Remove all CPU limits cluster-wide to eliminate CFS throttling

CPU limits cause CFS throttling even when nodes have idle capacity.
Move to a request-only CPU model: keep CPU requests for scheduling
fairness but remove all CPU limits. Memory limits stay (incompressible).

Changes across 108 files:
- Kyverno LimitRange policy: remove cpu from default/max in all 6 tiers
- Kyverno ResourceQuota policy: remove limits.cpu from all 5 tiers
- Custom ResourceQuotas: remove limits.cpu from 8 namespace quotas
- Custom LimitRanges: remove cpu from default/max (nextcloud, onlyoffice)
- RBAC module: remove cpu_limits variable and quota reference
- Freedify factory: remove cpu_limit variable and limits reference
- 86 deployment files: remove cpu from all limits blocks
- 6 Helm values files: remove cpu under limits sections
This commit is contained in:
Viktor Barzin 2026-03-14 08:51:45 +00:00 committed by Viktor Barzin
parent 1eccf0363e
commit 28ac1382d1
108 changed files with 602 additions and 428 deletions


@ -152,7 +152,6 @@ resource "kubernetes_deployment" "actualbudget-http-api" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "affine_postgresql_password" {
type = string
type = string
sensitive = true
}
variable "mailserver_accounts" { type = map(any) }
@ -170,7 +170,6 @@ resource "kubernetes_deployment" "affine" {
}
limits = {
memory = "512Mi"
cpu = "1"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -135,7 +135,6 @@ resource "kubernetes_deployment" "audiobookshelf" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "512Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -48,7 +48,6 @@ resource "kubernetes_deployment" "blog" {
name = "blog"
resources {
limits = {
cpu = "100m"
memory = "256Mi"
}
requests = {


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "homepage_credentials" {
type = map(any)
type = map(any)
sensitive = true
}
variable "nfs_server" { type = string }
@ -200,7 +200,6 @@ resource "kubernetes_deployment" "calibre-web-automated" {
memory = "256Mi"
}
limits = {
cpu = "2"
memory = "1536Mi"
}
}
@ -319,7 +318,6 @@ resource "kubernetes_deployment" "annas-archive-stacks" {
memory = "192Mi"
}
limits = {
cpu = "500m"
memory = "384Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -79,7 +79,6 @@ resource "kubernetes_deployment" "changedetection" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}
@ -119,7 +118,6 @@ resource "kubernetes_deployment" "changedetection" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "256Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -48,7 +48,6 @@ resource "kubernetes_deployment" "city-guesser" {
name = "city-guesser"
resources {
limits = {
cpu = "100m"
memory = "256Mi"
}
requests = {


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "coturn_turn_secret" {
type = string
type = string
sensitive = true
}
variable "public_ip" { type = string }
@ -138,7 +138,6 @@ resource "kubernetes_deployment" "coturn" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -61,7 +61,6 @@ resource "kubernetes_deployment" "cyberchef" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -74,7 +74,6 @@ resource "kubernetes_deployment" "dashy" {
memory = "512Mi"
}
limits = {
cpu = "500m"
memory = "1Gi"
}
}


@ -1,13 +1,13 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "dawarich_database_password" {
type = string
type = string
sensitive = true
}
variable "geoapify_api_key" {
type = string
type = string
sensitive = true
}
@ -155,7 +155,6 @@ resource "kubernetes_deployment" "dawarich" {
memory = "256Mi"
}
limits = {
cpu = "250m"
memory = "1Gi"
}
}


@ -21,7 +21,6 @@ resources:
cpu: 500m
memory: 256Mi
limits:
cpu: 500m
memory: 256Mi
ports:
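Review bot: Dropping `cpu: 500m` from `limits` changes this pod's QoS class, not just its throttling: with `cpu: 500m` / `memory: 256Mi` set identically under `requests` and `limits` on the lines above it was Guaranteed, and with a CPU request but no CPU limit it becomes Burstable, which lowers its eviction priority under node pressure and makes it ineligible for exclusive cores under the kubelet static CPU manager policy. The commit message only discusses CFS throttling; the same demotion applies to every other deployment in this commit whose CPU request equalled its limit. Worth one sentence in the description, e.g. `Pods with cpu request == limit move from Guaranteed to Burstable QoS (Guaranteed requires a CPU limit).`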


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "diun_nfty_token" {
type = string
type = string
sensitive = true
}
variable "diun_slack_url" { type = string }
@ -183,7 +183,6 @@ resource "kubernetes_deployment" "diun" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -58,7 +58,6 @@ resource "kubernetes_deployment" "echo" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -82,7 +82,6 @@ resource "kubernetes_deployment" "excalidraw" {
memory = "16Mi"
}
limits = {
cpu = "100m"
memory = "64Mi"
}
}


@ -1,10 +1,10 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
variable "discord_user_token" {
type = string
type = string
sensitive = true
}
variable "discord_f1_guild_id" { type = string }
@ -58,7 +58,6 @@ resource "kubernetes_deployment" "f1-stream" {
name = "f1-stream"
resources {
limits = {
cpu = "250m"
memory = "256Mi"
}
requests = {


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -104,7 +104,6 @@ resource "kubernetes_deployment" "forgejo" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "512Mi"
}
}


@ -9,13 +9,13 @@ variable "protected" {
default = false
}
variable "listenbrainz_token" {
type = string
default = null
type = string
default = null
sensitive = true
}
variable "genius_token" {
type = string
default = null
type = string
default = null
sensitive = true
}
variable "dab_visitor_id" {
@ -27,14 +27,10 @@ variable "dab_session" {
default = null
}
variable "gemini_api_key" {
type = string
default = null
type = string
default = null
sensitive = true
}
variable "cpu_limit" {
type = string
default = "250m"
}
variable "memory_limit" {
type = string
default = "256Mi"
@ -112,7 +108,6 @@ resource "kubernetes_deployment" "freedify" {
}
resources {
limits = {
cpu = var.cpu_limit
memory = var.memory_limit
}
requests = {
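Review bot: Deleting `variable "cpu_limit"` from the freedify factory turns any caller that still passes `cpu_limit = ...` into a hard `Unsupported argument` error at plan time, and the only caller hunk visible in this commit (the `freedify_credentials` file) shows variable realignment rather than module arguments, so it cannot be confirmed from the diff that no caller is left. If a caller does still set it, the smaller change is to keep the variable as a deprecated no-op with a comment, e.g. `variable "cpu_limit" { type = string, default = null } # deprecated: CPU limits removed cluster-wide, value ignored`, and remove it once callers are cleaned up. The `resources` block this hunk edits continues outside the hunk.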


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "freedify_credentials" {
type = map(any)
type = map(any)
sensitive = true
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -104,7 +104,6 @@ resource "kubernetes_deployment" "freshrss" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "256Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -89,7 +89,6 @@ resource "kubernetes_deployment" "frigate" {
memory = "2Gi"
}
limits = {
cpu = "4"
memory = "8Gi"
"nvidia.com/gpu" = "1"
}


@ -192,7 +192,6 @@ resource "kubernetes_deployment" "grampsweb" {
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}
@ -258,7 +257,6 @@ resource "kubernetes_deployment" "grampsweb" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1Gi"
}
}


@ -1,5 +1,5 @@
variable "hackmd_db_password" {
type = string
type = string
sensitive = true
}
variable "tls_secret_name" {
@ -125,7 +125,6 @@ resource "kubernetes_deployment" "hackmd" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "512Mi"
}
}


@ -1,13 +1,13 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "health_postgresql_password" {
type = string
type = string
sensitive = true
}
variable "health_secret_key" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -105,7 +105,6 @@ resource "kubernetes_deployment" "health" {
}
limits = {
memory = "256Mi"
cpu = "250m"
}
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}


@ -1,17 +1,17 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "immich_postgresql_password" {
type = string
type = string
sensitive = true
}
variable "immich_frame_api_key" {
type = string
type = string
sensitive = true
}
variable "homepage_credentials" {
type = map(any)
type = map(any)
sensitive = true
}
@ -249,7 +249,6 @@ resource "kubernetes_deployment" "immich_server" {
memory = "256Mi"
}
limits = {
cpu = "2"
memory = "2Gi"
}
}
@ -382,7 +381,6 @@ resource "kubernetes_deployment" "immich-postgres" {
memory = "256Mi"
}
limits = {
cpu = "1"
memory = "1Gi"
}
}
@ -522,7 +520,6 @@ resource "kubernetes_deployment" "immich-machine-learning" {
memory = "1Gi"
}
limits = {
cpu = "2"
memory = "4Gi"
"nvidia.com/gpu" = "1"
}
@ -589,16 +586,16 @@ module "ingress-immich" {
skip_default_rate_limit = true
extra_middlewares = ["traefik-immich-rate-limit@kubernetescrd"]
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Photos library"
"gethomepage.dev/icon" = "immich.png"
"gethomepage.dev/name" = "Immich"
"gethomepage.dev/group" = "Media & Entertainment"
"gethomepage.dev/widget.type" = "immich"
"gethomepage.dev/widget.url" = "http://immich-server.immich.svc.cluster.local:2283"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/description" = "Photos library"
"gethomepage.dev/icon" = "immich.png"
"gethomepage.dev/name" = "Immich"
"gethomepage.dev/group" = "Media & Entertainment"
"gethomepage.dev/widget.type" = "immich"
"gethomepage.dev/widget.url" = "http://immich-server.immich.svc.cluster.local:2283"
"gethomepage.dev/widget.version" = "2"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.key" = var.homepage_credentials["immich"]["token"]
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.key" = var.homepage_credentials["immich"]["token"]
}
}


@ -10,8 +10,8 @@
variable "proxmox_host" { type = string }
variable "ssh_private_key" {
type = string
default = ""
type = string
default = ""
sensitive = true
}
@ -21,7 +21,7 @@ variable "ssh_public_key" {
}
variable "vm_wizard_password" {
type = string
type = string
sensitive = true
}


@ -57,7 +57,6 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" {
memory = "32Mi"
}
limits = {
cpu = "150m"
memory = "256Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "client_certificate_secret_name" {


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -61,7 +61,6 @@ resource "kubernetes_deployment" "kms-web-page" {
image_pull_policy = "IfNotPresent"
resources {
limits = {
cpu = "50m"
memory = "64Mi"
}
requests = {
@ -158,7 +157,6 @@ resource "kubernetes_deployment" "windows_kms" {
name = "windows-kms"
resources {
limits = {
cpu = "100m"
memory = "128Mi"
}
requests = {


@ -1,14 +1,14 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "linkwarden_postgresql_password" {
type = string
type = string
sensitive = true
}
variable "linkwarden_authentik_client_id" { type = string }
variable "linkwarden_authentik_client_secret" {
type = string
type = string
sensitive = true
}
variable "postgresql_host" { type = string }
@ -110,7 +110,6 @@ resource "kubernetes_deployment" "linkwarden" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1536Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -122,7 +122,6 @@ resource "kubernetes_deployment" "meshcentral" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "512Mi"
}
}


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "n8n_postgresql_password" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -166,7 +166,6 @@ resource "kubernetes_deployment" "n8n" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1Gi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -103,7 +103,6 @@ resource "kubernetes_deployment" "navidrome" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "384Mi"
}
}


@ -1,13 +1,13 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "netbox_db_password" {
type = string
type = string
sensitive = true
}
variable "netbox_superuser_password" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -146,7 +146,6 @@ resource "kubernetes_deployment" "netbox" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1Gi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
@ -55,7 +55,6 @@ resource "kubernetes_deployment" "networking-toolbox" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -104,7 +104,6 @@ collabora:
resources:
limits:
cpu: "2"
memory: 1Gi
requests:
cpu: 50m


@ -42,7 +42,6 @@ resource "kubernetes_resource_quota" "nextcloud" {
hard = {
"requests.cpu" = "4"
"requests.memory" = "8Gi"
"limits.cpu" = "32"
"limits.memory" = "16Gi"
pods = "10"
}
@ -58,7 +57,6 @@ resource "kubernetes_limit_range" "nextcloud" {
limit {
type = "Container"
default = {
cpu = "250m"
memory = "256Mi"
}
default_request = {
@ -66,7 +64,6 @@ resource "kubernetes_limit_range" "nextcloud" {
memory = "64Mi"
}
max = {
cpu = "16"
memory = "8Gi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -96,11 +96,11 @@ resource "kubernetes_deployment" "ntfy" {
}
env {
name = "NTFY_BEHIND_PROXY"
value = true
value = "true"
}
env {
name = "NTFY_ENABLE_LOGIN"
value = true
value = "true"
}
env {
name = "NTFY_AUTH_FILE"
@ -112,7 +112,7 @@ resource "kubernetes_deployment" "ntfy" {
}
env {
name = "NTFY_ENABLE_METRICS"
value = true
value = "true"
}
volume_mount {
name = "data"
@ -124,7 +124,6 @@ resource "kubernetes_deployment" "ntfy" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "ollama_api_credentials" {
type = map(string)
type = map(string)
sensitive = true
}
variable "nfs_server" { type = string }
@ -265,7 +265,6 @@ resource "kubernetes_deployment" "ollama-ui" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1536Mi"
}
}


@ -1,13 +1,13 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "onlyoffice_db_password" {
type = string
type = string
sensitive = true
}
variable "onlyoffice_jwt_token" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -36,7 +36,6 @@ resource "kubernetes_limit_range" "onlyoffice" {
limit {
type = "Container"
default = {
cpu = "250m"
memory = "256Mi"
}
default_request = {
@ -44,7 +43,6 @@ resource "kubernetes_limit_range" "onlyoffice" {
memory = "64Mi"
}
max = {
cpu = "8"
memory = "8Gi"
}
}
@ -60,7 +58,6 @@ resource "kubernetes_resource_quota" "onlyoffice" {
hard = {
"requests.cpu" = "4"
"requests.memory" = "4Gi"
"limits.cpu" = "16"
"limits.memory" = "16Gi"
pods = "10"
}
@ -113,7 +110,6 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
memory = "512Mi"
}
limits = {
cpu = "2"
memory = "4Gi"
}
}


@ -1,33 +1,37 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "openclaw_ssh_key" {
type = string
type = string
sensitive = true
}
variable "openclaw_skill_secrets" {
type = map(string)
type = map(string)
sensitive = true
}
variable "llama_api_key" {
type = string
type = string
sensitive = true
}
variable "brave_api_key" {
type = string
type = string
sensitive = true
}
variable "openrouter_api_key" {
type = string
type = string
sensitive = true
}
variable "nvidia_api_key" {
type = string
type = string
sensitive = true
}
variable "anthropic_api_key" {
type = string
sensitive = true
}
variable "openclaw_telegram_bot_token" {
type = string
type = string
sensitive = true
}
variable "forgejo_api_token" {
@ -121,10 +125,13 @@ resource "kubernetes_config_map" "openclaw_config" {
mode = "off"
}
model = {
primary = "nim/mistralai/mistral-large-3-675b-instruct-2512"
fallbacks = ["nim/nvidia/llama-3.1-nemotron-ultra-253b-v1", "modelrelay/auto-fastest"]
primary = "anthropic/claude-sonnet-4-20250514"
fallbacks = ["nim/mistralai/mistral-large-3-675b-instruct-2512", "nim/nvidia/llama-3.1-nemotron-ultra-253b-v1", "modelrelay/auto-fastest"]
}
models = {
"anthropic/claude-sonnet-4-20250514" = {}
"anthropic/claude-opus-4-20250514" = {}
"anthropic/claude-haiku-4-20250506" = {}
"modelrelay/auto-fastest" = {}
"nim/deepseek-ai/deepseek-v3.2" = {}
"nim/qwen/qwen3.5-397b-a17b" = {}
@ -190,6 +197,16 @@ resource "kubernetes_config_map" "openclaw_config" {
{ id = "auto-fastest", name = "Auto (Fastest)", reasoning = false, input = ["text"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } },
]
}
anthropic = {
baseUrl = "https://api.anthropic.com/v1"
api = "anthropic-messages"
apiKey = var.anthropic_api_key
models = [
{ id = "claude-sonnet-4-20250514", name = "Claude Sonnet 4", reasoning = true, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.003, output = 0.015, cacheRead = 0.0003, cacheWrite = 0.00375 } },
{ id = "claude-opus-4-20250514", name = "Claude Opus 4", reasoning = true, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.015, output = 0.075, cacheRead = 0.0015, cacheWrite = 0.01875 } },
{ id = "claude-haiku-4-20250506", name = "Claude Haiku 4", reasoning = false, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.0008, output = 0.004, cacheRead = 0.00008, cacheWrite = 0.001 } },
]
}
nim = {
baseUrl = "https://integrate.api.nvidia.com/v1"
api = "openai-completions"
@ -270,6 +287,14 @@ module "nfs_data" {
nfs_path = "/mnt/main/openclaw/data"
}
module "nfs_cc_config" {
source = "../../modules/kubernetes/nfs_volume"
name = "cc-config"
namespace = kubernetes_namespace.openclaw.metadata[0].name
nfs_server = var.nfs_server
nfs_path = "/mnt/main/openclaw/cc-config"
}
resource "kubernetes_deployment" "openclaw" {
metadata {
name = "openclaw"
@ -383,8 +408,42 @@ resource "kubernetes_deployment" "openclaw" {
# Symlink Claude skills into OpenClaw skills directory
ln -sfn /workspace/infra/.claude/skills /openclaw-home/skills
# Pull shared CC config from NFS bare repo
if [ ! -d /openclaw-home/cc-config/.git ]; then
git clone /cc-config/cc-config.git /openclaw-home/cc-config 2>/dev/null || true
else
(cd /openclaw-home/cc-config && git pull --ff-only) || true
fi
# Apply shared config to OpenClaw
if [ -d /openclaw-home/cc-config ]; then
# Copy shared CLAUDE.md (global knowledge)
[ -f /openclaw-home/cc-config/CLAUDE.md ] && \
cp /openclaw-home/cc-config/CLAUDE.md /openclaw-home/CLAUDE.md
# Copy shared skills (separate dir from infra skills)
if [ -d /openclaw-home/cc-config/skills ]; then
mkdir -p /openclaw-home/cc-skills
cp -r /openclaw-home/cc-config/skills/* /openclaw-home/cc-skills/ 2>/dev/null || true
fi
# Copy shared memory
if [ -d /openclaw-home/cc-config/memory ]; then
mkdir -p /openclaw-home/memory
cp -r /openclaw-home/cc-config/memory/* /openclaw-home/memory/ 2>/dev/null || true
fi
# Copy commands, hooks, agents
for d in commands hooks agents; do
if [ -d /openclaw-home/cc-config/$d ]; then
mkdir -p /openclaw-home/$d
cp -r /openclaw-home/cc-config/$d/* /openclaw-home/$d/ 2>/dev/null || true
fi
done
fi
# Create required directories (owned by node user, UID 1000)
mkdir -p /openclaw-home/agents/main/sessions /openclaw-home/credentials /openclaw-home/canvas /openclaw-home/devices /openclaw-home/cron
mkdir -p /openclaw-home/agents/main/sessions /openclaw-home/credentials /openclaw-home/canvas /openclaw-home/devices /openclaw-home/cron /openclaw-home/cc-skills /openclaw-home/memory
chown -R 1000:1000 /openclaw-home
chmod 700 /openclaw-home
@ -443,6 +502,10 @@ resource "kubernetes_deployment" "openclaw" {
name = "openclaw-config"
mount_path = "/openclaw-config-src"
}
volume_mount {
name = "cc-config"
mount_path = "/cc-config"
}
}
# Main container: OpenClaw
@ -534,7 +597,6 @@ resource "kubernetes_deployment" "openclaw" {
}
resources {
limits = {
cpu = "2"
memory = "2Gi"
}
requests = {
@ -576,7 +638,6 @@ resource "kubernetes_deployment" "openclaw" {
}
resources {
limits = {
cpu = "500m"
memory = "512Mi"
}
requests = {
@ -617,6 +678,12 @@ resource "kubernetes_deployment" "openclaw" {
default_mode = "0600"
}
}
volume {
name = "cc-config"
persistent_volume_claim {
claim_name = module.nfs_cc_config.claim_name
}
}
volume {
name = "openclaw-config"
config_map {
@ -797,8 +864,8 @@ resource "kubernetes_deployment" "task_webhook" {
spec {
service_account_name = kubernetes_service_account.task_webhook.metadata[0].name
container {
name = "webhook"
image = "python:3-alpine"
name = "webhook"
image = "python:3-alpine"
command = ["sh", "-c", "apk add --no-cache curl > /dev/null 2>&1 && curl -sfL https://dl.k8s.io/release/v1.34.2/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && exec python3 -u /app/server.py"]
port {
container_port = 8080
@ -813,7 +880,6 @@ resource "kubernetes_deployment" "task_webhook" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "64Mi"
}
}
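Review bot: The new `anthropic` provider block writes `apiKey = var.anthropic_api_key` into `kubernetes_config_map.openclaw_config` (the resource named in that hunk header; its body starts and ends outside the hunk), so a credential marked `sensitive = true` at the variable ends up in a ConfigMap, which is readable by anyone with ConfigMap read in the namespace and is not covered by Secret-specific at-rest encryption or RBAC separation. The adjacent `nim` block appears to follow the same pattern, so this may be an existing design choice, but a newly added key is the natural point to move provider credentials into a Secret and reference them from the config rather than inline. Separately, the init script's `git clone /cc-config/cc-config.git` / `git pull --ff-only` step copies `hooks`, `commands`, `agents` and skills from the NFS-backed bare repo into `/openclaw-home` with every failure masked by `2>/dev/null || true`; because that content runs in the agent's context, treat the NFS export as part of the trust boundary, pin the checkout to a reviewed ref, and log failures instead of swallowing them, e.g. `git -C /openclaw-home/cc-config checkout --quiet "<pinned-ref>"` after the pull (placeholder ref).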


@ -10,7 +10,24 @@ resource "kubernetes_namespace" "osm-routing" {
name = "osm-routing"
labels = {
"istio-injection" : "disabled"
tier = local.tiers.aux
tier = local.tiers.aux
"resource-governance/custom-quota" = "true"
}
}
}
resource "kubernetes_resource_quota_v1" "osm_routing" {
metadata {
name = "tier-quota"
namespace = kubernetes_namespace.osm-routing.metadata[0].name
}
spec {
hard = {
"requests.cpu" = "4"
"requests.memory" = "6Gi"
"limits.cpu" = "16"
"limits.memory" = "16Gi"
pods = "20"
}
}
}
@ -77,7 +94,6 @@ resource "kubernetes_deployment" "osrm-foot" {
memory = "256Mi"
}
limits = {
cpu = "100m"
memory = "1Gi"
}
}
@ -158,7 +174,6 @@ resource "kubernetes_deployment" "osrm-bicycle" {
memory = "256Mi"
}
limits = {
cpu = "100m"
memory = "1Gi"
}
}
@ -235,16 +250,15 @@ resource "kubernetes_deployment" "otp" {
}
env {
name = "JAVA_TOOL_OPTIONS"
value = "-Xmx1536m"
value = "-Xmx3g"
}
resources {
requests = {
cpu = "100m"
memory = "1Gi"
memory = "2Gi"
}
limits = {
cpu = "2"
memory = "2Gi"
memory = "4Gi"
}
}
}
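Review bot: The newly added `kubernetes_resource_quota_v1.osm_routing` sets `"limits.cpu" = "16"` while the hunks below it in the same file remove the container CPU limits from `osrm-foot`, `osrm-bicycle` and `otp`, and the commit also drops the CPU default from the tier LimitRange; a ResourceQuota that constrains `limits.cpu` makes the API server reject any pod in that namespace whose containers do not declare a CPU limit, so if those deployments live in `osm-routing` (which the file layout suggests) they would fail admission once this quota exists. Every other custom quota in this commit (`nextcloud`, `onlyoffice`, `authentik`, `crowdsec`, `dbaas`) removes `limits.cpu`, so this one line looks like an oversight: delete `"limits.cpu" = "16"` from the `hard` map. The duplicated `tier = local.tiers.aux` line is presumably a whitespace realignment rather than a real change.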


@ -2,7 +2,6 @@
variable "kube_config_path" {
type = string
default = "~/.kube/config"
sensitive = true
}
provider "kubernetes" {


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "owntracks_credentials" {
type = map(string)
type = map(string)
sensitive = true
}
variable "nfs_server" { type = string }
@ -114,7 +114,6 @@ resource "kubernetes_deployment" "owntracks" {
memory = "16Mi"
}
limits = {
cpu = "100m"
memory = "64Mi"
}
}


@ -1,13 +1,13 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "paperless_db_password" {
type = string
type = string
sensitive = true
}
variable "homepage_credentials" {
type = map(any)
type = map(any)
sensitive = true
}
variable "nfs_server" { type = string }
@ -133,7 +133,6 @@ resource "kubernetes_deployment" "paperless-ngx" {
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}


@ -38,21 +38,21 @@ variable "prod" {
# --- dbaas ---
variable "dbaas_root_password" {
type = string
type = string
sensitive = true
}
variable "dbaas_postgresql_root_password" {
type = string
type = string
sensitive = true
}
variable "dbaas_pgadmin_password" {
type = string
type = string
sensitive = true
}
# --- traefik ---
variable "ingress_crowdsec_api_key" {
type = string
type = string
sensitive = true
}
variable "auth_fallback_htpasswd" {
@ -63,11 +63,11 @@ variable "auth_fallback_htpasswd" {
# --- technitium ---
variable "technitium_db_password" {
type = string
type = string
sensitive = true
}
variable "homepage_credentials" {
type = map(any)
type = map(any)
sensitive = true
}
@ -81,11 +81,11 @@ variable "k8s_ca_cert" {
# --- authentik / rbac / k8s-portal ---
variable "authentik_secret_key" {
type = string
type = string
sensitive = true
}
variable "authentik_postgres_password" {
type = string
type = string
sensitive = true
}
variable "k8s_users" {
@ -101,23 +101,23 @@ variable "ssh_private_key" {
# --- crowdsec ---
variable "crowdsec_enroll_key" { type = string }
variable "crowdsec_db_password" {
type = string
type = string
sensitive = true
}
variable "crowdsec_dash_api_key" {
type = string
type = string
sensitive = true
}
variable "crowdsec_dash_machine_id" { type = string }
variable "crowdsec_dash_machine_password" {
type = string
type = string
sensitive = true
}
variable "alertmanager_slack_api_url" { type = string }
# --- cloudflared ---
variable "cloudflare_api_key" {
type = string
type = string
sensitive = true
}
variable "cloudflare_email" { type = string }
@ -128,44 +128,44 @@ variable "public_ip" { type = string }
variable "cloudflare_proxied_names" {}
variable "cloudflare_non_proxied_names" {}
variable "cloudflare_tunnel_token" {
type = string
type = string
sensitive = true
}
# --- monitoring ---
variable "alertmanager_account_password" {
type = string
type = string
sensitive = true
}
variable "monitoring_idrac_username" { type = string }
variable "monitoring_idrac_password" {
type = string
type = string
sensitive = true
}
variable "tiny_tuya_service_secret" {
type = string
type = string
sensitive = true
}
variable "haos_api_token" {
type = string
type = string
sensitive = true
}
variable "pve_password" {
type = string
type = string
sensitive = true
}
variable "grafana_db_password" {
type = string
type = string
sensitive = true
}
variable "grafana_admin_password" {
type = string
type = string
sensitive = true
}
# --- vaultwarden ---
variable "vaultwarden_smtp_password" {
type = string
type = string
sensitive = true
}
@ -177,7 +177,7 @@ variable "wireguard_firewall_sh" { type = string }
# --- xray ---
variable "xray_reality_clients" { type = list(map(string)) }
variable "xray_reality_private_key" {
type = string
type = string
sensitive = true
}
variable "xray_reality_short_ids" { type = list(string) }
@ -188,19 +188,19 @@ variable "mailserver_aliases" {}
variable "mailserver_opendkim_key" {}
variable "mailserver_sasl_passwd" {}
variable "mailserver_roundcubemail_db_password" {
type = string
type = string
sensitive = true
}
# --- infra-maintenance ---
variable "webhook_handler_git_user" { type = string }
variable "webhook_handler_git_token" {
type = string
type = string
sensitive = true
}
variable "technitium_username" { type = string }
variable "technitium_password" {
type = string
type = string
sensitive = true
}
@ -417,10 +417,10 @@ module "nfs-csi" {
# iSCSI CSI democratic-csi for TrueNAS iSCSI (database storage)
# -----------------------------------------------------------------------------
module "iscsi-csi" {
source = "./modules/iscsi-csi"
tier = local.tiers.cluster
truenas_host = var.nfs_server # Same TrueNAS host
truenas_api_key = var.truenas_api_key
source = "./modules/iscsi-csi"
tier = local.tiers.cluster
truenas_host = var.nfs_server # Same TrueNAS host
truenas_api_key = var.truenas_api_key
truenas_ssh_private_key = var.truenas_ssh_private_key
}


@ -35,7 +35,6 @@ resource "kubernetes_resource_quota" "authentik" {
hard = {
"requests.cpu" = "16"
"requests.memory" = "16Gi"
"limits.cpu" = "48"
"limits.memory" = "96Gi"
pods = "50"
}


@ -22,7 +22,6 @@ server:
cpu: 100m
memory: 512Mi
limits:
cpu: "2"
memory: 1Gi
topologySpreadConstraints:
- maxSkew: 1
@ -51,7 +50,6 @@ worker:
cpu: 50m
memory: 384Mi
limits:
cpu: "1"
memory: 1Gi
topologySpreadConstraints:
- maxSkew: 1


@ -76,7 +76,6 @@ resource "kubernetes_deployment" "cloudflared" {
memory = "32Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}


@ -40,7 +40,6 @@ resource "helm_release" "cnpg" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}


@ -4,12 +4,12 @@ variable "homepage_password" {}
variable "db_password" {}
variable "enroll_key" {}
variable "crowdsec_dash_api_key" {
type = string
type = string
sensitive = true
}
variable "crowdsec_dash_machine_id" { type = string } # used for web dash
variable "crowdsec_dash_machine_id" { type = string } # used for web dash
variable "crowdsec_dash_machine_password" {
type = string
type = string
sensitive = true
}
variable "tier" { type = string }
@ -171,7 +171,6 @@ resource "kubernetes_deployment" "crowdsec-web" {
memory = "32Mi"
}
limits = {
cpu = "250m"
memory = "256Mi"
}
}
@ -368,7 +367,6 @@ resource "kubernetes_resource_quota" "crowdsec" {
hard = {
"requests.cpu" = "8"
"requests.memory" = "8Gi"
"limits.cpu" = "16"
"limits.memory" = "16Gi"
pods = "30"
}


@ -36,7 +36,6 @@ resource "kubernetes_resource_quota" "dbaas" {
hard = {
"requests.cpu" = "8"
"requests.memory" = "12Gi"
"limits.cpu" = "32"
"limits.memory" = "64Gi"
pods = "30"
}
@ -82,7 +81,6 @@ resource "helm_release" "mysql_operator" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}
@ -186,7 +184,6 @@ resource "helm_release" "mysql_cluster" {
memory = "1Gi"
}
limits = {
cpu = "2"
memory = "4Gi"
}
}
@ -224,7 +221,6 @@ resource "helm_release" "mysql_cluster" {
}
limits = {
memory = "3Gi"
cpu = "2"
}
}
}]
@ -233,21 +229,21 @@ resource "helm_release" "mysql_cluster" {
name = "fixdatadir"
resources = {
requests = { memory = "64Mi", cpu = "25m" }
limits = { memory = "256Mi", cpu = "500m" }
limits = { memory = "256Mi" }
}
},
{
name = "initconf"
resources = {
requests = { memory = "256Mi", cpu = "50m" }
limits = { memory = "1Gi", cpu = "1" }
limits = { memory = "1Gi" }
}
},
{
name = "initmysql"
resources = {
requests = { memory = "512Mi", cpu = "250m" }
limits = { memory = "2Gi", cpu = "2" }
limits = { memory = "2Gi" }
}
}
]
@ -553,7 +549,6 @@ resource "kubernetes_deployment" "phpmyadmin" {
memory = "32Mi"
}
limits = {
cpu = "250m"
memory = "256Mi"
}
}
@ -848,7 +843,7 @@ resource "null_resource" "pg_cluster" {
storage_size = "20Gi"
storage_class = "iscsi-truenas"
memory_limit = "4Gi"
cpu_limit = "2"
}
provisioner "local-exec" {
@ -875,7 +870,6 @@ resource "null_resource" "pg_cluster" {
cpu: "250m"
memory: "512Mi"
limits:
cpu: "2"
memory: "4Gi"
EOF
EOT
@ -986,7 +980,6 @@ resource "kubernetes_deployment" "pgadmin" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}


@ -82,7 +82,6 @@ resource "kubernetes_deployment" "headscale" {
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}
@ -167,7 +166,6 @@ resource "kubernetes_deployment" "headscale" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -35,10 +35,11 @@ resource "helm_release" "democratic_csi" {
}]
controller = {
replicas = 2
driver = {
resources = {
requests = { cpu = "25m", memory = "64Mi" }
limits = { cpu = "250m", memory = "256Mi" }
limits = { memory = "256Mi" }
}
}
}
@ -47,7 +48,7 @@ resource "helm_release" "democratic_csi" {
driver = {
resources = {
requests = { cpu = "25m", memory = "64Mi" }
limits = { cpu = "250m", memory = "256Mi" }
limits = { memory = "256Mi" }
}
}
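Review bot: The controller `replicas = 2` added at the top of the first hunk is a functional change bundled into a CPU-limit commit and is not mentioned in the commit message, which only lists limit removals; the same unmentioned bump (1 → 2) appears in the nfs_csi_driver section further down. Running two CSI controller replicas is only safe if the provisioner/attacher/resizer sidecars have leader election enabled in the chart values, otherwise both instances act on the same PVC events; please confirm that for both charts or document why it is fine. A one-line comment next to each, e.g. `replicas = 2 # HA controller; sidecars use leader election`, would make the intent reviewable.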


@ -75,7 +75,6 @@ resource "kubernetes_deployment" "k8s_portal" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}
@ -131,14 +130,14 @@ module "ingress" {
}
}
# Unprotected ingress for the setup script (needs to be curl-able without auth)
# Unprotected ingress for the setup script and agent endpoint (needs to be curl-able without auth)
module "ingress_setup_script" {
source = "../../../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.k8s_portal.metadata[0].name
name = "k8s-portal-setup"
host = "k8s-portal"
service_name = "k8s-portal"
ingress_path = ["/setup/script"]
ingress_path = ["/setup/script", "/agent"]
tls_secret_name = var.tls_secret_name
protected = false
}
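Review bot: The new `/agent` path on `ingress_setup_script` is served with `protected = false`, so forward-auth no longer gates it and anything that can reach the host can call the agent endpoint; the commit message does not mention this exposure. That is acceptable only if the portal authenticates agent requests itself (a per-agent token or mTLS) and rejects unauthenticated calls, so please confirm and record it in the comment, e.g. `# Unprotected ingress: /setup/script and /agent are reached without a session; /agent must verify its own agent token`. If the default middleware chain includes rate limiting (the docker-registry-ui section overrides it to remove one), keeping it on this ingress would also bound abuse of the unauthenticated path.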


@ -130,7 +130,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
{
type = "Container"
default = {
cpu = "500m"
memory = "512Mi"
}
defaultRequest = {
@ -138,7 +137,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
memory = "256Mi"
}
max = {
cpu = "4"
memory = "8Gi"
}
}
@ -189,7 +187,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
{
type = "Container"
default = {
cpu = "500m"
memory = "512Mi"
}
defaultRequest = {
@ -197,7 +194,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
memory = "256Mi"
}
max = {
cpu = "2"
memory = "4Gi"
}
}
@ -248,7 +244,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
{
type = "Container"
default = {
cpu = "1"
memory = "2Gi"
}
defaultRequest = {
@ -256,7 +251,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
memory = "1Gi"
}
max = {
cpu = "8"
memory = "16Gi"
}
}
@ -307,7 +301,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
{
type = "Container"
default = {
cpu = "250m"
memory = "256Mi"
}
defaultRequest = {
@ -315,7 +308,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
memory = "128Mi"
}
max = {
cpu = "2"
memory = "4Gi"
}
}
@ -366,7 +358,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
{
type = "Container"
default = {
cpu = "250m"
memory = "256Mi"
}
defaultRequest = {
@ -374,7 +365,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
memory = "128Mi"
}
max = {
cpu = "2"
memory = "4Gi"
}
}
@ -428,7 +418,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
{
type = "Container"
default = {
cpu = "250m"
memory = "256Mi"
}
defaultRequest = {
@ -436,7 +425,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
memory = "128Mi"
}
max = {
cpu = "1"
memory = "2Gi"
}
}
@ -517,7 +505,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
hard = {
"requests.cpu" = "8"
"requests.memory" = "8Gi"
"limits.cpu" = "32"
"limits.memory" = "64Gi"
pods = "100"
}
@ -566,7 +553,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
hard = {
"requests.cpu" = "4"
"requests.memory" = "4Gi"
"limits.cpu" = "16"
"limits.memory" = "32Gi"
pods = "30"
}
@ -615,7 +601,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
hard = {
"requests.cpu" = "8"
"requests.memory" = "8Gi"
"limits.cpu" = "16"
"limits.memory" = "32Gi"
pods = "40"
}
@ -664,7 +649,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
hard = {
"requests.cpu" = "4"
"requests.memory" = "4Gi"
"limits.cpu" = "16"
"limits.memory" = "32Gi"
pods = "30"
}
@ -713,7 +697,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
hard = {
"requests.cpu" = "2"
"requests.memory" = "2Gi"
"limits.cpu" = "8"
"limits.memory" = "16Gi"
pods = "20"
}
@ -920,3 +903,91 @@ resource "kubernetes_manifest" "mutate_ndots" {
}
}
}
# -----------------------------------------------------------------------------
# Layer 5: GPU Node Toleration for Critical Services (Kyverno Mutate)
# -----------------------------------------------------------------------------
# Adds nvidia.com/gpu toleration to pods in tier-0 and tier-1 namespaces.
# This allows critical infrastructure to overflow onto the GPU node (k8s-node1)
# during N-1 scenarios, giving the scheduler ~14 GiB extra capacity.
# GPU workloads won't be preempted this just makes the node eligible.
resource "kubernetes_manifest" "mutate_gpu_toleration_critical" {
manifest = {
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
metadata = {
name = "gpu-toleration-critical-tiers"
annotations = {
"policies.kyverno.io/title" = "GPU Toleration for Critical Tiers"
"policies.kyverno.io/description" = "Adds nvidia.com/gpu toleration to pods in tier-0-core and tier-1-cluster namespaces so they can overflow onto the GPU node during N-1 failures."
}
}
spec = {
rules = [
{
name = "add-gpu-toleration-tier-0"
match = {
any = [
{
resources = {
kinds = ["Pod"]
operations = ["CREATE"]
namespaceSelector = {
matchLabels = {
tier = "0-core"
}
}
}
}
]
}
mutate = {
patchStrategicMerge = {
spec = {
tolerations = [
{
key = "nvidia.com/gpu"
operator = "Exists"
effect = "NoSchedule"
}
]
}
}
}
},
{
name = "add-gpu-toleration-tier-1"
match = {
any = [
{
resources = {
kinds = ["Pod"]
operations = ["CREATE"]
namespaceSelector = {
matchLabels = {
tier = "1-cluster"
}
}
}
}
]
}
mutate = {
patchStrategicMerge = {
spec = {
tolerations = [
{
key = "nvidia.com/gpu"
operator = "Exists"
effect = "NoSchedule"
}
]
}
}
}
},
]
}
}
}
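Review bot: The new `mutate_gpu_toleration_critical` policy uses `patchStrategicMerge` on `spec.tolerations`, and `tolerations` has no merge key in the PodSpec schema, so the patch may replace a pod's existing tolerations (for example control-plane tolerations on tier-0 DaemonSets) with just the GPU one instead of appending it; a `patchesJson6902` `add` to `/spec/tolerations/-` is the safe form, or at least test the policy against a pod that already carries tolerations before enabling it. The policy is also absent from the commit message, which describes only limit removals. Separately, with `cpu` dropped from every LimitRange `max`, the only cap on a single container's CPU request is now the namespace `requests.cpu` quota, which is presumably the intent; a comment in the LimitRange policy such as `# cpu intentionally absent: no CFS limits; requests.cpu quota bounds scheduling` would stop the next reader from re-adding it.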


@ -365,7 +365,6 @@ resource "kubernetes_deployment" "mailserver" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}
@ -395,7 +394,6 @@ resource "kubernetes_deployment" "mailserver" {
memory = "16Mi"
}
limits = {
cpu = "100m"
memory = "64Mi"
}
}


@ -1,5 +1,5 @@
variable "roundcube_db_password" {
type = string
type = string
sensitive = true
}
variable "mysql_host" { type = string }


@ -204,5 +204,4 @@ controller:
cpu: 50m
memory: 512Mi
limits:
cpu: 200m
memory: 1Gi


@ -32,7 +32,6 @@ resource "helm_release" "caretta" {
memory = "300Mi"
}
limits = {
cpu = "200m"
memory = "512Mi"
}
}


@ -43,7 +43,6 @@ resource "kubernetes_deployment" "goflow2" {
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}


@ -7,7 +7,6 @@ resources:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
topologySpreadConstraints:
- maxSkew: 1


@ -72,7 +72,6 @@ singleBinary:
cpu: 250m
memory: 2Gi
limits:
cpu: "1"
memory: 4Gi
# Zero out replica counts of other deployment modes


@ -7,28 +7,28 @@ variable "idrac_username" {
default = "root"
}
variable "idrac_password" {
default = "calvin"
default = "calvin"
sensitive = true
}
variable "alertmanager_slack_api_url" {}
variable "tiny_tuya_service_secret" {
type = string
type = string
sensitive = true
}
variable "haos_api_token" {
type = string
type = string
sensitive = true
}
variable "pve_password" {
type = string
type = string
sensitive = true
}
variable "grafana_db_password" {
type = string
type = string
sensitive = true
}
variable "grafana_admin_password" {
type = string
type = string
sensitive = true
}
variable "tier" { type = string }
@ -211,7 +211,6 @@ resource "kubernetes_resource_quota" "monitoring" {
hard = {
"requests.cpu" = "16"
"requests.memory" = "16Gi"
"limits.cpu" = "64"
"limits.memory" = "64Gi"
pods = "100"
}
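Review bot: `variable "idrac_password"` still carries `default = "calvin"` (the realigned line at the top of the first hunk), a hard-coded credential in a `sensitive` variable: if the tfvars entry is ever missing, whatever consumes it silently authenticates with the vendor's well-known factory password instead of failing the plan. Drop the default so the value must come from tfvars or the secret store, i.e. `variable "idrac_password" { type = string; sensitive = true }`, and consider the same for `idrac_username`. This is pre-existing, but the line is touched here and it is the only sensitive variable in this hunk with a literal default.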


@ -22,16 +22,16 @@ resource "helm_release" "nfs_csi_driver" {
values = [yamlencode({
controller = {
replicas = 1
replicas = 2
resources = {
requests = { cpu = "10m", memory = "32Mi" }
limits = { cpu = "100m", memory = "128Mi" }
limits = { memory = "128Mi" }
}
}
node = {
resources = {
requests = { cpu = "10m", memory = "32Mi" }
limits = { cpu = "100m", memory = "128Mi" }
limits = { memory = "128Mi" }
}
}
storageClass = {


@ -25,7 +25,6 @@ resource "kubernetes_resource_quota" "nvidia_quota" {
}
spec {
hard = {
"limits.cpu" = "32"
"limits.memory" = "48Gi"
"requests.cpu" = "8"
"requests.memory" = "8Gi"
@ -618,7 +617,6 @@ resource "kubernetes_daemonset" "gpu_pod_exporter" {
memory = "128Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
"nvidia.com/gpu" = "1"
}


@ -9,7 +9,6 @@ variable "k8s_users" {
quota = optional(object({
cpu_requests = optional(string, "2")
memory_requests = optional(string, "4Gi")
cpu_limits = optional(string, "4")
memory_limits = optional(string, "8Gi")
pods = optional(string, "20")
}), {})
@ -225,7 +224,6 @@ resource "kubernetes_resource_quota" "user_namespace_quota" {
hard = {
"requests.cpu" = each.value.quota.cpu_requests
"requests.memory" = each.value.quota.memory_requests
"limits.cpu" = each.value.quota.cpu_limits
"limits.memory" = each.value.quota.memory_limits
"pods" = each.value.quota.pods
}
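Review bot: Removing `cpu_limits` from the `optional(object({...}))` quota type in `variable "k8s_users"` is a breaking schema change: Terraform object types reject unknown attributes, so any caller whose `k8s_users` map still passes `quota = { cpu_limits = ... }` fails validation on the next plan instead of being ignored. Either keep the attribute as a deprecated no-op for one release, `cpu_limits = optional(string) # deprecated, ignored`, or confirm every tfvars/module call has been updated in this commit. The enclosing `variable "k8s_users"` block starts above the hunk.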


@ -51,7 +51,6 @@ resource "helm_release" "redis" {
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "128Mi"
}
}
@ -70,7 +69,6 @@ resource "helm_release" "redis" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
@ -91,7 +89,6 @@ resource "helm_release" "redis" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
@ -205,7 +202,6 @@ resource "kubernetes_deployment" "haproxy" {
memory = "16Mi"
}
limits = {
cpu = "100m"
memory = "32Mi"
}
}


@ -73,16 +73,16 @@ module "nas" {
# https://files.viktorbarzin.me/
module "nas-files" {
source = "./factory"
name = "files"
external_name = "nas.viktorbarzin.lan"
port = 5001
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
protected = false # allow anyone to download files
ingress_path = ["/sharing", "/scripts", "/webman", "/wfmlogindialog.js", "/fsdownload"]
max_body_size = "0m"
depends_on = [kubernetes_namespace.reverse-proxy]
source = "./factory"
name = "files"
external_name = "nas.viktorbarzin.lan"
port = 5001
tls_secret_name = var.tls_secret_name
backend_protocol = "HTTPS"
protected = false # allow anyone to download files
ingress_path = ["/sharing", "/scripts", "/webman", "/wfmlogindialog.js", "/fsdownload"]
max_body_size = "0m"
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = { "gethomepage.dev/enabled" = "false" }
}
@ -103,7 +103,7 @@ module "idrac" {
"gethomepage.dev/group" = "Infrastructure"
"gethomepage.dev/pod-selector" = ""
}
depends_on = [kubernetes_namespace.reverse-proxy]
depends_on = [kubernetes_namespace.reverse-proxy]
}
# Can either listen on https or http; can't do both :/
@ -197,24 +197,24 @@ module "docker-registry-ui" {
extra_annotations = {
# Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Docker Registry"
"gethomepage.dev/description" = "Container registry"
"gethomepage.dev/icon" = "docker.png"
"gethomepage.dev/group" = "Infrastructure"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Docker Registry"
"gethomepage.dev/description" = "Container registry"
"gethomepage.dev/icon" = "docker.png"
"gethomepage.dev/group" = "Infrastructure"
"gethomepage.dev/pod-selector" = ""
}
}
# https://valchedrym.viktorbarzin.me/
module "valchedrym" {
source = "./factory"
name = "valchedrym"
external_name = "valchedrym.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
port = 80
backend_protocol = "HTTP"
depends_on = [kubernetes_namespace.reverse-proxy]
source = "./factory"
name = "valchedrym"
external_name = "valchedrym.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
port = 80
backend_protocol = "HTTP"
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = { "gethomepage.dev/enabled" = "false" }
}
@ -235,12 +235,12 @@ module "valchedrym" {
# https://mladost3.viktorbarzin.me/
module "mladost3" {
source = "./factory"
name = "mladost3"
external_name = "mladost3.ddns.net"
port = 8080
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.reverse-proxy]
source = "./factory"
name = "mladost3"
external_name = "mladost3.ddns.net"
port = 8080
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = { "gethomepage.dev/enabled" = "false" }
}
@ -318,13 +318,13 @@ module "london" {
}
}
module "pi-lights" {
source = "./factory"
name = "pi"
external_name = "ha-london.viktorbarzin.lan"
port = 5000
tls_secret_name = var.tls_secret_name
protected = true
depends_on = [kubernetes_namespace.reverse-proxy]
source = "./factory"
name = "pi"
external_name = "ha-london.viktorbarzin.lan"
port = 5000
tls_secret_name = var.tls_secret_name
protected = true
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = { "gethomepage.dev/enabled" = "false" }
}
@ -345,12 +345,12 @@ module "pi-lights" {
# }
module "mbp14" {
source = "./factory"
name = "mbp14"
external_name = "mbp14.viktorbarzin.lan"
port = 4020
tls_secret_name = var.tls_secret_name
protected = true
depends_on = [kubernetes_namespace.reverse-proxy]
source = "./factory"
name = "mbp14"
external_name = "mbp14.viktorbarzin.lan"
port = 4020
tls_secret_name = var.tls_secret_name
protected = true
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = { "gethomepage.dev/enabled" = "false" }
}


@ -38,7 +38,6 @@ resource "helm_release" "sealed_secrets" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "256Mi"
}
}


@ -109,7 +109,6 @@ resource "kubernetes_deployment" "technitium_secondary" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}


@ -6,7 +6,7 @@ variable "nfs_server" { type = string }
variable "mysql_host" { type = string }
variable "technitium_username" { type = string }
variable "technitium_password" {
type = string
type = string
sensitive = true
}
@ -169,7 +169,6 @@ resource "kubernetes_deployment" "technitium" {
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}


@ -1,6 +1,6 @@
variable "tier" { type = string }
variable "crowdsec_api_key" {
type = string
type = string
sensitive = true
}
variable "redis_host" { type = string }
@ -394,7 +394,6 @@ resource "kubernetes_deployment" "bot_block_proxy" {
memory = "32Mi"
}
limits = {
cpu = "50m"
memory = "128Mi"
}
}
@ -583,7 +582,6 @@ resource "kubernetes_deployment" "auth_proxy" {
memory = "32Mi"
}
limits = {
cpu = "50m"
memory = "128Mi"
}
}


@ -71,7 +71,6 @@ resource "kubernetes_deployment" "uptime-kuma" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}


@ -68,7 +68,6 @@ resource "kubernetes_deployment" "vaultwarden" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "256Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "tier" { type = string }


@ -147,7 +147,6 @@ resource "kubernetes_deployment" "wireguard" {
memory = "16Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}
@ -178,7 +177,6 @@ resource "kubernetes_deployment" "wireguard" {
memory = "16Mi"
}
limits = {
cpu = "50m"
memory = "64Mi"
}
}


@ -2,7 +2,7 @@ variable "tls_secret_name" {}
variable "tier" { type = string }
variable "xray_reality_clients" { type = list(map(string)) }
variable "xray_reality_private_key" {
type = string
type = string
sensitive = true
}
variable "xray_reality_short_ids" { type = list(string) }
@ -123,7 +123,6 @@ resource "kubernetes_deployment" "xray" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "plotting_book_session_secret" {
@ -124,7 +124,6 @@ resource "kubernetes_deployment" "plotting-book" {
}
limits = {
memory = "256Mi"
cpu = "100m"
}
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -154,7 +154,6 @@ resource "kubernetes_deployment" "poison_fountain" {
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -73,7 +73,6 @@ resource "kubernetes_deployment" "privatebin" {
memory = "32Mi"
}
limits = {
cpu = "150m"
memory = "256Mi"
}
}


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "realestate_crawler_db_password" {
type = string
type = string
sensitive = true
}
variable "realestate_crawler_notification_settings" { type = map(string) }
@ -17,7 +17,7 @@ resource "kubernetes_namespace" "realestate-crawler" {
name = "realestate-crawler"
labels = {
"istio-injection" : "disabled"
tier = local.tiers.aux
tier = local.tiers.aux
}
}
}
@ -209,7 +209,6 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
memory = "64Mi"
}
limits = {
cpu = "250m"
memory = "512Mi"
}
}
@ -326,7 +325,6 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "3Gi"
}
}
@ -440,7 +438,6 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
memory = "64Mi"
}
limits = {
cpu = "100m"
memory = "256Mi"
}
}


@ -1,10 +1,10 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "resume_database_url" { type = string }
variable "resume_auth_secret" {
type = string
type = string
sensitive = true
}
variable "mailserver_accounts" { type = map(any) }
@ -84,7 +84,6 @@ resource "kubernetes_deployment" "printer" {
}
limits = {
memory = "1536Mi"
cpu = "500m"
}
}
@ -240,7 +239,6 @@ resource "kubernetes_deployment" "resume" {
}
limits = {
memory = "384Mi"
cpu = "250m"
}
}


@ -1,13 +1,13 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "clickhouse_password" {
type = string
type = string
sensitive = true
}
variable "clickhouse_postgres_password" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -119,7 +119,6 @@ resource "kubernetes_deployment" "clickhouse" {
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}
@ -271,7 +270,7 @@ resource "kubernetes_deployment" "rybbit" {
}
env {
name = "DISABLE_SIGNUP"
value = true
value = "true"
}
env {
name = "BETTER_AUTH_SECRET"
@ -279,7 +278,7 @@ resource "kubernetes_deployment" "rybbit" {
}
env {
name = "AUTH_ENABLED"
value = true
value = "true"
}
port {
container_port = 3001
@ -310,7 +309,6 @@ resource "kubernetes_deployment" "rybbit" {
memory = "128Mi"
}
limits = {
cpu = "250m"
memory = "512Mi"
}
}
@ -373,7 +371,7 @@ resource "kubernetes_deployment" "rybbit-client" {
}
env {
name = "DISABLE_SIGNUP"
value = true
value = "true"
}
port {
name = "rybbit-client"
@ -406,7 +404,6 @@ resource "kubernetes_deployment" "rybbit-client" {
memory = "64Mi"
}
limits = {
cpu = "150m"
memory = "256Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -106,7 +106,6 @@ resource "kubernetes_deployment" "send" {
memory = "32Mi"
}
limits = {
cpu = "150m"
memory = "256Mi"
}
}


@ -75,7 +75,6 @@ resource "kubernetes_deployment" "aiostreams" {
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1Gi"
}
}


@ -37,7 +37,6 @@ resource "kubernetes_deployment" "flaresolverr" {
memory = "150Mi"
}
limits = {
cpu = "500m"
memory = "384Mi"
}
}


@ -62,7 +62,6 @@ resource "kubernetes_deployment" "listenarr" {
memory = "256Mi"
}
limits = {
cpu = "1"
memory = "1Gi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "aiostreams_database_connection_string" { type = string }


@ -59,7 +59,6 @@ resource "kubernetes_deployment" "prowlarr" {
memory = "192Mi"
}
limits = {
cpu = "500m"
memory = "384Mi"
}
}


@ -160,15 +160,15 @@ module "ingress" {
tls_secret_name = var.tls_secret_name
protected = true
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "qBittorrent"
"gethomepage.dev/description" = "BitTorrent client"
"gethomepage.dev/icon" = "qbittorrent.png"
"gethomepage.dev/group" = "Media & Entertainment"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.type" = "qbittorrent"
"gethomepage.dev/widget.url" = "http://qbittorrent.servarr.svc.cluster.local"
"gethomepage.dev/widget.username" = var.homepage_credentials["qbittorrent"]["username"]
"gethomepage.dev/widget.password" = var.homepage_credentials["qbittorrent"]["password"]
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "qBittorrent"
"gethomepage.dev/description" = "BitTorrent client"
"gethomepage.dev/icon" = "qbittorrent.png"
"gethomepage.dev/group" = "Media & Entertainment"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.type" = "qbittorrent"
"gethomepage.dev/widget.url" = "http://qbittorrent.servarr.svc.cluster.local"
"gethomepage.dev/widget.username" = var.homepage_credentials["qbittorrent"]["username"]
"gethomepage.dev/widget.password" = var.homepage_credentials["qbittorrent"]["password"]
}
}


@ -1,5 +1,5 @@
variable "shadowsocks_password" {
type = string
type = string
sensitive = true
}
@ -73,7 +73,6 @@ resource "kubernetes_deployment" "shadowsocks" {
memory = "16Mi"
}
limits = {
cpu = "100m"
memory = "64Mi"
}
}


@ -1,9 +1,9 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "speedtest_db_password" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -121,7 +121,6 @@ resource "kubernetes_deployment" "speedtest" {
memory = "128Mi"
}
limits = {
cpu = "1"
memory = "512Mi"
}
}


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -61,7 +61,6 @@ resource "kubernetes_deployment" "stirling-pdf" {
memory = "512Mi"
}
limits = {
cpu = "2"
memory = "2Gi"
}
}


@ -1,14 +1,14 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "tandoor_database_password" {
type = string
type = string
sensitive = true
}
variable "tandoor_email_password" {
type = string
default = ""
type = string
default = ""
sensitive = true
}
variable "nfs_server" { type = string }
@ -157,7 +157,6 @@ resource "kubernetes_deployment" "tandoor" {
memory = "256Mi"
}
limits = {
cpu = "250m"
memory = "1536Mi"
}
}


@ -1,7 +1,8 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "tor-proxy" {
@ -82,7 +83,6 @@ resource "kubernetes_deployment" "tor-proxy" {
memory = "64Mi"
}
limits = {
cpu = "150m"
memory = "256Mi"
}
}
@ -126,3 +126,160 @@ resource "kubernetes_service" "tor-proxy" {
}
}
}
# --- TorrServer ---
module "nfs_torrserver_data" {
source = "../../modules/kubernetes/nfs_volume"
name = "tor-proxy-torrserver-data"
namespace = kubernetes_namespace.tor-proxy.metadata[0].name
nfs_server = var.nfs_server
nfs_path = "/mnt/main/tor-proxy/torrserver"
}
resource "kubernetes_deployment" "torrserver" {
metadata {
name = "torrserver"
namespace = kubernetes_namespace.tor-proxy.metadata[0].name
labels = {
app = "torrserver"
tier = local.tiers.aux
}
}
spec {
replicas = 1
strategy {
type = "Recreate"
}
selector {
match_labels = {
app = "torrserver"
}
}
template {
metadata {
labels = {
app = "torrserver"
}
}
spec {
container {
name = "torrserver"
image = "ghcr.io/yourok/torrserver:MatriX.141"
port {
name = "http"
container_port = 8090
protocol = "TCP"
}
resources {
requests = {
cpu = "100m"
memory = "256Mi"
}
limits = {
memory = "1Gi"
}
}
readiness_probe {
http_get {
path = "/echo"
port = 8090
}
initial_delay_seconds = 5
period_seconds = 10
}
liveness_probe {
http_get {
path = "/echo"
port = 8090
}
initial_delay_seconds = 15
period_seconds = 30
}
volume_mount {
name = "torrserver-data"
mount_path = "/opt/ts"
}
}
volume {
name = "torrserver-data"
persistent_volume_claim {
claim_name = module.nfs_torrserver_data.claim_name
}
}
}
}
}
}
resource "kubernetes_service" "torrserver" {
metadata {
name = "torrserver"
namespace = kubernetes_namespace.tor-proxy.metadata[0].name
labels = {
"app" = "torrserver"
}
}
spec {
selector = {
app = "torrserver"
}
port {
name = "http"
port = 8090
target_port = 8090
}
}
}
# Expose BT peer port for better torrent connectivity
resource "kubernetes_service" "torrserver-bt" {
metadata {
name = "torrserver-bt"
namespace = kubernetes_namespace.tor-proxy.metadata[0].name
labels = {
app = "torrserver-bt"
}
annotations = {
"metallb.universe.tf/allow-shared-ip" = "shared"
}
}
spec {
type = "LoadBalancer"
external_traffic_policy = "Cluster"
selector = {
app = "torrserver"
}
port {
name = "bt-tcp"
port = 5665
target_port = 5665
protocol = "TCP"
}
port {
name = "bt-udp"
port = 5665
target_port = 5665
protocol = "UDP"
}
}
}
module "torrserver_ingress" {
source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.tor-proxy.metadata[0].name
name = "torrserver"
tls_secret_name = var.tls_secret_name
port = "8090"
protected = true
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "TorrServer"
"gethomepage.dev/description" = "Torrent streaming server"
"gethomepage.dev/icon" = "torrserver.png"
"gethomepage.dev/group" = "Media & Entertainment"
"gethomepage.dev/pod-selector" = ""
}
}
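Review bot: The whole TorrServer stack (NFS volume, deployment, two services, ingress) is new in this commit but absent from the commit message, which describes only limit removals; it should be its own commit or at least listed. The `torrserver` container sets no `security_context` even though its peer port is published on a MetalLB `LoadBalancer` with a shared IP, so consider `security_context { run_as_non_root = true; allow_privilege_escalation = false }`, assuming the process only needs write access to `/opt/ts`. `torrserver_ingress` passes `port = "8090"` as a string while other module calls on this page use numbers (`port = 5001`); if the factory declares the attribute as a number, `port = 8090` keeps it consistent. Also confirm TorrServer is configured to listen on 5665, since `torrserver-bt` forwards that port on both TCP and UDP.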


@ -1,5 +1,5 @@
variable "tls_secret_name" {
type = string
type = string
sensitive = true
}
variable "nfs_server" { type = string }
@ -7,36 +7,36 @@ variable "postgresql_host" { type = string }
variable "redis_host" { type = string }
variable "ollama_host" { type = string }
variable "dbaas_postgresql_root_password" {
type = string
type = string
sensitive = true
}
variable "trading_bot_db_password" {
type = string
type = string
sensitive = true
}
variable "trading_bot_alpaca_api_key" {
type = string
type = string
sensitive = true
}
variable "trading_bot_alpaca_secret_key" {
type = string
type = string
sensitive = true
}
variable "trading_bot_jwt_secret" {
type = string
type = string
sensitive = true
}
variable "trading_bot_reddit_client_id" { type = string }
variable "trading_bot_reddit_client_secret" {
type = string
type = string
sensitive = true
}
variable "trading_bot_alpha_vantage_api_key" {
type = string
type = string
sensitive = true
}
variable "trading_bot_fmp_api_key" {
type = string
type = string
sensitive = true
}
@ -74,7 +74,7 @@ resource "kubernetes_namespace" "trading-bot" {
metadata {
name = "trading-bot"
labels = {
tier = local.tiers.edge
tier = local.tiers.edge
}
}
}
@ -208,7 +208,6 @@ resource "kubernetes_deployment" "trading-bot-frontend" {
memory = "32Mi"
}
limits = {
cpu = "200m"
memory = "128Mi"
}
}
@ -235,7 +234,6 @@ resource "kubernetes_deployment" "trading-bot-frontend" {
memory = "128Mi"
}
limits = {
cpu = "1000m"
memory = "512Mi"
}
}
@ -301,7 +299,6 @@ resource "kubernetes_deployment" "trading-bot-workers" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
@ -328,7 +325,6 @@ resource "kubernetes_deployment" "trading-bot-workers" {
memory = "512Mi"
}
limits = {
cpu = "2000m"
memory = "2Gi"
}
}
@ -355,7 +351,6 @@ resource "kubernetes_deployment" "trading-bot-workers" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
@ -382,7 +377,6 @@ resource "kubernetes_deployment" "trading-bot-workers" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
@ -409,7 +403,6 @@ resource "kubernetes_deployment" "trading-bot-workers" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
@ -436,7 +429,6 @@ resource "kubernetes_deployment" "trading-bot-workers" {
memory = "64Mi"
}
limits = {
cpu = "500m"
memory = "256Mi"
}
}
