upper: 15m/766Mi
+- **New**: req 25m/256Mi, lim 500m/1Gi
+
+### navidrome — music at 62Mi
+- VPA upper: 15m/179Mi
+- **New**: req 15m/64Mi, lim 250m/384Mi
+
+### ntfy — 20Mi
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### owntracks — tiny (1Mi)
+- **New**: req 10m/16Mi, lim 100m/64Mi
+
+### privatebin — 46Mi
+- **New**: req 10m/32Mi, lim 150m/256Mi
+
+### send — 53Mi
+- **New**: req 10m/32Mi, lim 150m/256Mi
+
+### shadowsocks — tiny (0Mi)
+- **New**: req 10m/16Mi, lim 100m/64Mi
+
+### tandoor — Django at 754Mi
+- VPA upper: 15m/1.14Gi
+- **New**: req 25m/256Mi, lim 250m/1.5Gi
+
+### tor-proxy — 61Mi
+- VPA upper: 15m/167Mi
+- **New**: req 10m/64Mi, lim 150m/256Mi
+
+### wealthfolio — tiny (8Mi)
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### networking-toolbox — tiny, 3 replicas
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### tuya-bridge — IoT bridge, 3 replicas
+- VPA upper: 15m/100Mi
+- **New**: req 10m/32Mi, lim 150m/256Mi
+
+### rybbit — Node.js backend at 185Mi
+- **New**: req 25m/128Mi, lim 250m/512Mi
+### rybbit-client — 89Mi
+- **New**: req 10m/64Mi, lim 150m/256Mi
+
+## Wave 3: PLATFORM MODULES — containers without explicit resources
+
+### mailserver — docker-mailserver at 183Mi (needs more for ClamAV)
+- VPA upper: 15m/317Mi
+- **New**: req 25m/128Mi, lim 500m/512Mi
+### dovecot-exporter
+- **New**: req 10m/16Mi, lim 100m/64Mi
+
+### cloudflared — 31-59Mi each, 3 replicas
+- VPA upper: 15m/110Mi
+- **New**: req 15m/32Mi, lim 200m/256Mi
+
+### pgadmin — 265Mi
+- VPA upper: 15m/413Mi
+- **New**: req 25m/128Mi, lim 500m/512Mi
+
+### phpmyadmin — 46Mi
+- VPA upper: 15m/100Mi
+- **New**: req 15m/32Mi, lim 250m/256Mi
+
+### crowdsec-web — 46Mi
+- **New**: req 15m/32Mi, lim 250m/256Mi
+
+### xray — 11Mi
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### wireguard — tiny (2Mi)
+- **New**: req 10m/16Mi, lim 100m/128Mi
+### wireguard prometheus-exporter
+- **New**: req 10m/16Mi, lim 50m/64Mi
+
+### k8s-portal — 14Mi
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+## Wave 4: GPU CONTAINERS — add CPU/mem to GPU-only containers
+
+### ollama — SPECIAL: remove limits, keep minimal requests + GPU
+- **New**: req 100m/256Mi, lim nvidia.com/gpu=1 ONLY (no CPU/mem limits)
+
+### frigate — highest mem (3835Mi), CPU (860m)
+- VPA upper: 1.8 CPU, 6.65Gi mem
+- **New**: req 500m/2Gi, lim 4/8Gi + GPU:1
+
+### immich-machine-learning — 1215Mi
+- VPA upper: 15m/2.90Gi
+- **New**: req 100m/1Gi, lim 2/4Gi + GPU:1
+
+### immich-server — no resources, 404Mi, VPA 920m CPU
+- **New**: req 100m/256Mi, lim 2/2Gi
+
+### immich-postgresql — no resources, 268Mi
+- **New**: req 50m/256Mi, lim 1/1Gi
+
+### ollama-ui — 658Mi, no resources
+- VPA upper: 15m/969Mi
+- **New**: req 25m/256Mi, lim 500m/1.5Gi
+
+### whisper — 628Mi, no resources
+- VPA upper: 15m/969Mi
+- **New**: req 25m/256Mi, lim 500m/1.5Gi
+
+### piper — 32Mi
+- **New**: req 25m/64Mi, lim 250m/512Mi
+
+## Wave 5: RIGHT-SIZE OVER-PROVISIONED
+
+### kms-web-page — uses 0m/10Mi but has 500m/512Mi Guaranteed QoS
+- **New**: req 10m/16Mi, lim 50m/64Mi
+
+### kms (windows) — uses 0m/0Mi but has 1/512Mi
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### city-guesser — uses 1m/23Mi but has 250m/500m CPU req
+- **New**: req 10m/32Mi, lim 100m/256Mi
+
+### blog — uses 0m/17Mi but has 250m/500m
+- **New**: req 10m/32Mi, lim 100m/256Mi
+
+### travel-blog — uses 0m/9Mi, has 250m/500m
+- **New**: req 10m/32Mi, lim 100m/256Mi
+
+### webhook-handler — uses 1m/8Mi, has 250m/500m
+- **New**: req 10m/32Mi, lim 100m/256Mi
+
+### coturn — uses 1m/7Mi, has 100m/1 CPU
+- **New**: req 10m/32Mi, lim 100m/128Mi
+
+### health — uses 2m/101Mi, has 100m/1
+- **New**: req 15m/64Mi, lim 250m/256Mi
+
+### plotting-book — uses 0m/22Mi, has 50m/500m
+- **New**: req 10m/32Mi, lim 100m/256Mi
+
+### resume/printer — uses 3m/109Mi, VPA says 1.29Gi mem (Chromium!)
+- **New**: req 25m/128Mi, lim 500m/1.5Gi (Chromium headless)
+
+### resume — uses 1m/116Mi, has 25m/500m
+- **New**: req 15m/64Mi, lim 250m/384Mi
+
+### openclaw/modelrelay — uses low, VPA upper 1.22Gi mem
+- **New**: req 25m/64Mi, lim 500m/512Mi
+
+### atuin — uses 1m/2Mi
+- **New**: req 10m/16Mi, lim 100m/128Mi
+
+### vaultwarden — uses 1m/49Mi
+- **New**: req 10m/32Mi, lim 100m/256Mi
+
+### f1-stream — uses 7m/53Mi
+- **New**: req 25m/64Mi, lim 250m/256Mi
+
+### speedtest — uses 1m/147Mi, has 25m/500m
+- VPA upper: 418m CPU (spikes during tests!)
+- **New**: req 25m/128Mi, lim 1/512Mi
+
+### netbox — uses 1m/480Mi
+- VPA upper: 383m CPU, 605Mi mem
+- **New**: req 25m/256Mi, lim 500m/1Gi
+
+### meshcentral — uses 1m/127Mi
+- VPA upper: 15m/367Mi
+- **New**: req 15m/64Mi, lim 250m/512Mi
+
+### forgejo — uses 1m/170Mi
+- VPA upper: 15m/284Mi
+- **New**: req 15m/64Mi, lim 250m/512Mi
+
+### calibre-web-automated — uses 1m/196Mi
+- VPA upper: 63m/829Mi
+- **New**: req 25m/256Mi, lim 500m/1Gi
+
+### paperless-ngx — uses 4m/691Mi, VPA upper 1.70Gi
+- **New**: req 50m/512Mi, lim 1/2Gi
+
+### realestate-crawler-api — uses 2m/133Mi, has 50m/2000m CPU lim
+- **New**: req 15m/64Mi, lim 250m/512Mi
+
+### realestate-crawler-celery-beat — uses 0m/107Mi
+- **New**: req 10m/64Mi, lim 100m/256Mi
+
+### osrm-bicycle — uses 0m/366Mi
+- VPA upper: 15m/679Mi
+- **New**: req 15m/256Mi, lim 100m/1Gi
+
+### osrm-foot — no resources, uses 0m/359Mi
+- VPA upper similar to bicycle
+- **New**: req 15m/256Mi, lim 100m/1Gi
+
+### freedify — uses 2m/57-68Mi, has 100m/500m
+- **New**: req 15m/64Mi, lim 250m/256Mi
+
+### onlyoffice — uses 3m/1007Mi, has 250m/8 CPU (177x waste on CPU)
+- Keep memory at 4Gi (needs it), reduce CPU
+- **New**: req 100m/512Mi, lim 2/4Gi
--- a/docs/plans/2026-03-03-cluster-hardening-design.md
+++ b/docs/plans/2026-03-03-cluster-hardening-design.md
@ -0,0 +1,73 @@
+# Cluster Hardening Design
+
+**Date**: 2026-03-03
+**Status**: Approved
+**Scope**: Service availability, failure detection, DNS HA
+
+## Context
+
+Reliability audit identified gaps in failure detection (most services lack health probes), NFS monitoring (backbone for 70+ services has no dedicated alerting), and DNS high availability (AXFR-based secondary doesn't sync settings/blocklists).
+
+## Decisions
+
+- No PDBs for now — revisit when adding more replicas
+- No NetworkPolicies in this phase — covered by security observability design
+- Replicate only critical infra (DNS); apps stay at 1 replica
+- Keep databases on NFS; harden via monitoring, not migration
+- Backup/DR items (MinIO, rsync, PBS, runbooks) deferred to a separate effort
+
+## Items
+
+### 1. etcd Backup Alerts — DONE
+
+- `EtcdBackupStale`: fires critical if last successful backup > 36h
+- `EtcdBackupNeverSucceeded`: fires critical if backup has never completed
+- etcd backup image updated to `registry.k8s.io/etcd:3.6.5-0` (matches cluster)
+- Applied 2026-03-03
+
+### 2. Liveness & Readiness Probes
+
+Add HTTP probes to Terraform-managed deployments. Conservative timing to avoid spamming:
+- `periodSeconds: 30`
+- `failureThreshold: 5` (150s before restart)
+- `initialDelaySeconds: 15`
+- `timeoutSeconds: 5`
+
+Use known health endpoints where available, fall back to `GET /` on container port.
+Start with tier-0/tier-1 services, then extend to tier-3/tier-4.
+
+### 3. NFS Health Monitoring
+
+- **Prometheus alert**: `NFSServerDown` via blackbox exporter TCP probe on `10.0.10.15:2049`, fires critical after 2 minutes
+- **Uptime Kuma**: TCP monitor on `10.0.10.15:2049`
+
+### 4. Technitium DNS Clustering
+
+Migrate from AXFR zone transfers to Technitium's built-in clustering:
+
+**Architecture change**:
+- Convert primary + secondary Deployments → single StatefulSet with 2 replicas
+- Add headless Service for stable pod DNS names
+- Separate NFS volumes per replica (existing pattern preserved)
+
+**Clustering setup**:
+- Cluster domain: `dns.viktorbarzin.lan` (permanent)
+- Pod-0: primary (`/api/admin/cluster/init`)
+- Pod-1: secondary (`/api/admin/cluster/initJoin`)
+- HTTPS auto-enabled with self-signed certs (internal only)
+- One-shot setup Job after StatefulSet is running
+
+**What clustering syncs** (vs AXFR which only syncs zone records):
+- Zones (via catalog zone — auto-syncs new zones)
+- Blocklists and allowed lists
+- DNS applications and their configs
+- Users, groups, permissions, API tokens
+- Settings
+
+**Requires maintenance window**: brief DNS outage during StatefulSet migration.
+
+## Implementation Order
+
+1. NFS health monitoring (low effort, no disruption)
+2. Health probes (medium effort, rolling restarts)
+3. Technitium clustering (high effort, requires maintenance window)
--- a/stacks/affine/tiers.tf
+++ b/stacks/affine/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/audiobookshelf/tiers.tf
+++ b/stacks/audiobookshelf/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/blog/tiers.tf
+++ b/stacks/blog/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/calibre/tiers.tf
+++ b/stacks/calibre/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/changedetection/tiers.tf
+++ b/stacks/changedetection/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/city-guesser/tiers.tf
+++ b/stacks/city-guesser/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/coturn/tiers.tf
+++ b/stacks/coturn/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/cyberchef/tiers.tf
+++ b/stacks/cyberchef/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/dashy/tiers.tf
+++ b/stacks/dashy/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/dawarich/tiers.tf
+++ b/stacks/dawarich/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/descheduler/tiers.tf
+++ b/stacks/descheduler/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/diun/tiers.tf
+++ b/stacks/diun/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/echo/tiers.tf
+++ b/stacks/echo/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/excalidraw/tiers.tf
+++ b/stacks/excalidraw/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/forgejo/tiers.tf
+++ b/stacks/forgejo/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/freedify/tiers.tf
+++ b/stacks/freedify/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/freshrss/tiers.tf
+++ b/stacks/freshrss/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/frigate/tiers.tf
+++ b/stacks/frigate/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/grampsweb/tiers.tf
+++ b/stacks/grampsweb/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/hackmd/tiers.tf
+++ b/stacks/hackmd/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/health/tiers.tf
+++ b/stacks/health/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/homepage/tiers.tf
+++ b/stacks/homepage/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/immich/tiers.tf
+++ b/stacks/immich/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/isponsorblocktv/tiers.tf
+++ b/stacks/isponsorblocktv/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/jsoncrack/tiers.tf
+++ b/stacks/jsoncrack/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/k8s-dashboard/tiers.tf
+++ b/stacks/k8s-dashboard/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/kms/tiers.tf
+++ b/stacks/kms/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/linkwarden/tiers.tf
+++ b/stacks/linkwarden/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/matrix/tiers.tf
+++ b/stacks/matrix/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/meshcentral/tiers.tf
+++ b/stacks/meshcentral/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/n8n/tiers.tf
+++ b/stacks/n8n/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/navidrome/tiers.tf
+++ b/stacks/navidrome/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/netbox/tiers.tf
+++ b/stacks/netbox/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/networking-toolbox/tiers.tf
+++ b/stacks/networking-toolbox/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/ntfy/tiers.tf
+++ b/stacks/ntfy/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/onlyoffice/tiers.tf
+++ b/stacks/onlyoffice/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/openclaw/tiers.tf
+++ b/stacks/openclaw/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/owntracks/tiers.tf
+++ b/stacks/owntracks/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/platform/redis-25.3.2.tgz
+++ b/stacks/platform/redis-25.3.2.tgz
--- a/stacks/privatebin/tiers.tf
+++ b/stacks/privatebin/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/real-estate-crawler/tiers.tf
+++ b/stacks/real-estate-crawler/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/reloader/tiers.tf
+++ b/stacks/reloader/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/resume/tiers.tf
+++ b/stacks/resume/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/send/tiers.tf
+++ b/stacks/send/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/shadowsocks/tiers.tf
+++ b/stacks/shadowsocks/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/speedtest/tiers.tf
+++ b/stacks/speedtest/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/tandoor/tiers.tf
+++ b/stacks/tandoor/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/tor-proxy/tiers.tf
+++ b/stacks/tor-proxy/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/travel_blog/tiers.tf
+++ b/stacks/travel_blog/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/tuya-bridge/tiers.tf
+++ b/stacks/tuya-bridge/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/url/tiers.tf
+++ b/stacks/url/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/wealthfolio/tiers.tf
+++ b/stacks/wealthfolio/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/webhook_handler/tiers.tf
+++ b/stacks/webhook_handler/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}
--- a/stacks/whisper/tiers.tf
+++ b/stacks/whisper/tiers.tf
@ -0,0 +1,10 @@
+# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
+locals {
+  tiers = {
+    core    = "0-core"
+    cluster = "1-cluster"
+    gpu     = "2-gpu"
+    edge    = "3-edge"
+    aux     = "4-aux"
+  }
+}