From 28ac1382d1045c07c8606537775b980cd45579fe Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Sat, 14 Mar 2026 08:51:45 +0000 Subject: [PATCH] Remove all CPU limits cluster-wide to eliminate CFS throttling CPU limits cause CFS throttling even when nodes have idle capacity. Move to a request-only CPU model: keep CPU requests for scheduling fairness but remove all CPU limits. Memory limits stay (incompressible). Changes across 108 files: - Kyverno LimitRange policy: remove cpu from default/max in all 6 tiers - Kyverno ResourceQuota policy: remove limits.cpu from all 5 tiers - Custom ResourceQuotas: remove limits.cpu from 8 namespace quotas - Custom LimitRanges: remove cpu from default/max (nextcloud, onlyoffice) - RBAC module: remove cpu_limits variable and quota reference - Freedify factory: remove cpu_limit variable and limits reference - 86 deployment files: remove cpu from all limits blocks - 6 Helm values files: remove cpu under limits sections --- stacks/actualbudget/factory/main.tf | 1 - stacks/affine/main.tf | 5 +- stacks/audiobookshelf/main.tf | 3 +- stacks/blog/main.tf | 3 +- stacks/calibre/main.tf | 6 +- stacks/changedetection/main.tf | 4 +- stacks/city-guesser/main.tf | 3 +- stacks/coturn/main.tf | 5 +- stacks/cyberchef/main.tf | 3 +- stacks/dashy/main.tf | 3 +- stacks/dawarich/main.tf | 7 +- stacks/descheduler/values.yaml | 1 - stacks/diun/main.tf | 5 +- stacks/ebook2audiobook/main.tf | 2 +- stacks/echo/main.tf | 3 +- stacks/excalidraw/main.tf | 3 +- stacks/f1-stream/main.tf | 5 +- stacks/forgejo/main.tf | 3 +- stacks/freedify/factory/main.tf | 17 +- stacks/freedify/main.tf | 4 +- stacks/freshrss/main.tf | 3 +- stacks/frigate/main.tf | 3 +- stacks/grampsweb/main.tf | 2 - stacks/hackmd/main.tf | 3 +- stacks/health/main.tf | 7 +- stacks/homepage/main.tf | 2 +- stacks/immich/main.tf | 29 ++-- stacks/infra/main.tf | 6 +- stacks/isponsorblocktv/main.tf | 1 - stacks/jsoncrack/main.tf | 2 +- stacks/k8s-dashboard/main.tf | 2 +- stacks/kms/main.tf | 4 +- stacks/linkwarden/main.tf | 7 +- stacks/meshcentral/main.tf | 3 +- 
stacks/n8n/main.tf | 5 +- stacks/navidrome/main.tf | 3 +- stacks/netbox/main.tf | 7 +- stacks/networking-toolbox/main.tf | 3 +- stacks/nextcloud/chart_values.yaml | 1 - stacks/nextcloud/main.tf | 3 - stacks/ntfy/main.tf | 9 +- stacks/ollama/main.tf | 5 +- stacks/onlyoffice/main.tf | 10 +- stacks/openclaw/main.tf | 98 +++++++++-- stacks/osm_routing/main.tf | 28 ++- stacks/osm_routing/providers.tf | 1 - stacks/owntracks/main.tf | 5 +- stacks/paperless-ngx/main.tf | 7 +- stacks/platform/main.tf | 58 +++---- stacks/platform/modules/authentik/main.tf | 1 - stacks/platform/modules/authentik/values.yaml | 2 - stacks/platform/modules/cloudflared/main.tf | 1 - stacks/platform/modules/cnpg/main.tf | 1 - stacks/platform/modules/crowdsec/main.tf | 8 +- stacks/platform/modules/dbaas/main.tf | 15 +- stacks/platform/modules/headscale/main.tf | 2 - stacks/platform/modules/iscsi-csi/main.tf | 5 +- stacks/platform/modules/k8s-portal/main.tf | 5 +- .../modules/kyverno/resource-governance.tf | 105 ++++++++++-- stacks/platform/modules/mailserver/main.tf | 2 - .../modules/mailserver/roundcubemail.tf | 2 +- stacks/platform/modules/monitoring/alloy.yaml | 1 - stacks/platform/modules/monitoring/caretta.tf | 1 - stacks/platform/modules/monitoring/goflow2.tf | 1 - .../monitoring/grafana_chart_values.yaml | 1 - stacks/platform/modules/monitoring/loki.yaml | 1 - stacks/platform/modules/monitoring/main.tf | 13 +- stacks/platform/modules/nfs-csi/main.tf | 6 +- stacks/platform/modules/nvidia/main.tf | 2 - stacks/platform/modules/rbac/main.tf | 2 - stacks/platform/modules/redis/main.tf | 4 - stacks/platform/modules/reverse_proxy/main.tf | 88 +++++----- .../platform/modules/sealed-secrets/main.tf | 1 - stacks/platform/modules/technitium/ha.tf | 1 - stacks/platform/modules/technitium/main.tf | 3 +- stacks/platform/modules/traefik/main.tf | 4 +- stacks/platform/modules/uptime-kuma/main.tf | 1 - stacks/platform/modules/vaultwarden/main.tf | 1 - stacks/platform/modules/vpa/main.tf | 2 +- 
stacks/platform/modules/wireguard/main.tf | 2 - stacks/platform/modules/xray/main.tf | 3 +- stacks/plotting-book/main.tf | 3 +- stacks/poison-fountain/main.tf | 3 +- stacks/privatebin/main.tf | 3 +- stacks/real-estate-crawler/main.tf | 9 +- stacks/resume/main.tf | 6 +- stacks/rybbit/main.tf | 15 +- stacks/send/main.tf | 3 +- stacks/servarr/aiostreams/main.tf | 1 - stacks/servarr/flaresolverr/main.tf | 1 - stacks/servarr/listenarr/main.tf | 1 - stacks/servarr/main.tf | 2 +- stacks/servarr/prowlarr/main.tf | 1 - stacks/servarr/qbittorrent/main.tf | 20 +-- stacks/shadowsocks/main.tf | 3 +- stacks/speedtest/main.tf | 5 +- stacks/stirling-pdf/main.tf | 3 +- stacks/tandoor/main.tf | 9 +- stacks/tor-proxy/main.tf | 161 +++++++++++++++++- stacks/trading-bot/main.tf | 28 ++- stacks/travel_blog/main.tf | 3 +- stacks/tuya-bridge/main.tf | 9 +- stacks/url/main.tf | 7 +- stacks/wealthfolio/main.tf | 5 +- stacks/webhook_handler/main.tf | 15 +- stacks/whisper/main.tf | 4 +- stacks/woodpecker/main.tf | 13 +- stacks/ytdlp/main.tf | 7 +- 108 files changed, 602 insertions(+), 428 deletions(-) diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf index 1693ba5c..2e649cc5 100644 --- a/stacks/actualbudget/factory/main.tf +++ b/stacks/actualbudget/factory/main.tf @@ -152,7 +152,6 @@ resource "kubernetes_deployment" "actualbudget-http-api" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } } diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index 1d488557..c8753e80 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "affine_postgresql_password" { - type = string + type = string sensitive = true } variable "mailserver_accounts" { type = map(any) } @@ -170,7 +170,6 @@ resource "kubernetes_deployment" "affine" { } limits = { memory = "512Mi" - cpu = "1" } } 
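Review bot: With the `cpu` limit gone from this `limits` block, the container's CPU share under contention is set only by its CPU request, and the request block's `cpu` line (if there is one) sits above the hunk, so it cannot be confirmed here. A container that ends up with neither a limit nor a request gets the minimum CFS weight and is the first to be starved, which is the noisy-neighbour problem this commit is trying to solve from the other side. The same applies to every `limits = {` hunk in the patch (affine, audiobookshelf, blog, calibre and onward), so the request-only model needs something that still guarantees a CPU request on every container — a `default_request` for cpu kept in the LimitRange tiers, or a Kyverno rule that rejects containers without one. The `kubernetes_deployment` block continues outside the hunk.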
diff --git a/stacks/audiobookshelf/main.tf b/stacks/audiobookshelf/main.tf index 7a4765b8..fc2c0435 100644 --- a/stacks/audiobookshelf/main.tf +++ b/stacks/audiobookshelf/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -135,7 +135,6 @@ resource "kubernetes_deployment" "audiobookshelf" { memory = "64Mi" } limits = { - cpu = "250m" memory = "512Mi" } } diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf index 8f4c6e55..00f95469 100644 --- a/stacks/blog/main.tf +++ b/stacks/blog/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -48,7 +48,6 @@ resource "kubernetes_deployment" "blog" { name = "blog" resources { limits = { - cpu = "100m" memory = "256Mi" } requests = { diff --git a/stacks/calibre/main.tf b/stacks/calibre/main.tf index 5cd1635c..f70acdab 100644 --- a/stacks/calibre/main.tf +++ b/stacks/calibre/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "homepage_credentials" { - type = map(any) + type = map(any) sensitive = true } variable "nfs_server" { type = string } @@ -200,7 +200,6 @@ resource "kubernetes_deployment" "calibre-web-automated" { memory = "256Mi" } limits = { - cpu = "2" memory = "1536Mi" } } @@ -319,7 +318,6 @@ resource "kubernetes_deployment" "annas-archive-stacks" { memory = "192Mi" } limits = { - cpu = "500m" memory = "384Mi" } } diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index 47f76c0c..a93b2caf 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -79,7 +79,6 @@ resource "kubernetes_deployment" "changedetection" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } } 
@@ -119,7 +118,6 @@ resource "kubernetes_deployment" "changedetection" { memory = "64Mi" } limits = { - cpu = "250m" memory = "256Mi" } } diff --git a/stacks/city-guesser/main.tf b/stacks/city-guesser/main.tf index 95006a48..052916ea 100644 --- a/stacks/city-guesser/main.tf +++ b/stacks/city-guesser/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -48,7 +48,6 @@ resource "kubernetes_deployment" "city-guesser" { name = "city-guesser" resources { limits = { - cpu = "100m" memory = "256Mi" } requests = { diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index dd256632..09d88d7d 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "coturn_turn_secret" { - type = string + type = string sensitive = true } variable "public_ip" { type = string } @@ -138,7 +138,6 @@ resource "kubernetes_deployment" "coturn" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf index a77a04c2..32aabd1f 100644 --- a/stacks/cyberchef/main.tf +++ b/stacks/cyberchef/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -61,7 +61,6 @@ resource "kubernetes_deployment" "cyberchef" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/dashy/main.tf b/stacks/dashy/main.tf index 00649a83..2dbc570b 100644 --- a/stacks/dashy/main.tf +++ b/stacks/dashy/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -74,7 +74,6 @@ resource "kubernetes_deployment" "dashy" { memory = "512Mi" } limits = { - cpu = "500m" memory = "1Gi" } } diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf index 53fef277..12011d15 100644 --- a/stacks/dawarich/main.tf +++ b/stacks/dawarich/main.tf 
@@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "dawarich_database_password" { - type = string + type = string sensitive = true } variable "geoapify_api_key" { - type = string + type = string sensitive = true } @@ -155,7 +155,6 @@ resource "kubernetes_deployment" "dawarich" { memory = "256Mi" } limits = { - cpu = "250m" memory = "1Gi" } } diff --git a/stacks/descheduler/values.yaml b/stacks/descheduler/values.yaml index 362e6396..771bf649 100644 --- a/stacks/descheduler/values.yaml +++ b/stacks/descheduler/values.yaml @@ -21,7 +21,6 @@ resources: cpu: 500m memory: 256Mi limits: - cpu: 500m memory: 256Mi ports: diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf index c979953b..8a6ff4b1 100644 --- a/stacks/diun/main.tf +++ b/stacks/diun/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "diun_nfty_token" { - type = string + type = string sensitive = true } variable "diun_slack_url" { type = string } @@ -183,7 +183,6 @@ resource "kubernetes_deployment" "diun" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/ebook2audiobook/main.tf b/stacks/ebook2audiobook/main.tf index d3aa7937..1cd38f73 100644 --- a/stacks/ebook2audiobook/main.tf +++ b/stacks/ebook2audiobook/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } diff --git a/stacks/echo/main.tf b/stacks/echo/main.tf index be1fcab0..a7b05a0c 100644 --- a/stacks/echo/main.tf +++ b/stacks/echo/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -58,7 +58,6 @@ resource "kubernetes_deployment" "echo" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/excalidraw/main.tf b/stacks/excalidraw/main.tf index 825371f1..d57c5377 100644 --- a/stacks/excalidraw/main.tf 
+++ b/stacks/excalidraw/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -82,7 +82,6 @@ resource "kubernetes_deployment" "excalidraw" { memory = "16Mi" } limits = { - cpu = "100m" memory = "64Mi" } } diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index 33c86ddc..67176d4f 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -1,10 +1,10 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } variable "discord_user_token" { - type = string + type = string sensitive = true } variable "discord_f1_guild_id" { type = string } @@ -58,7 +58,6 @@ resource "kubernetes_deployment" "f1-stream" { name = "f1-stream" resources { limits = { - cpu = "250m" memory = "256Mi" } requests = { diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index bc47b9c0..21caedfb 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -104,7 +104,6 @@ resource "kubernetes_deployment" "forgejo" { memory = "64Mi" } limits = { - cpu = "250m" memory = "512Mi" } } diff --git a/stacks/freedify/factory/main.tf b/stacks/freedify/factory/main.tf index 10e6f0c7..69e85531 100755 --- a/stacks/freedify/factory/main.tf +++ b/stacks/freedify/factory/main.tf @@ -9,13 +9,13 @@ variable "protected" { default = false } variable "listenbrainz_token" { - type = string - default = null + type = string + default = null sensitive = true } variable "genius_token" { - type = string - default = null + type = string + default = null sensitive = true } variable "dab_visitor_id" { 
@@ -27,14 +27,10 @@ variable "dab_session" { default = null } variable "gemini_api_key" { - type = string - default = null + type = string + default = null sensitive = true } -variable "cpu_limit" { - type = string - default = "250m" -} variable "memory_limit" { type = string default = "256Mi" @@ -112,7 +108,6 @@ resource "kubernetes_deployment" "freedify" { } resources { limits = { - cpu = var.cpu_limit memory = var.memory_limit } requests = { diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf index 844b3b4c..5c0a1bc1 100644 --- a/stacks/freedify/main.tf +++ b/stacks/freedify/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "freedify_credentials" { - type = map(any) + type = map(any) sensitive = true } diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index 54e0fc3e..31d82af0 100644 --- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -104,7 +104,6 @@ resource "kubernetes_deployment" "freshrss" { memory = "64Mi" } limits = { - cpu = "250m" memory = "256Mi" } } diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf index 8bb0743b..26a0a63d 100644 --- a/stacks/frigate/main.tf +++ b/stacks/frigate/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -89,7 +89,6 @@ resource "kubernetes_deployment" "frigate" { memory = "2Gi" } limits = { - cpu = "4" memory = "8Gi" "nvidia.com/gpu" = "1" } diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index b49a1045..acf026fa 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf @@ -192,7 +192,6 @@ resource "kubernetes_deployment" "grampsweb" { memory = "512Mi" } limits = { - cpu = "1" memory = "2Gi" } } 
@@ -258,7 +257,6 @@ resource "kubernetes_deployment" "grampsweb" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1Gi" } } diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index 2e630068..9b028b9f 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf @@ -1,5 +1,5 @@ variable "hackmd_db_password" { - type = string + type = string sensitive = true } variable "tls_secret_name" { @@ -125,7 +125,6 @@ resource "kubernetes_deployment" "hackmd" { memory = "64Mi" } limits = { - cpu = "250m" memory = "512Mi" } } diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 141c1312..35309038 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "health_postgresql_password" { - type = string + type = string sensitive = true } variable "health_secret_key" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -105,7 +105,6 @@ resource "kubernetes_deployment" "health" { } limits = { memory = "256Mi" - cpu = "250m" } } } diff --git a/stacks/homepage/main.tf b/stacks/homepage/main.tf index 409e78da..33e8794c 100644 --- a/stacks/homepage/main.tf +++ b/stacks/homepage/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf index 30399988..b81181a4 100644 --- a/stacks/immich/main.tf +++ b/stacks/immich/main.tf @@ -1,17 +1,17 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "immich_postgresql_password" { - type = string + type = string sensitive = true } variable "immich_frame_api_key" { - type = string + type = string sensitive = true } variable "homepage_credentials" { - type = map(any) + type = map(any) sensitive = true } 
@@ -249,7 +249,6 @@ resource "kubernetes_deployment" "immich_server" { memory = "256Mi" } limits = { - cpu = "2" memory = "2Gi" } } @@ -382,7 +381,6 @@ resource "kubernetes_deployment" "immich-postgres" { memory = "256Mi" } limits = { - cpu = "1" memory = "1Gi" } } @@ -522,7 +520,6 @@ resource "kubernetes_deployment" "immich-machine-learning" { memory = "1Gi" } limits = { - cpu = "2" memory = "4Gi" "nvidia.com/gpu" = "1" } @@ -589,16 +586,16 @@ module "ingress-immich" { skip_default_rate_limit = true extra_middlewares = ["traefik-immich-rate-limit@kubernetescrd"] extra_annotations = { - "gethomepage.dev/enabled" = "true" - "gethomepage.dev/description" = "Photos library" - "gethomepage.dev/icon" = "immich.png" - "gethomepage.dev/name" = "Immich" - "gethomepage.dev/group" = "Media & Entertainment" - "gethomepage.dev/widget.type" = "immich" - "gethomepage.dev/widget.url" = "http://immich-server.immich.svc.cluster.local:2283" + "gethomepage.dev/enabled" = "true" + "gethomepage.dev/description" = "Photos library" + "gethomepage.dev/icon" = "immich.png" + "gethomepage.dev/name" = "Immich" + "gethomepage.dev/group" = "Media & Entertainment" + "gethomepage.dev/widget.type" = "immich" + "gethomepage.dev/widget.url" = "http://immich-server.immich.svc.cluster.local:2283" "gethomepage.dev/widget.version" = "2" - "gethomepage.dev/pod-selector" = "" - "gethomepage.dev/widget.key" = var.homepage_credentials["immich"]["token"] + "gethomepage.dev/pod-selector" = "" + "gethomepage.dev/widget.key" = var.homepage_credentials["immich"]["token"] } } diff --git a/stacks/infra/main.tf b/stacks/infra/main.tf index 43cc5133..5af826fd 100644 --- a/stacks/infra/main.tf +++ b/stacks/infra/main.tf @@ -10,8 +10,8 @@ variable "proxmox_host" { type = string } variable "ssh_private_key" { - type = string - default = "" + type = string + default = "" sensitive = true } @@ -21,7 +21,7 @@ variable "ssh_public_key" { } variable "vm_wizard_password" { - type = string + type = string sensitive = true } 
diff --git a/stacks/isponsorblocktv/main.tf b/stacks/isponsorblocktv/main.tf index d61ecb90..47724092 100644 --- a/stacks/isponsorblocktv/main.tf +++ b/stacks/isponsorblocktv/main.tf @@ -57,7 +57,6 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" { memory = "32Mi" } limits = { - cpu = "150m" memory = "256Mi" } } diff --git a/stacks/jsoncrack/main.tf b/stacks/jsoncrack/main.tf index 4f991c07..b1c8c031 100644 --- a/stacks/jsoncrack/main.tf +++ b/stacks/jsoncrack/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } diff --git a/stacks/k8s-dashboard/main.tf b/stacks/k8s-dashboard/main.tf index 52f1c38b..9b462641 100644 --- a/stacks/k8s-dashboard/main.tf +++ b/stacks/k8s-dashboard/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "client_certificate_secret_name" { diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index adbb909b..e817eed4 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -61,7 +61,6 @@ resource "kubernetes_deployment" "kms-web-page" { image_pull_policy = "IfNotPresent" resources { limits = { - cpu = "50m" memory = "64Mi" } requests = { @@ -158,7 +157,6 @@ resource "kubernetes_deployment" "windows_kms" { name = "windows-kms" resources { limits = { - cpu = "100m" memory = "128Mi" } requests = { diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf index 1ac4cdaf..f53e0e56 100644 --- a/stacks/linkwarden/main.tf +++ b/stacks/linkwarden/main.tf 
@@ -1,14 +1,14 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "linkwarden_postgresql_password" { - type = string + type = string sensitive = true } variable "linkwarden_authentik_client_id" { type = string } variable "linkwarden_authentik_client_secret" { - type = string + type = string sensitive = true } variable "postgresql_host" { type = string } @@ -110,7 +110,6 @@ resource "kubernetes_deployment" "linkwarden" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1536Mi" } } diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf index 9d95bc02..3705631e 100644 --- a/stacks/meshcentral/main.tf +++ b/stacks/meshcentral/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -122,7 +122,6 @@ resource "kubernetes_deployment" "meshcentral" { memory = "64Mi" } limits = { - cpu = "250m" memory = "512Mi" } } diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index d2b7ec4e..1d2d55a7 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "n8n_postgresql_password" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -166,7 +166,6 @@ resource "kubernetes_deployment" "n8n" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1Gi" } } diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index 1782d009..595a5747 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -103,7 +103,6 @@ resource "kubernetes_deployment" "navidrome" { memory = "64Mi" } limits = { - cpu = "250m" memory = "384Mi" } } diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf index b079d2f4..610b02e0 100644 --- a/stacks/netbox/main.tf 
+++ b/stacks/netbox/main.tf @@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "netbox_db_password" { - type = string + type = string sensitive = true } variable "netbox_superuser_password" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -146,7 +146,6 @@ resource "kubernetes_deployment" "netbox" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1Gi" } } diff --git a/stacks/networking-toolbox/main.tf b/stacks/networking-toolbox/main.tf index 7ce1f656..6575b41a 100644 --- a/stacks/networking-toolbox/main.tf +++ b/stacks/networking-toolbox/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -55,7 +55,6 @@ resource "kubernetes_deployment" "networking-toolbox" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/nextcloud/chart_values.yaml b/stacks/nextcloud/chart_values.yaml index a8bc5eb3..6e9d3606 100644 --- a/stacks/nextcloud/chart_values.yaml +++ b/stacks/nextcloud/chart_values.yaml @@ -104,7 +104,6 @@ collabora: resources: limits: - cpu: "2" memory: 1Gi requests: cpu: 50m diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index e3a996eb..0d4444c3 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -42,7 +42,6 @@ resource "kubernetes_resource_quota" "nextcloud" { hard = { "requests.cpu" = "4" "requests.memory" = "8Gi" - "limits.cpu" = "32" "limits.memory" = "16Gi" pods = "10" } @@ -58,7 +57,6 @@ resource "kubernetes_limit_range" "nextcloud" { limit { type = "Container" default = { - cpu = "250m" memory = "256Mi" } default_request = { @@ -66,7 +64,6 @@ resource "kubernetes_limit_range" "nextcloud" { memory = "64Mi" } max = { - cpu = "16" memory = "8Gi" } } diff --git a/stacks/ntfy/main.tf b/stacks/ntfy/main.tf index 9975be2f..164d2e0e 100644 --- a/stacks/ntfy/main.tf +++ b/stacks/ntfy/main.tf 
@@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -96,11 +96,11 @@ resource "kubernetes_deployment" "ntfy" { } env { name = "NTFY_BEHIND_PROXY" - value = true + value = "true" } env { name = "NTFY_ENABLE_LOGIN" - value = true + value = "true" } env { name = "NTFY_AUTH_FILE" @@ -112,7 +112,7 @@ resource "kubernetes_deployment" "ntfy" { } env { name = "NTFY_ENABLE_METRICS" - value = true + value = "true" } volume_mount { name = "data" @@ -124,7 +124,6 @@ resource "kubernetes_deployment" "ntfy" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/ollama/main.tf b/stacks/ollama/main.tf index b7f7f281..eda7c07b 100644 --- a/stacks/ollama/main.tf +++ b/stacks/ollama/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "ollama_api_credentials" { - type = map(string) + type = map(string) sensitive = true } variable "nfs_server" { type = string } @@ -265,7 +265,6 @@ resource "kubernetes_deployment" "ollama-ui" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1536Mi" } } diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf index 7e2f40c6..8c1f754e 100644 --- a/stacks/onlyoffice/main.tf +++ b/stacks/onlyoffice/main.tf @@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "onlyoffice_db_password" { - type = string + type = string sensitive = true } variable "onlyoffice_jwt_token" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -36,7 +36,6 @@ resource "kubernetes_limit_range" "onlyoffice" { limit { type = "Container" default = { - cpu = "250m" memory = "256Mi" } default_request = { @@ -44,7 +43,6 @@ resource "kubernetes_limit_range" "onlyoffice" { memory = "64Mi" } max = { - cpu = "8" memory = "8Gi" } } 
@@ -60,7 +58,6 @@ resource "kubernetes_resource_quota" "onlyoffice" { hard = { "requests.cpu" = "4" "requests.memory" = "4Gi" - "limits.cpu" = "16" "limits.memory" = "16Gi" pods = "10" } @@ -113,7 +110,6 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { memory = "512Mi" } limits = { - cpu = "2" memory = "4Gi" } } diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf index d1d6ed20..32619119 100644 --- a/stacks/openclaw/main.tf +++ b/stacks/openclaw/main.tf @@ -1,33 +1,37 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "openclaw_ssh_key" { - type = string + type = string sensitive = true } variable "openclaw_skill_secrets" { - type = map(string) + type = map(string) sensitive = true } variable "llama_api_key" { - type = string + type = string sensitive = true } variable "brave_api_key" { - type = string + type = string sensitive = true } variable "openrouter_api_key" { - type = string + type = string sensitive = true } variable "nvidia_api_key" { - type = string + type = string + sensitive = true +} +variable "anthropic_api_key" { + type = string sensitive = true } variable "openclaw_telegram_bot_token" { - type = string + type = string sensitive = true } variable "forgejo_api_token" { @@ -121,10 +125,13 @@ resource "kubernetes_config_map" "openclaw_config" { mode = "off" } model = { - primary = "nim/mistralai/mistral-large-3-675b-instruct-2512" - fallbacks = ["nim/nvidia/llama-3.1-nemotron-ultra-253b-v1", "modelrelay/auto-fastest"] + primary = "anthropic/claude-sonnet-4-20250514" + fallbacks = ["nim/mistralai/mistral-large-3-675b-instruct-2512", "nim/nvidia/llama-3.1-nemotron-ultra-253b-v1", "modelrelay/auto-fastest"] } models = { + "anthropic/claude-sonnet-4-20250514" = {} + "anthropic/claude-opus-4-20250514" = {} + "anthropic/claude-haiku-4-20250506" = {} "modelrelay/auto-fastest" = {} "nim/deepseek-ai/deepseek-v3.2" = {} "nim/qwen/qwen3.5-397b-a17b" = {} 
@@ -190,6 +197,16 @@ resource "kubernetes_config_map" "openclaw_config" { { id = "auto-fastest", name = "Auto (Fastest)", reasoning = false, input = ["text"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0, output = 0, cacheRead = 0, cacheWrite = 0 } }, ] } + anthropic = { + baseUrl = "https://api.anthropic.com/v1" + api = "anthropic-messages" + apiKey = var.anthropic_api_key + models = [ + { id = "claude-sonnet-4-20250514", name = "Claude Sonnet 4", reasoning = true, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.003, output = 0.015, cacheRead = 0.0003, cacheWrite = 0.00375 } }, + { id = "claude-opus-4-20250514", name = "Claude Opus 4", reasoning = true, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.015, output = 0.075, cacheRead = 0.0015, cacheWrite = 0.01875 } }, + { id = "claude-haiku-4-20250506", name = "Claude Haiku 4", reasoning = false, input = ["text", "image"], contextWindow = 200000, maxTokens = 16384, cost = { input = 0.0008, output = 0.004, cacheRead = 0.00008, cacheWrite = 0.001 } }, + ] + } nim = { baseUrl = "https://integrate.api.nvidia.com/v1" api = "openai-completions" @@ -270,6 +287,14 @@ module "nfs_data" { nfs_path = "/mnt/main/openclaw/data" } +module "nfs_cc_config" { + source = "../../modules/kubernetes/nfs_volume" + name = "cc-config" + namespace = kubernetes_namespace.openclaw.metadata[0].name + nfs_server = var.nfs_server + nfs_path = "/mnt/main/openclaw/cc-config" +} + resource "kubernetes_deployment" "openclaw" { metadata { name = "openclaw" 
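Review bot: `apiKey = var.anthropic_api_key` lands inside `kubernetes_config_map.openclaw_config`, so a value declared `sensitive` in Terraform is written to a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is not covered by Secret-specific controls such as encryption at rest or the tighter default RBAC around Secrets. The existing `nim` provider block presumably carries its key the same way (its `apiKey` line is outside the hunk), so this is likely an inherited pattern rather than new, but each added key widens it; consider rendering the provider config into a `kubernetes_secret`, or keeping only key references in the ConfigMap and injecting the values from a Secret. The `cost` figures in the added `models` list are static configuration that will drift from the vendor's actual rates without anyone noticing; a comment naming the unit and the date they were captured, e.g. `# cost values per <unit>, captured <date>`, would make that visible. The `kubernetes_config_map` resource continues outside the hunk.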
@@ -383,8 +408,42 @@ resource "kubernetes_deployment" "openclaw" { # Symlink Claude skills into OpenClaw skills directory ln -sfn /workspace/infra/.claude/skills /openclaw-home/skills + # Pull shared CC config from NFS bare repo + if [ ! -d /openclaw-home/cc-config/.git ]; then + git clone /cc-config/cc-config.git /openclaw-home/cc-config 2>/dev/null || true + else + (cd /openclaw-home/cc-config && git pull --ff-only) || true + fi + + # Apply shared config to OpenClaw + if [ -d /openclaw-home/cc-config ]; then + # Copy shared CLAUDE.md (global knowledge) + [ -f /openclaw-home/cc-config/CLAUDE.md ] && \ + cp /openclaw-home/cc-config/CLAUDE.md /openclaw-home/CLAUDE.md + + # Copy shared skills (separate dir from infra skills) + if [ -d /openclaw-home/cc-config/skills ]; then + mkdir -p /openclaw-home/cc-skills + cp -r /openclaw-home/cc-config/skills/* /openclaw-home/cc-skills/ 2>/dev/null || true + fi + + # Copy shared memory + if [ -d /openclaw-home/cc-config/memory ]; then + mkdir -p /openclaw-home/memory + cp -r /openclaw-home/cc-config/memory/* /openclaw-home/memory/ 2>/dev/null || true + fi + + # Copy commands, hooks, agents + for d in commands hooks agents; do + if [ -d /openclaw-home/cc-config/$d ]; then + mkdir -p /openclaw-home/$d + cp -r /openclaw-home/cc-config/$d/* /openclaw-home/$d/ 2>/dev/null || true + fi + done + fi + # Create required directories (owned by node user, UID 1000) - mkdir -p /openclaw-home/agents/main/sessions /openclaw-home/credentials /openclaw-home/canvas /openclaw-home/devices /openclaw-home/cron + mkdir -p /openclaw-home/agents/main/sessions /openclaw-home/credentials /openclaw-home/canvas /openclaw-home/devices /openclaw-home/cron /openclaw-home/cc-skills /openclaw-home/memory chown -R 1000:1000 /openclaw-home chmod 700 /openclaw-home 
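Review bot: The clone and pull of `/cc-config/cc-config.git` both end in `|| true` (the clone also sends stderr to `/dev/null`), so a broken or absent repository silently leaves the agent running with stale or missing `hooks`, `commands`, `agents` and skills — content that shapes what the agent executes — with nothing in the init-container log saying which revision was applied, or that none was. Whoever can write to the NFS export behind `/cc-config` controls that content, so the applied revision should at least be logged, and ideally pinned to a tag or commit rather than the branch head. The `cp -r src/* dst/ 2>/dev/null || true` pattern also merges rather than replaces, so a hook removed upstream keeps running until the home volume is recreated; replacing the destination directory before copying would make the applied set match the repository. The enclosing init-container script starts and ends outside the hunk.
```shell
# Pull shared CC config from NFS bare repo; report failures and the applied revision
if [ ! -d /openclaw-home/cc-config/.git ]; then
  git clone /cc-config/cc-config.git /openclaw-home/cc-config \
    || echo "cc-config: clone failed, continuing without shared config" >&2
else
  (cd /openclaw-home/cc-config && git pull --ff-only) \
    || echo "cc-config: pull failed, keeping previous checkout" >&2
fi
if [ -d /openclaw-home/cc-config/.git ]; then
  echo "cc-config: applying revision $(git -C /openclaw-home/cc-config rev-parse HEAD)"
fi
# … unchanged: copying CLAUDE.md, skills, memory, commands/hooks/agents …
```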
@@ -443,6 +502,10 @@ resource "kubernetes_deployment" "openclaw" { name = "openclaw-config" mount_path = "/openclaw-config-src" } + volume_mount { + name = "cc-config" + mount_path = "/cc-config" + } } # Main container: OpenClaw @@ -534,7 +597,6 @@ resource "kubernetes_deployment" "openclaw" { } resources { limits = { - cpu = "2" memory = "2Gi" } requests = { @@ -576,7 +638,6 @@ resource "kubernetes_deployment" "openclaw" { } resources { limits = { - cpu = "500m" memory = "512Mi" } requests = { @@ -617,6 +678,12 @@ resource "kubernetes_deployment" "openclaw" { default_mode = "0600" } } + volume { + name = "cc-config" + persistent_volume_claim { + claim_name = module.nfs_cc_config.claim_name + } + } volume { name = "openclaw-config" config_map { @@ -797,8 +864,8 @@ resource "kubernetes_deployment" "task_webhook" { spec { service_account_name = kubernetes_service_account.task_webhook.metadata[0].name container { - name = "webhook" - image = "python:3-alpine" + name = "webhook" + image = "python:3-alpine" command = ["sh", "-c", "apk add --no-cache curl > /dev/null 2>&1 && curl -sfL https://dl.k8s.io/release/v1.34.2/bin/linux/amd64/kubectl -o /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl && exec python3 -u /app/server.py"] port { container_port = 8080 @@ -813,7 +880,6 @@ resource "kubernetes_deployment" "task_webhook" { memory = "32Mi" } limits = { - cpu = "100m" memory = "64Mi" } } diff --git a/stacks/osm_routing/main.tf b/stacks/osm_routing/main.tf index 4e334ce0..18da7ffc 100644 --- a/stacks/osm_routing/main.tf +++ b/stacks/osm_routing/main.tf 
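Review bot: The new `cc-config` volume_mount at `/cc-config` is only read by the init script (`git clone /cc-config/cc-config.git`), yet it is mounted read-write; add `read_only = true` to the volume_mount so a misbehaving init step cannot modify the shared bare repo every other consumer pulls from. The matching `volume` block in the @@ -617 hunk could declare the same intent if the PVC supports a read-only access mode (the nfs_volume module is outside this diff, so that needs confirming).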
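Review bot: The task_webhook `command` (unchanged here apart from alignment) downloads `kubectl` from `https://dl.k8s.io/release/v1.34.2/bin/linux/amd64/kubectl` and runs `apk add` at every pod start with no integrity check, so the pod's availability depends on egress at startup and the binary is trusted on TLS alone. The version is pinned, which helps; verifying the published checksum with `sha256sum -c` before `chmod +x`, or baking kubectl into the image, would close the remaining gap. This is pre-existing behaviour the commit only re-indents, so a follow-up is reasonable.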
@@ -10,7 +10,24 @@ resource "kubernetes_namespace" "osm-routing" { name = "osm-routing" labels = { "istio-injection" : "disabled" - tier = local.tiers.aux + tier = local.tiers.aux + "resource-governance/custom-quota" = "true" + } + } +} + +resource "kubernetes_resource_quota_v1" "osm_routing" { + metadata { + name = "tier-quota" + namespace = kubernetes_namespace.osm-routing.metadata[0].name + } + spec { + hard = { + "requests.cpu" = "4" + "requests.memory" = "6Gi" + "limits.cpu" = "16" + "limits.memory" = "16Gi" + pods = "20" } } } @@ -77,7 +94,6 @@ resource "kubernetes_deployment" "osrm-foot" { memory = "256Mi" } limits = { - cpu = "100m" memory = "1Gi" } } @@ -158,7 +174,6 @@ resource "kubernetes_deployment" "osrm-bicycle" { memory = "256Mi" } limits = { - cpu = "100m" memory = "1Gi" } } @@ -235,16 +250,15 @@ resource "kubernetes_deployment" "otp" { } env { name = "JAVA_TOOL_OPTIONS" - value = "-Xmx1536m" + value = "-Xmx3g" } resources { requests = { cpu = "100m" - memory = "1Gi" + memory = "2Gi" } limits = { - cpu = "2" - memory = "2Gi" + memory = "4Gi" } } } diff --git a/stacks/osm_routing/providers.tf b/stacks/osm_routing/providers.tf index 7b5cc7b8..516f9fed 100644 --- a/stacks/osm_routing/providers.tf +++ b/stacks/osm_routing/providers.tf @@ -2,7 +2,6 @@ variable "kube_config_path" { type = string default = "~/.kube/config" - sensitive = true } provider "kubernetes" { diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index f4e28707..3c767543 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "owntracks_credentials" { - type = map(string) + type = map(string) sensitive = true } variable "nfs_server" { type = string } @@ -114,7 +114,6 @@ resource "kubernetes_deployment" "owntracks" { memory = "16Mi" } limits = { - cpu = "100m" memory = "64Mi" } } 
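Review bot: The new `kubernetes_resource_quota_v1.osm_routing` sets `"limits.cpu" = "16"`, which contradicts the request-only model this commit introduces and will block pod creation in the namespace: a ResourceQuota that constrains `limits.cpu` requires every container to declare a CPU limit, and this same diff removes `cpu` from the `limits` blocks of `osrm-foot`, `osrm-bicycle` and `otp` while also dropping the CPU default from the Kyverno LimitRange tiers that could otherwise have filled it in. Remove the line `"limits.cpu" = "16"` so the quota matches the other custom quotas in this change. Separately, `otp` now runs `-Xmx3g` under a 4Gi memory limit, leaving roughly 1Gi for metaspace, threads and off-heap; likely fine, but worth checking against observed RSS before relying on it.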
diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf index 31ba9171..6eaa79da 100644 --- a/stacks/paperless-ngx/main.tf +++ b/stacks/paperless-ngx/main.tf @@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "paperless_db_password" { - type = string + type = string sensitive = true } variable "homepage_credentials" { - type = map(any) + type = map(any) sensitive = true } variable "nfs_server" { type = string } @@ -133,7 +133,6 @@ resource "kubernetes_deployment" "paperless-ngx" { memory = "512Mi" } limits = { - cpu = "1" memory = "2Gi" } } diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf index 3431851c..d2fb5018 100644 --- a/stacks/platform/main.tf +++ b/stacks/platform/main.tf @@ -38,21 +38,21 @@ variable "prod" { # --- dbaas --- variable "dbaas_root_password" { - type = string + type = string sensitive = true } variable "dbaas_postgresql_root_password" { - type = string + type = string sensitive = true } variable "dbaas_pgadmin_password" { - type = string + type = string sensitive = true } # --- traefik --- variable "ingress_crowdsec_api_key" { - type = string + type = string sensitive = true } variable "auth_fallback_htpasswd" { @@ -63,11 +63,11 @@ variable "auth_fallback_htpasswd" { # --- technitium --- variable "technitium_db_password" { - type = string + type = string sensitive = true } variable "homepage_credentials" { - type = map(any) + type = map(any) sensitive = true } @@ -81,11 +81,11 @@ variable "k8s_ca_cert" { # --- authentik / rbac / k8s-portal --- variable "authentik_secret_key" { - type = string + type = string sensitive = true } variable "authentik_postgres_password" { - type = string + type = string sensitive = true } variable "k8s_users" { 
@@ -101,23 +101,23 @@ variable "ssh_private_key" { # --- crowdsec --- variable "crowdsec_enroll_key" { type = string } variable "crowdsec_db_password" { - type = string + type = string sensitive = true } variable "crowdsec_dash_api_key" { - type = string + type = string sensitive = true } variable "crowdsec_dash_machine_id" { type = string } variable "crowdsec_dash_machine_password" { - type = string + type = string sensitive = true } variable "alertmanager_slack_api_url" { type = string } # --- cloudflared --- variable "cloudflare_api_key" { - type = string + type = string sensitive = true } variable "cloudflare_email" { type = string } @@ -128,44 +128,44 @@ variable "public_ip" { type = string } variable "cloudflare_proxied_names" {} variable "cloudflare_non_proxied_names" {} variable "cloudflare_tunnel_token" { - type = string + type = string sensitive = true } # --- monitoring --- variable "alertmanager_account_password" { - type = string + type = string sensitive = true } variable "monitoring_idrac_username" { type = string } variable "monitoring_idrac_password" { - type = string + type = string sensitive = true } variable "tiny_tuya_service_secret" { - type = string + type = string sensitive = true } variable "haos_api_token" { - type = string + type = string sensitive = true } variable "pve_password" { - type = string + type = string sensitive = true } variable "grafana_db_password" { - type = string + type = string sensitive = true } variable "grafana_admin_password" { - type = string + type = string sensitive = true } # --- vaultwarden --- variable "vaultwarden_smtp_password" { - type = string + type = string sensitive = true } @@ -177,7 +177,7 @@ variable "wireguard_firewall_sh" { type = string } # --- xray --- variable "xray_reality_clients" { type = list(map(string)) } variable "xray_reality_private_key" { - type = string + type = string sensitive = true } variable "xray_reality_short_ids" { type = list(string) } 
@@ -188,19 +188,19 @@ variable "mailserver_aliases" {} variable "mailserver_opendkim_key" {} variable "mailserver_sasl_passwd" {} variable "mailserver_roundcubemail_db_password" { - type = string + type = string sensitive = true } # --- infra-maintenance --- variable "webhook_handler_git_user" { type = string } variable "webhook_handler_git_token" { - type = string + type = string sensitive = true } variable "technitium_username" { type = string } variable "technitium_password" { - type = string + type = string sensitive = true } @@ -417,10 +417,10 @@ module "nfs-csi" { # iSCSI CSI — democratic-csi for TrueNAS iSCSI (database storage) # ----------------------------------------------------------------------------- module "iscsi-csi" { - source = "./modules/iscsi-csi" - tier = local.tiers.cluster - truenas_host = var.nfs_server # Same TrueNAS host - truenas_api_key = var.truenas_api_key + source = "./modules/iscsi-csi" + tier = local.tiers.cluster + truenas_host = var.nfs_server # Same TrueNAS host + truenas_api_key = var.truenas_api_key truenas_ssh_private_key = var.truenas_ssh_private_key } diff --git a/stacks/platform/modules/authentik/main.tf b/stacks/platform/modules/authentik/main.tf index e1bad018..3c5506a4 100644 --- a/stacks/platform/modules/authentik/main.tf +++ b/stacks/platform/modules/authentik/main.tf @@ -35,7 +35,6 @@ resource "kubernetes_resource_quota" "authentik" { hard = { "requests.cpu" = "16" "requests.memory" = "16Gi" - "limits.cpu" = "48" "limits.memory" = "96Gi" pods = "50" } diff --git a/stacks/platform/modules/authentik/values.yaml b/stacks/platform/modules/authentik/values.yaml index d07bf946..e542c8f7 100644 --- a/stacks/platform/modules/authentik/values.yaml +++ b/stacks/platform/modules/authentik/values.yaml @@ -22,7 +22,6 @@ server: cpu: 100m memory: 512Mi limits: - cpu: "2" memory: 1Gi topologySpreadConstraints: - maxSkew: 1 
@@ -51,7 +50,6 @@ worker:
 cpu: 50m
 memory: 384Mi
 limits:
- cpu: "1"
 memory: 1Gi
 topologySpreadConstraints:
 - maxSkew: 1
diff --git a/stacks/platform/modules/cloudflared/main.tf b/stacks/platform/modules/cloudflared/main.tf
index f10ee9e6..b2e8ce45 100644
--- a/stacks/platform/modules/cloudflared/main.tf
+++ b/stacks/platform/modules/cloudflared/main.tf
@@ -76,7 +76,6 @@ resource "kubernetes_deployment" "cloudflared" {
 memory = "32Mi"
 }
 limits = {
- cpu = "200m"
 memory = "256Mi"
 }
 }
diff --git a/stacks/platform/modules/cnpg/main.tf b/stacks/platform/modules/cnpg/main.tf
index 72e84aea..b2e675de 100644
--- a/stacks/platform/modules/cnpg/main.tf
+++ b/stacks/platform/modules/cnpg/main.tf
@@ -40,7 +40,6 @@ resource "helm_release" "cnpg" {
 memory = "128Mi"
 }
 limits = {
- cpu = "500m"
 memory = "256Mi"
 }
 }
diff --git a/stacks/platform/modules/crowdsec/main.tf b/stacks/platform/modules/crowdsec/main.tf
index 2f6fb9ae..cec55b6e 100644
--- a/stacks/platform/modules/crowdsec/main.tf
+++ b/stacks/platform/modules/crowdsec/main.tf
@@ -4,12 +4,12 @@ variable "homepage_password" {}
 variable "db_password" {}
 variable "enroll_key" {}
 variable "crowdsec_dash_api_key" {
- type = string
+ type = string
 sensitive = true
 }
-variable "crowdsec_dash_machine_id" { type = string } # used for web dash
+variable "crowdsec_dash_machine_id" { type = string } # used for web dash
 variable "crowdsec_dash_machine_password" {
- type = string
+ type = string
 sensitive = true
 }
 variable "tier" { type = string }
@@ -171,7 +171,6 @@ resource "kubernetes_deployment" "crowdsec-web" {
 memory = "32Mi"
 }
 limits = {
- cpu = "250m"
 memory = "256Mi"
 }
 }
@@ -368,7 +367,6 @@ resource "kubernetes_resource_quota" "crowdsec" {
 hard = {
 "requests.cpu" = "8"
 "requests.memory" = "8Gi"
- "limits.cpu" = "16"
 "limits.memory" = "16Gi"
 pods = "30"
 }
diff --git a/stacks/platform/modules/dbaas/main.tf b/stacks/platform/modules/dbaas/main.tf
index 4de99ab7..8c01763b 100644
--- a/stacks/platform/modules/dbaas/main.tf
+++ b/stacks/platform/modules/dbaas/main.tf @@ -36,7 +36,6 @@ resource "kubernetes_resource_quota" "dbaas" { hard = { "requests.cpu" = "8" "requests.memory" = "12Gi" - "limits.cpu" = "32" "limits.memory" = "64Gi" pods = "30" } @@ -82,7 +81,6 @@ resource "helm_release" "mysql_operator" { memory = "256Mi" } limits = { - cpu = "500m" memory = "512Mi" } } @@ -186,7 +184,6 @@ resource "helm_release" "mysql_cluster" { memory = "1Gi" } limits = { - cpu = "2" memory = "4Gi" } } @@ -224,7 +221,6 @@ resource "helm_release" "mysql_cluster" { } limits = { memory = "3Gi" - cpu = "2" } } }] @@ -233,21 +229,21 @@ resource "helm_release" "mysql_cluster" { name = "fixdatadir" resources = { requests = { memory = "64Mi", cpu = "25m" } - limits = { memory = "256Mi", cpu = "500m" } + limits = { memory = "256Mi" } } }, { name = "initconf" resources = { requests = { memory = "256Mi", cpu = "50m" } - limits = { memory = "1Gi", cpu = "1" } + limits = { memory = "1Gi" } } }, { name = "initmysql" resources = { requests = { memory = "512Mi", cpu = "250m" } - limits = { memory = "2Gi", cpu = "2" } + limits = { memory = "2Gi" } } } ] @@ -553,7 +549,6 @@ resource "kubernetes_deployment" "phpmyadmin" { memory = "32Mi" } limits = { - cpu = "250m" memory = "256Mi" } } @@ -848,7 +843,7 @@ resource "null_resource" "pg_cluster" { storage_size = "20Gi" storage_class = "iscsi-truenas" memory_limit = "4Gi" - cpu_limit = "2" + } provisioner "local-exec" { @@ -875,7 +870,6 @@ resource "null_resource" "pg_cluster" { cpu: "250m" memory: "512Mi" limits: - cpu: "2" memory: "4Gi" EOF EOT @@ -986,7 +980,6 @@ resource "kubernetes_deployment" "pgadmin" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } } diff --git a/stacks/platform/modules/headscale/main.tf b/stacks/platform/modules/headscale/main.tf index 9d85b4a9..32454c90 100644 --- a/stacks/platform/modules/headscale/main.tf +++ b/stacks/platform/modules/headscale/main.tf 
@@ -82,7 +82,6 @@ resource "kubernetes_deployment" "headscale" { memory = "64Mi" } limits = { - cpu = "200m" memory = "256Mi" } } @@ -167,7 +166,6 @@ resource "kubernetes_deployment" "headscale" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/platform/modules/iscsi-csi/main.tf b/stacks/platform/modules/iscsi-csi/main.tf index 9c0a578e..c8e668c7 100644 --- a/stacks/platform/modules/iscsi-csi/main.tf +++ b/stacks/platform/modules/iscsi-csi/main.tf @@ -35,10 +35,11 @@ resource "helm_release" "democratic_csi" { }] controller = { + replicas = 2 driver = { resources = { requests = { cpu = "25m", memory = "64Mi" } - limits = { cpu = "250m", memory = "256Mi" } + limits = { memory = "256Mi" } } } } @@ -47,7 +48,7 @@ resource "helm_release" "democratic_csi" { driver = { resources = { requests = { cpu = "25m", memory = "64Mi" } - limits = { cpu = "250m", memory = "256Mi" } + limits = { memory = "256Mi" } } } diff --git a/stacks/platform/modules/k8s-portal/main.tf b/stacks/platform/modules/k8s-portal/main.tf index 6271c194..6088b5ab 100644 --- a/stacks/platform/modules/k8s-portal/main.tf +++ b/stacks/platform/modules/k8s-portal/main.tf @@ -75,7 +75,6 @@ resource "kubernetes_deployment" "k8s_portal" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } @@ -131,14 +130,14 @@ module "ingress" { } } -# Unprotected ingress for the setup script (needs to be curl-able without auth) +# Unprotected ingress for the setup script and agent endpoint (needs to be curl-able without auth) module "ingress_setup_script" { source = "../../../../modules/kubernetes/ingress_factory" namespace = kubernetes_namespace.k8s_portal.metadata[0].name name = "k8s-portal-setup" host = "k8s-portal" service_name = "k8s-portal" - ingress_path = ["/setup/script"] + ingress_path = ["/setup/script", "/agent"] tls_secret_name = var.tls_secret_name protected = false } 
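Review bot: `ingress_path = ["/setup/script", "/agent"]` in `module "ingress_setup_script"` puts a second endpoint behind the `protected = false` ingress, so `/agent` is now served without the auth middleware the main `ingress` module applies. The setup script is a one-shot download; an agent endpoint presumably accepts requests, so confirm the handler authenticates callers itself (a bootstrap token or similar) and that the match is exact rather than a prefix, otherwise everything under `/agent…` is exposed with it. A comment on that line stating what protects the endpoint would keep the next reader from "fixing" it, e.g. `# /agent is intentionally unauthenticated at the ingress; the handler validates its own token` — adjusted to what the handler actually does. The ingress_factory module's path semantics are outside this diff.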
diff --git a/stacks/platform/modules/kyverno/resource-governance.tf b/stacks/platform/modules/kyverno/resource-governance.tf
index 3ac9800e..539b057a 100644
--- a/stacks/platform/modules/kyverno/resource-governance.tf
+++ b/stacks/platform/modules/kyverno/resource-governance.tf
@@ -130,7 +130,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 {
 type = "Container"
 default = {
- cpu = "500m"
 memory = "512Mi"
 }
 defaultRequest = {
@@ -138,7 +137,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 memory = "256Mi"
 }
 max = {
- cpu = "4"
 memory = "8Gi"
 }
 }
@@ -189,7 +187,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 {
 type = "Container"
 default = {
- cpu = "500m"
 memory = "512Mi"
 }
 defaultRequest = {
@@ -197,7 +194,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 memory = "256Mi"
 }
 max = {
- cpu = "2"
 memory = "4Gi"
 }
 }
@@ -248,7 +244,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 {
 type = "Container"
 default = {
- cpu = "1"
 memory = "2Gi"
 }
 defaultRequest = {
@@ -256,7 +251,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 memory = "1Gi"
 }
 max = {
- cpu = "8"
 memory = "16Gi"
 }
 }
@@ -307,7 +301,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 {
 type = "Container"
 default = {
- cpu = "250m"
 memory = "256Mi"
 }
 defaultRequest = {
@@ -315,7 +308,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 memory = "128Mi"
 }
 max = {
- cpu = "2"
 memory = "4Gi"
 }
 }
@@ -366,7 +358,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 {
 type = "Container"
 default = {
- cpu = "250m"
 memory = "256Mi"
 }
 defaultRequest = {
@@ -374,7 +365,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 memory = "128Mi"
 }
 max = {
- cpu = "2"
 memory = "4Gi"
 }
 }
@@ -428,7 +418,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 {
 type = "Container"
 default = {
- cpu = "250m"
 memory = "256Mi"
 }
 defaultRequest = {
@@ -436,7 +425,6 @@ resource "kubernetes_manifest" "generate_limitrange_by_tier" {
 memory = "128Mi"
 }
 max = {
- cpu = "1"
 memory = "2Gi"
 }
 }
@@ -517,7 +505,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
 hard = {
 "requests.cpu" = "8"
 "requests.memory" = "8Gi"
- "limits.cpu" = "32"
 "limits.memory" = "64Gi"
 pods = "100"
 }
@@ -566,7 +553,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
 hard = {
 "requests.cpu" = "4"
 "requests.memory" = "4Gi"
- "limits.cpu" = "16"
 "limits.memory" = "32Gi"
 pods = "30"
 }
@@ -615,7 +601,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
 hard = {
 "requests.cpu" = "8"
 "requests.memory" = "8Gi"
- "limits.cpu" = "16"
 "limits.memory" = "32Gi"
 pods = "40"
 }
@@ -664,7 +649,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
 hard = {
 "requests.cpu" = "4"
 "requests.memory" = "4Gi"
- "limits.cpu" = "16"
 "limits.memory" = "32Gi"
 pods = "30"
 }
@@ -713,7 +697,6 @@ resource "kubernetes_manifest" "generate_resourcequota_by_tier" {
 hard = {
 "requests.cpu" = "2"
 "requests.memory" = "2Gi"
- "limits.cpu" = "8"
 "limits.memory" = "16Gi"
 pods = "20"
 }
@@ -920,3 +903,91 @@ resource "kubernetes_manifest" "mutate_ndots" {
 }
 }
 }
+
+# -----------------------------------------------------------------------------
+# Layer 5: GPU Node Toleration for Critical Services (Kyverno Mutate)
+# -----------------------------------------------------------------------------
+# Adds nvidia.com/gpu toleration to pods in tier-0 and tier-1 namespaces.
+# This allows critical infrastructure to overflow onto the GPU node (k8s-node1)
+# during N-1 scenarios, giving the scheduler ~14 GiB extra capacity.
+# GPU workloads won't be preempted — this just makes the node eligible.
+
+resource "kubernetes_manifest" "mutate_gpu_toleration_critical" {
+ manifest = {
+ apiVersion = "kyverno.io/v1"
+ kind = "ClusterPolicy"
+ metadata = {
+ name = "gpu-toleration-critical-tiers"
+ annotations = {
+ "policies.kyverno.io/title" = "GPU Toleration for Critical Tiers"
+ "policies.kyverno.io/description" = "Adds nvidia.com/gpu toleration to pods in tier-0-core and tier-1-cluster namespaces so they can overflow onto the GPU node during N-1 failures."
+ }
+ }
+ spec = {
+ rules = [
+ {
+ name = "add-gpu-toleration-tier-0"
+ match = {
+ any = [
+ {
+ resources = {
+ kinds = ["Pod"]
+ operations = ["CREATE"]
+ namespaceSelector = {
+ matchLabels = {
+ tier = "0-core"
+ }
+ }
+ }
+ }
+ ]
+ }
+ mutate = {
+ patchStrategicMerge = {
+ spec = {
+ tolerations = [
+ {
+ key = "nvidia.com/gpu"
+ operator = "Exists"
+ effect = "NoSchedule"
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ name = "add-gpu-toleration-tier-1"
+ match = {
+ any = [
+ {
+ resources = {
+ kinds = ["Pod"]
+ operations = ["CREATE"]
+ namespaceSelector = {
+ matchLabels = {
+ tier = "1-cluster"
+ }
+ }
+ }
+ }
+ ]
+ }
+ mutate = {
+ patchStrategicMerge = {
+ spec = {
+ tolerations = [
+ {
+ key = "nvidia.com/gpu"
+ operator = "Exists"
+ effect = "NoSchedule"
+ }
+ ]
+ }
+ }
+ }
+ },
+ ]
+ }
+ }
+}
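Review bot: A toleration alone does not give the "overflow during N-1" behaviour the header comment promises: it only makes the GPU node eligible, so the scheduler may place tier-0/tier-1 pods on it at any time, and the comment will mislead the next reader. If the node is meant to be a last resort, the mutate patch should also add a soft node-affinity preference away from it (sketched below; if pods in these tiers already declare their own `affinity`, the strategic-merge result needs checking), otherwise reword the comment to say the node is simply always eligible. The two rules differ only in the `tier` value, so one rule with `matchExpressions` over `tier In ["0-core", "1-cluster"]` would halve the policy; and `operations = ["CREATE"]` means pods already running keep their old scheduling until recreated, which is worth a one-line comment. The hostname below is taken from the header comment; a dedicated node label for the GPU node would be a more robust key.
```hcl
              mutate = {
                patchStrategicMerge = {
                  spec = {
                    tolerations = [
                      { key = "nvidia.com/gpu", operator = "Exists", effect = "NoSchedule" }
                    ]
                    # Prefer every other node; the GPU node only wins when nothing else fits.
                    affinity = {
                      nodeAffinity = {
                        preferredDuringSchedulingIgnoredDuringExecution = [
                          {
                            weight = 100
                            preference = {
                              matchExpressions = [
                                { key = "kubernetes.io/hostname", operator = "NotIn", values = ["k8s-node1"] }
                              ]
                            }
                          }
                        ]
                      }
                    }
                  }
                }
              }
```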
diff --git a/stacks/platform/modules/mailserver/main.tf b/stacks/platform/modules/mailserver/main.tf index cfbb0b46..39782852 100644 --- a/stacks/platform/modules/mailserver/main.tf +++ b/stacks/platform/modules/mailserver/main.tf @@ -365,7 +365,6 @@ resource "kubernetes_deployment" "mailserver" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } } @@ -395,7 +394,6 @@ resource "kubernetes_deployment" "mailserver" { memory = "16Mi" } limits = { - cpu = "100m" memory = "64Mi" } } diff --git a/stacks/platform/modules/mailserver/roundcubemail.tf b/stacks/platform/modules/mailserver/roundcubemail.tf index 9cbe1a52..38957498 100644 --- a/stacks/platform/modules/mailserver/roundcubemail.tf +++ b/stacks/platform/modules/mailserver/roundcubemail.tf @@ -1,5 +1,5 @@ variable "roundcube_db_password" { - type = string + type = string sensitive = true } variable "mysql_host" { type = string } diff --git a/stacks/platform/modules/monitoring/alloy.yaml b/stacks/platform/modules/monitoring/alloy.yaml index ab80e38e..12bf4972 100644 --- a/stacks/platform/modules/monitoring/alloy.yaml +++ b/stacks/platform/modules/monitoring/alloy.yaml @@ -204,5 +204,4 @@ controller: cpu: 50m memory: 512Mi limits: - cpu: 200m memory: 1Gi diff --git a/stacks/platform/modules/monitoring/caretta.tf b/stacks/platform/modules/monitoring/caretta.tf index d98e07d0..31724c85 100644 --- a/stacks/platform/modules/monitoring/caretta.tf +++ b/stacks/platform/modules/monitoring/caretta.tf @@ -32,7 +32,6 @@ resource "helm_release" "caretta" { memory = "300Mi" } limits = { - cpu = "200m" memory = "512Mi" } } diff --git a/stacks/platform/modules/monitoring/goflow2.tf b/stacks/platform/modules/monitoring/goflow2.tf index c7cf398d..8f355df1 100644 --- a/stacks/platform/modules/monitoring/goflow2.tf +++ b/stacks/platform/modules/monitoring/goflow2.tf @@ -43,7 +43,6 @@ resource "kubernetes_deployment" "goflow2" { memory = "64Mi" } limits = { - cpu = "200m" memory = "256Mi" } } 
diff --git a/stacks/platform/modules/monitoring/grafana_chart_values.yaml b/stacks/platform/modules/monitoring/grafana_chart_values.yaml index 57b81053..a5e49353 100644 --- a/stacks/platform/modules/monitoring/grafana_chart_values.yaml +++ b/stacks/platform/modules/monitoring/grafana_chart_values.yaml @@ -7,7 +7,6 @@ resources: cpu: 50m memory: 128Mi limits: - cpu: 500m memory: 512Mi topologySpreadConstraints: - maxSkew: 1 diff --git a/stacks/platform/modules/monitoring/loki.yaml b/stacks/platform/modules/monitoring/loki.yaml index 685031c3..333efc6a 100644 --- a/stacks/platform/modules/monitoring/loki.yaml +++ b/stacks/platform/modules/monitoring/loki.yaml @@ -72,7 +72,6 @@ singleBinary: cpu: 250m memory: 2Gi limits: - cpu: "1" memory: 4Gi # Zero out replica counts of other deployment modes diff --git a/stacks/platform/modules/monitoring/main.tf b/stacks/platform/modules/monitoring/main.tf index 1c9ffe2f..9492be74 100644 --- a/stacks/platform/modules/monitoring/main.tf +++ b/stacks/platform/modules/monitoring/main.tf @@ -7,28 +7,28 @@ variable "idrac_username" { default = "root" } variable "idrac_password" { - default = "calvin" + default = "calvin" sensitive = true } variable "alertmanager_slack_api_url" {} variable "tiny_tuya_service_secret" { - type = string + type = string sensitive = true } variable "haos_api_token" { - type = string + type = string sensitive = true } variable "pve_password" { - type = string + type = string sensitive = true } variable "grafana_db_password" { - type = string + type = string sensitive = true } variable "grafana_admin_password" { - type = string + type = string sensitive = true } variable "tier" { type = string } @@ -211,7 +211,6 @@ resource "kubernetes_resource_quota" "monitoring" { hard = { "requests.cpu" = "16" "requests.memory" = "16Gi" - "limits.cpu" = "64" "limits.memory" = "64Gi" pods = "100" } diff --git a/stacks/platform/modules/nfs-csi/main.tf b/stacks/platform/modules/nfs-csi/main.tf index 2c1aa2f6..a7bbe544 100644 
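Review bot: `variable "idrac_password" { default = "calvin" sensitive = true }` keeps a hard-coded password default in source (the hunk only re-aligns it and `sensitive = true` was already there), so a missing or misnamed tfvars entry silently falls back to that value instead of failing the plan. `sensitive` only redacts plan and apply output; it does not keep the value out of the repository or the state file. Drop the default so the value must be supplied explicitly: `variable "idrac_password" { type = string sensitive = true }`. Every other secret variable in this hunk already follows that pattern.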
--- a/stacks/platform/modules/nfs-csi/main.tf +++ b/stacks/platform/modules/nfs-csi/main.tf @@ -22,16 +22,16 @@ resource "helm_release" "nfs_csi_driver" { values = [yamlencode({ controller = { - replicas = 1 + replicas = 2 resources = { requests = { cpu = "10m", memory = "32Mi" } - limits = { cpu = "100m", memory = "128Mi" } + limits = { memory = "128Mi" } } } node = { resources = { requests = { cpu = "10m", memory = "32Mi" } - limits = { cpu = "100m", memory = "128Mi" } + limits = { memory = "128Mi" } } } storageClass = { diff --git a/stacks/platform/modules/nvidia/main.tf b/stacks/platform/modules/nvidia/main.tf index eba209c3..7dc9ed42 100644 --- a/stacks/platform/modules/nvidia/main.tf +++ b/stacks/platform/modules/nvidia/main.tf @@ -25,7 +25,6 @@ resource "kubernetes_resource_quota" "nvidia_quota" { } spec { hard = { - "limits.cpu" = "32" "limits.memory" = "48Gi" "requests.cpu" = "8" "requests.memory" = "8Gi" @@ -618,7 +617,6 @@ resource "kubernetes_daemonset" "gpu_pod_exporter" { memory = "128Mi" } limits = { - cpu = "200m" memory = "256Mi" "nvidia.com/gpu" = "1" } diff --git a/stacks/platform/modules/rbac/main.tf b/stacks/platform/modules/rbac/main.tf index 9e6254d4..7611f3de 100644 --- a/stacks/platform/modules/rbac/main.tf +++ b/stacks/platform/modules/rbac/main.tf @@ -9,7 +9,6 @@ variable "k8s_users" { quota = optional(object({ cpu_requests = optional(string, "2") memory_requests = optional(string, "4Gi") - cpu_limits = optional(string, "4") memory_limits = optional(string, "8Gi") pods = optional(string, "20") }), {}) @@ -225,7 +224,6 @@ resource "kubernetes_resource_quota" "user_namespace_quota" { hard = { "requests.cpu" = each.value.quota.cpu_requests "requests.memory" = each.value.quota.memory_requests - "limits.cpu" = each.value.quota.cpu_limits "limits.memory" = each.value.quota.memory_limits "pods" = each.value.quota.pods } diff --git a/stacks/platform/modules/redis/main.tf b/stacks/platform/modules/redis/main.tf index 29eef716..8395c9eb 100644 
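Review bot: Removing `cpu_limits` from the `quota` object type in `variable "k8s_users"` is a breaking change for callers: Terraform rejects an object value carrying an attribute the type does not declare, so any tfvars or module call that still passes `quota = { cpu_limits = ... }` now fails validation rather than being ignored. If those values live outside this diff, check them before applying, or keep the attribute for one release as a documented no-op: `cpu_limits = optional(string) # deprecated, ignored since CPU limits were removed cluster-wide`. The matching `"limits.cpu"` removal in the @@ -225 hunk is consistent with the rest of the change.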
--- a/stacks/platform/modules/redis/main.tf +++ b/stacks/platform/modules/redis/main.tf @@ -51,7 +51,6 @@ resource "helm_release" "redis" { memory = "64Mi" } limits = { - cpu = "200m" memory = "128Mi" } } @@ -70,7 +69,6 @@ resource "helm_release" "redis" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } @@ -91,7 +89,6 @@ resource "helm_release" "redis" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } @@ -205,7 +202,6 @@ resource "kubernetes_deployment" "haproxy" { memory = "16Mi" } limits = { - cpu = "100m" memory = "32Mi" } } diff --git a/stacks/platform/modules/reverse_proxy/main.tf b/stacks/platform/modules/reverse_proxy/main.tf index c78f92c7..e6dcc34b 100644 --- a/stacks/platform/modules/reverse_proxy/main.tf +++ b/stacks/platform/modules/reverse_proxy/main.tf @@ -73,16 +73,16 @@ module "nas" { # https://files.viktorbarzin.me/ module "nas-files" { - source = "./factory" - name = "files" - external_name = "nas.viktorbarzin.lan" - port = 5001 - tls_secret_name = var.tls_secret_name - backend_protocol = "HTTPS" - protected = false # allow anyone to download files - ingress_path = ["/sharing", "/scripts", "/webman", "/wfmlogindialog.js", "/fsdownload"] - max_body_size = "0m" - depends_on = [kubernetes_namespace.reverse-proxy] + source = "./factory" + name = "files" + external_name = "nas.viktorbarzin.lan" + port = 5001 + tls_secret_name = var.tls_secret_name + backend_protocol = "HTTPS" + protected = false # allow anyone to download files + ingress_path = ["/sharing", "/scripts", "/webman", "/wfmlogindialog.js", "/fsdownload"] + max_body_size = "0m" + depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = { "gethomepage.dev/enabled" = "false" } } 
@@ -103,7 +103,7 @@ module "idrac" { "gethomepage.dev/group" = "Infrastructure" "gethomepage.dev/pod-selector" = "" } - depends_on = [kubernetes_namespace.reverse-proxy] + depends_on = [kubernetes_namespace.reverse-proxy] } # Can either listen on https or http; can't do both :/ @@ -197,24 +197,24 @@ module "docker-registry-ui" { extra_annotations = { # Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" - "gethomepage.dev/enabled" = "true" - "gethomepage.dev/name" = "Docker Registry" - "gethomepage.dev/description" = "Container registry" - "gethomepage.dev/icon" = "docker.png" - "gethomepage.dev/group" = "Infrastructure" - "gethomepage.dev/pod-selector" = "" + "gethomepage.dev/enabled" = "true" + "gethomepage.dev/name" = "Docker Registry" + "gethomepage.dev/description" = "Container registry" + "gethomepage.dev/icon" = "docker.png" + "gethomepage.dev/group" = "Infrastructure" + "gethomepage.dev/pod-selector" = "" } } # https://valchedrym.viktorbarzin.me/ module "valchedrym" { - source = "./factory" - name = "valchedrym" - external_name = "valchedrym.viktorbarzin.lan" - tls_secret_name = var.tls_secret_name - port = 80 - backend_protocol = "HTTP" - depends_on = [kubernetes_namespace.reverse-proxy] + source = "./factory" + name = "valchedrym" + external_name = "valchedrym.viktorbarzin.lan" + tls_secret_name = var.tls_secret_name + port = 80 + backend_protocol = "HTTP" + depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = { "gethomepage.dev/enabled" = "false" } } 
@@ -235,12 +235,12 @@ module "valchedrym" { # https://mladost3.viktorbarzin.me/ module "mladost3" { - source = "./factory" - name = "mladost3" - external_name = "mladost3.ddns.net" - port = 8080 - tls_secret_name = var.tls_secret_name - depends_on = [kubernetes_namespace.reverse-proxy] + source = "./factory" + name = "mladost3" + external_name = "mladost3.ddns.net" + port = 8080 + tls_secret_name = var.tls_secret_name + depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = { "gethomepage.dev/enabled" = "false" } } @@ -318,13 +318,13 @@ module "london" { } } module "pi-lights" { - source = "./factory" - name = "pi" - external_name = "ha-london.viktorbarzin.lan" - port = 5000 - tls_secret_name = var.tls_secret_name - protected = true - depends_on = [kubernetes_namespace.reverse-proxy] + source = "./factory" + name = "pi" + external_name = "ha-london.viktorbarzin.lan" + port = 5000 + tls_secret_name = var.tls_secret_name + protected = true + depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = { "gethomepage.dev/enabled" = "false" } } @@ -345,12 +345,12 @@ module "pi-lights" { # } module "mbp14" { - source = "./factory" - name = "mbp14" - external_name = "mbp14.viktorbarzin.lan" - port = 4020 - tls_secret_name = var.tls_secret_name - protected = true - depends_on = [kubernetes_namespace.reverse-proxy] + source = "./factory" + name = "mbp14" + external_name = "mbp14.viktorbarzin.lan" + port = 4020 + tls_secret_name = var.tls_secret_name + protected = true + depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = { "gethomepage.dev/enabled" = "false" } } diff --git a/stacks/platform/modules/sealed-secrets/main.tf b/stacks/platform/modules/sealed-secrets/main.tf index aa9965d9..876bb678 100644 --- a/stacks/platform/modules/sealed-secrets/main.tf +++ b/stacks/platform/modules/sealed-secrets/main.tf @@ -38,7 +38,6 @@ resource "helm_release" "sealed_secrets" { memory = "64Mi" } limits = { - cpu = "250m" memory = "256Mi" } } 
diff --git a/stacks/platform/modules/technitium/ha.tf b/stacks/platform/modules/technitium/ha.tf index 98cd06db..0bab6b15 100644 --- a/stacks/platform/modules/technitium/ha.tf +++ b/stacks/platform/modules/technitium/ha.tf @@ -109,7 +109,6 @@ resource "kubernetes_deployment" "technitium_secondary" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } } diff --git a/stacks/platform/modules/technitium/main.tf b/stacks/platform/modules/technitium/main.tf index 1501acc7..6fc0cb06 100644 --- a/stacks/platform/modules/technitium/main.tf +++ b/stacks/platform/modules/technitium/main.tf @@ -6,7 +6,7 @@ variable "nfs_server" { type = string } variable "mysql_host" { type = string } variable "technitium_username" { type = string } variable "technitium_password" { - type = string + type = string sensitive = true } @@ -169,7 +169,6 @@ resource "kubernetes_deployment" "technitium" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } } diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf index bd4bd1dd..08a9c09b 100644 --- a/stacks/platform/modules/traefik/main.tf +++ b/stacks/platform/modules/traefik/main.tf @@ -1,6 +1,6 @@ variable "tier" { type = string } variable "crowdsec_api_key" { - type = string + type = string sensitive = true } variable "redis_host" { type = string } @@ -394,7 +394,6 @@ resource "kubernetes_deployment" "bot_block_proxy" { memory = "32Mi" } limits = { - cpu = "50m" memory = "128Mi" } } @@ -583,7 +582,6 @@ resource "kubernetes_deployment" "auth_proxy" { memory = "32Mi" } limits = { - cpu = "50m" memory = "128Mi" } } diff --git a/stacks/platform/modules/uptime-kuma/main.tf b/stacks/platform/modules/uptime-kuma/main.tf index 50e8ab00..7215015f 100644 --- a/stacks/platform/modules/uptime-kuma/main.tf +++ b/stacks/platform/modules/uptime-kuma/main.tf @@ -71,7 +71,6 @@ resource "kubernetes_deployment" "uptime-kuma" { memory = "64Mi" } limits = { - cpu = "500m" memory = "512Mi" } } 
diff --git a/stacks/platform/modules/vaultwarden/main.tf b/stacks/platform/modules/vaultwarden/main.tf index 21b14d5e..f1bb5ad8 100644 --- a/stacks/platform/modules/vaultwarden/main.tf +++ b/stacks/platform/modules/vaultwarden/main.tf @@ -68,7 +68,6 @@ resource "kubernetes_deployment" "vaultwarden" { memory = "32Mi" } limits = { - cpu = "100m" memory = "256Mi" } } diff --git a/stacks/platform/modules/vpa/main.tf b/stacks/platform/modules/vpa/main.tf index 5c6b551a..2cc50643 100644 --- a/stacks/platform/modules/vpa/main.tf +++ b/stacks/platform/modules/vpa/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "tier" { type = string } diff --git a/stacks/platform/modules/wireguard/main.tf b/stacks/platform/modules/wireguard/main.tf index 1df0a610..aa24793d 100644 --- a/stacks/platform/modules/wireguard/main.tf +++ b/stacks/platform/modules/wireguard/main.tf @@ -147,7 +147,6 @@ resource "kubernetes_deployment" "wireguard" { memory = "16Mi" } limits = { - cpu = "100m" memory = "128Mi" } } @@ -178,7 +177,6 @@ resource "kubernetes_deployment" "wireguard" { memory = "16Mi" } limits = { - cpu = "50m" memory = "64Mi" } } diff --git a/stacks/platform/modules/xray/main.tf b/stacks/platform/modules/xray/main.tf index 3097d110..23f2b5d4 100644 --- a/stacks/platform/modules/xray/main.tf +++ b/stacks/platform/modules/xray/main.tf @@ -2,7 +2,7 @@ variable "tls_secret_name" {} variable "tier" { type = string } variable "xray_reality_clients" { type = list(map(string)) } variable "xray_reality_private_key" { - type = string + type = string sensitive = true } variable "xray_reality_short_ids" { type = list(string) } @@ -123,7 +123,6 @@ resource "kubernetes_deployment" "xray" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf index 9286e6e1..6110ea5f 100644 --- a/stacks/plotting-book/main.tf +++ b/stacks/plotting-book/main.tf 
@@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "plotting_book_session_secret" { @@ -124,7 +124,6 @@ resource "kubernetes_deployment" "plotting-book" { } limits = { memory = "256Mi" - cpu = "100m" } } } diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf index 2693a5ba..03d0eab3 100644 --- a/stacks/poison-fountain/main.tf +++ b/stacks/poison-fountain/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -154,7 +154,6 @@ resource "kubernetes_deployment" "poison_fountain" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/privatebin/main.tf b/stacks/privatebin/main.tf index 84dd5feb..4489e4d0 100644 --- a/stacks/privatebin/main.tf +++ b/stacks/privatebin/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -73,7 +73,6 @@ resource "kubernetes_deployment" "privatebin" { memory = "32Mi" } limits = { - cpu = "150m" memory = "256Mi" } } diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index 6d91da16..22ae4d9f 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "realestate_crawler_db_password" { - type = string + type = string sensitive = true } variable "realestate_crawler_notification_settings" { type = map(string) } @@ -17,7 +17,7 @@ resource "kubernetes_namespace" "realestate-crawler" { name = "realestate-crawler" labels = { "istio-injection" : "disabled" - tier = local.tiers.aux + tier = local.tiers.aux } } } @@ -209,7 +209,6 @@ resource "kubernetes_deployment" "realestate-crawler-api" { memory = "64Mi" } limits = { - cpu = "250m" memory = "512Mi" } } 
@@ -326,7 +325,6 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { memory = "512Mi" } limits = { - cpu = "1" memory = "3Gi" } } @@ -440,7 +438,6 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { memory = "64Mi" } limits = { - cpu = "100m" memory = "256Mi" } } diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf index d4cc6e32..b9cc933a 100644 --- a/stacks/resume/main.tf +++ b/stacks/resume/main.tf @@ -1,10 +1,10 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "resume_database_url" { type = string } variable "resume_auth_secret" { - type = string + type = string sensitive = true } variable "mailserver_accounts" { type = map(any) } @@ -84,7 +84,6 @@ resource "kubernetes_deployment" "printer" { } limits = { memory = "1536Mi" - cpu = "500m" } } @@ -240,7 +239,6 @@ resource "kubernetes_deployment" "resume" { } limits = { memory = "384Mi" - cpu = "250m" } } diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 9477f65f..587cf02c 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "clickhouse_password" { - type = string + type = string sensitive = true } variable "clickhouse_postgres_password" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -119,7 +119,6 @@ resource "kubernetes_deployment" "clickhouse" { memory = "512Mi" } limits = { - cpu = "1" memory = "2Gi" } } @@ -271,7 +270,7 @@ resource "kubernetes_deployment" "rybbit" { } env { name = "DISABLE_SIGNUP" - value = true + value = "true" } env { name = "BETTER_AUTH_SECRET" @@ -279,7 +278,7 @@ resource "kubernetes_deployment" "rybbit" { } env { name = "AUTH_ENABLED" - value = true + value = "true" } port { container_port = 3001 @@ -310,7 +309,6 @@ resource "kubernetes_deployment" "rybbit" { memory = "128Mi" } limits = { - cpu = "250m" memory = "512Mi" } } 
@@ -373,7 +371,7 @@ resource "kubernetes_deployment" "rybbit-client" { } env { name = "DISABLE_SIGNUP" - value = true + value = "true" } port { name = "rybbit-client" @@ -406,7 +404,6 @@ resource "kubernetes_deployment" "rybbit-client" { memory = "64Mi" } limits = { - cpu = "150m" memory = "256Mi" } } diff --git a/stacks/send/main.tf b/stacks/send/main.tf index 79dd8d1e..9455a7fc 100644 --- a/stacks/send/main.tf +++ b/stacks/send/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -106,7 +106,6 @@ resource "kubernetes_deployment" "send" { memory = "32Mi" } limits = { - cpu = "150m" memory = "256Mi" } } diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf index dc2574d3..e5dbac65 100644 --- a/stacks/servarr/aiostreams/main.tf +++ b/stacks/servarr/aiostreams/main.tf @@ -75,7 +75,6 @@ resource "kubernetes_deployment" "aiostreams" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1Gi" } } diff --git a/stacks/servarr/flaresolverr/main.tf b/stacks/servarr/flaresolverr/main.tf index 07b2f717..f5fc9f94 100644 --- a/stacks/servarr/flaresolverr/main.tf +++ b/stacks/servarr/flaresolverr/main.tf @@ -37,7 +37,6 @@ resource "kubernetes_deployment" "flaresolverr" { memory = "150Mi" } limits = { - cpu = "500m" memory = "384Mi" } } diff --git a/stacks/servarr/listenarr/main.tf b/stacks/servarr/listenarr/main.tf index 5711efa2..a4e0c83f 100644 --- a/stacks/servarr/listenarr/main.tf +++ b/stacks/servarr/listenarr/main.tf @@ -62,7 +62,6 @@ resource "kubernetes_deployment" "listenarr" { memory = "256Mi" } limits = { - cpu = "1" memory = "1Gi" } } diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf index 7d6008e9..615e43f3 100644 --- a/stacks/servarr/main.tf +++ b/stacks/servarr/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "aiostreams_database_connection_string" { type = string } 
diff --git a/stacks/servarr/prowlarr/main.tf b/stacks/servarr/prowlarr/main.tf index aa064366..0c4acc72 100644 --- a/stacks/servarr/prowlarr/main.tf +++ b/stacks/servarr/prowlarr/main.tf @@ -59,7 +59,6 @@ resource "kubernetes_deployment" "prowlarr" { memory = "192Mi" } limits = { - cpu = "500m" memory = "384Mi" } } diff --git a/stacks/servarr/qbittorrent/main.tf b/stacks/servarr/qbittorrent/main.tf index 254862db..7c63f2e2 100644 --- a/stacks/servarr/qbittorrent/main.tf +++ b/stacks/servarr/qbittorrent/main.tf @@ -160,15 +160,15 @@ module "ingress" { tls_secret_name = var.tls_secret_name protected = true extra_annotations = { - "gethomepage.dev/enabled" = "true" - "gethomepage.dev/name" = "qBittorrent" - "gethomepage.dev/description" = "BitTorrent client" - "gethomepage.dev/icon" = "qbittorrent.png" - "gethomepage.dev/group" = "Media & Entertainment" - "gethomepage.dev/pod-selector" = "" - "gethomepage.dev/widget.type" = "qbittorrent" - "gethomepage.dev/widget.url" = "http://qbittorrent.servarr.svc.cluster.local" - "gethomepage.dev/widget.username" = var.homepage_credentials["qbittorrent"]["username"] - "gethomepage.dev/widget.password" = var.homepage_credentials["qbittorrent"]["password"] + "gethomepage.dev/enabled" = "true" + "gethomepage.dev/name" = "qBittorrent" + "gethomepage.dev/description" = "BitTorrent client" + "gethomepage.dev/icon" = "qbittorrent.png" + "gethomepage.dev/group" = "Media & Entertainment" + "gethomepage.dev/pod-selector" = "" + "gethomepage.dev/widget.type" = "qbittorrent" + "gethomepage.dev/widget.url" = "http://qbittorrent.servarr.svc.cluster.local" + "gethomepage.dev/widget.username" = var.homepage_credentials["qbittorrent"]["username"] + "gethomepage.dev/widget.password" = var.homepage_credentials["qbittorrent"]["password"] } } diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf index 01caa7eb..098cd727 100644 --- a/stacks/shadowsocks/main.tf +++ b/stacks/shadowsocks/main.tf 
@@ -1,5 +1,5 @@ variable "shadowsocks_password" { - type = string + type = string sensitive = true } @@ -73,7 +73,6 @@ resource "kubernetes_deployment" "shadowsocks" { memory = "16Mi" } limits = { - cpu = "100m" memory = "64Mi" } } diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf index 0b5f909c..5a07a66c 100644 --- a/stacks/speedtest/main.tf +++ b/stacks/speedtest/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "speedtest_db_password" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -121,7 +121,6 @@ resource "kubernetes_deployment" "speedtest" { memory = "128Mi" } limits = { - cpu = "1" memory = "512Mi" } } diff --git a/stacks/stirling-pdf/main.tf b/stacks/stirling-pdf/main.tf index ae3b8bab..47b9c2ca 100644 --- a/stacks/stirling-pdf/main.tf +++ b/stacks/stirling-pdf/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -61,7 +61,6 @@ resource "kubernetes_deployment" "stirling-pdf" { memory = "512Mi" } limits = { - cpu = "2" memory = "2Gi" } } diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf index c7443031..73efe20d 100644 --- a/stacks/tandoor/main.tf +++ b/stacks/tandoor/main.tf @@ -1,14 +1,14 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "tandoor_database_password" { - type = string + type = string sensitive = true } variable "tandoor_email_password" { - type = string - default = "" + type = string + default = "" sensitive = true } variable "nfs_server" { type = string } @@ -157,7 +157,6 @@ resource "kubernetes_deployment" "tandoor" { memory = "256Mi" } limits = { - cpu = "250m" memory = "1536Mi" } } diff --git a/stacks/tor-proxy/main.tf b/stacks/tor-proxy/main.tf index 2ff91a0d..0a5541e6 100644 --- a/stacks/tor-proxy/main.tf +++ b/stacks/tor-proxy/main.tf 
@@ -1,7 +1,8 @@
 variable "tls_secret_name" {
- type = string
+ type = string
 sensitive = true
 }
+variable "nfs_server" { type = string }
 resource "kubernetes_namespace" "tor-proxy" {
@@ -82,7 +83,6 @@ resource "kubernetes_deployment" "tor-proxy" {
 memory = "64Mi"
 }
 limits = {
- cpu = "150m"
 memory = "256Mi"
 }
 }
@@ -126,3 +126,160 @@ resource "kubernetes_service" "tor-proxy" {
 }
 }
 }
+
+# --- TorrServer ---
+
+module "nfs_torrserver_data" {
+ source = "../../modules/kubernetes/nfs_volume"
+ name = "tor-proxy-torrserver-data"
+ namespace = kubernetes_namespace.tor-proxy.metadata[0].name
+ nfs_server = var.nfs_server
+ nfs_path = "/mnt/main/tor-proxy/torrserver"
+}
+
+resource "kubernetes_deployment" "torrserver" {
+ metadata {
+ name = "torrserver"
+ namespace = kubernetes_namespace.tor-proxy.metadata[0].name
+ labels = {
+ app = "torrserver"
+ tier = local.tiers.aux
+ }
+ }
+ spec {
+ replicas = 1
+ strategy {
+ type = "Recreate"
+ }
+ selector {
+ match_labels = {
+ app = "torrserver"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "torrserver"
+ }
+ }
+ spec {
+ container {
+ name = "torrserver"
+ image = "ghcr.io/yourok/torrserver:MatriX.141"
+ port {
+ name = "http"
+ container_port = 8090
+ protocol = "TCP"
+ }
+ resources {
+ requests = {
+ cpu = "100m"
+ memory = "256Mi"
+ }
+ limits = {
+ memory = "1Gi"
+ }
+ }
+ readiness_probe {
+ http_get {
+ path = "/echo"
+ port = 8090
+ }
+ initial_delay_seconds = 5
+ period_seconds = 10
+ }
+ liveness_probe {
+ http_get {
+ path = "/echo"
+ port = 8090
+ }
+ initial_delay_seconds = 15
+ period_seconds = 30
+ }
+ volume_mount {
+ name = "torrserver-data"
+ mount_path = "/opt/ts"
+ }
+ }
+ volume {
+ name = "torrserver-data"
+ persistent_volume_claim {
+ claim_name = module.nfs_torrserver_data.claim_name
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "torrserver" {
+ metadata {
+ name = "torrserver"
+ namespace = kubernetes_namespace.tor-proxy.metadata[0].name
+ labels = {
+ "app" = "torrserver"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "torrserver"
+ }
+ port {
+ name = "http"
+ port = 8090
+ target_port = 8090
+ }
+ }
+}
+
+# Expose BT peer port for better torrent connectivity
+resource "kubernetes_service" "torrserver-bt" {
+ metadata {
+ name = "torrserver-bt"
+ namespace = 
kubernetes_namespace.tor-proxy.metadata[0].name
+ labels = {
+ app = "torrserver-bt"
+ }
+ annotations = {
+ "metallb.universe.tf/allow-shared-ip" = "shared"
+ }
+ }
+
+ spec {
+ type = "LoadBalancer"
+ external_traffic_policy = "Cluster"
+ selector = {
+ app = "torrserver"
+ }
+ port {
+ name = "bt-tcp"
+ port = 5665
+ target_port = 5665
+ protocol = "TCP"
+ }
+ port {
+ name = "bt-udp"
+ port = 5665
+ target_port = 5665
+ protocol = "UDP"
+ }
+ }
+}
+
+module "torrserver_ingress" {
+ source = "../../modules/kubernetes/ingress_factory"
+ namespace = kubernetes_namespace.tor-proxy.metadata[0].name
+ name = "torrserver"
+ tls_secret_name = var.tls_secret_name
+ port = "8090"
+ protected = true
+ extra_annotations = {
+ "gethomepage.dev/enabled" = "true"
+ "gethomepage.dev/name" = "TorrServer"
+ "gethomepage.dev/description" = "Torrent streaming server"
+ "gethomepage.dev/icon" = "torrserver.png"
+ "gethomepage.dev/group" = "Media & Entertainment"
+ "gethomepage.dev/pod-selector" = ""
+ }
+}
diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf
index af8cce28..c5dea873 100644
--- a/stacks/trading-bot/main.tf
+++ b/stacks/trading-bot/main.tf
@@ -1,5 +1,5 @@
 variable "tls_secret_name" {
- type = string
+ type = string
 sensitive = true
 }
 variable "nfs_server" { type = string }
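Review bot: The new `torrserver` container has no `security_context`, even though the `torrserver-bt` LoadBalancer publishes its peer port on the shared MetalLB address to arbitrary remote peers; at minimum `allow_privilege_escalation = false` with `capabilities { drop = ["ALL"] }` belongs on the container (`run_as_non_root = true` as well, if the image does not start as root — verify before adding). The container also declares only port 8090 while `torrserver-bt` targets 5665/TCP and 5665/UDP, and nothing in the hunk configures TorrServer to listen on 5665, so the service only carries traffic if that happens to be the application's listen port; declaring both ports on the container at least documents the exposure next to the probes. The image is pinned by the mutable tag `MatriX.141` rather than a digest, so an upstream re-tag silently changes what the Deployment runs; `image = "ghcr.io/yourok/torrserver:MatriX.141@sha256:<digest>"` (digest to be filled in) makes the rollout reproducible.
```hcl
        container {
          name  = "torrserver"
          image = "ghcr.io/yourok/torrserver:MatriX.141"
          port {
            name           = "http"
            container_port = 8090
            protocol       = "TCP"
          }
          # Peer port targeted by the torrserver-bt LoadBalancer; TorrServer
          # must be configured to listen here for that service to carry traffic.
          port {
            name           = "bt-tcp"
            container_port = 5665
            protocol       = "TCP"
          }
          port {
            name           = "bt-udp"
            container_port = 5665
            protocol       = "UDP"
          }
          security_context {
            allow_privilege_escalation = false
            capabilities {
              drop = ["ALL"]
            }
          }
          # … unchanged: resources, readiness_probe, liveness_probe, volume_mount …
```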
@@ -7,36 +7,36 @@ variable "postgresql_host" { type = string } variable "redis_host" { type = string } variable "ollama_host" { type = string } variable "dbaas_postgresql_root_password" { - type = string + type = string sensitive = true } variable "trading_bot_db_password" { - type = string + type = string sensitive = true } variable "trading_bot_alpaca_api_key" { - type = string + type = string sensitive = true } variable "trading_bot_alpaca_secret_key" { - type = string + type = string sensitive = true } variable "trading_bot_jwt_secret" { - type = string + type = string sensitive = true } variable "trading_bot_reddit_client_id" { type = string } variable "trading_bot_reddit_client_secret" { - type = string + type = string sensitive = true } variable "trading_bot_alpha_vantage_api_key" { - type = string + type = string sensitive = true } variable "trading_bot_fmp_api_key" { - type = string + type = string sensitive = true } @@ -74,7 +74,7 @@ resource "kubernetes_namespace" "trading-bot" { metadata { name = "trading-bot" labels = { - tier = local.tiers.edge + tier = local.tiers.edge } } } @@ -208,7 +208,6 @@ resource "kubernetes_deployment" "trading-bot-frontend" { memory = "32Mi" } limits = { - cpu = "200m" memory = "128Mi" } } @@ -235,7 +234,6 @@ resource "kubernetes_deployment" "trading-bot-frontend" { memory = "128Mi" } limits = { - cpu = "1000m" memory = "512Mi" } } @@ -301,7 +299,6 @@ resource "kubernetes_deployment" "trading-bot-workers" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } @@ -328,7 +325,6 @@ resource "kubernetes_deployment" "trading-bot-workers" { memory = "512Mi" } limits = { - cpu = "2000m" memory = "2Gi" } } @@ -355,7 +351,6 @@ resource "kubernetes_deployment" "trading-bot-workers" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } @@ -382,7 +377,6 @@ resource "kubernetes_deployment" "trading-bot-workers" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } 
@@ -409,7 +403,6 @@ resource "kubernetes_deployment" "trading-bot-workers" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } @@ -436,7 +429,6 @@ resource "kubernetes_deployment" "trading-bot-workers" { memory = "64Mi" } limits = { - cpu = "500m" memory = "256Mi" } } diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf index bb247382..67361b2b 100644 --- a/stacks/travel_blog/main.tf +++ b/stacks/travel_blog/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } @@ -48,7 +48,6 @@ resource "kubernetes_deployment" "blog" { name = "travel-blog" resources { limits = { - cpu = "100m" memory = "256Mi" } requests = { diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf index c275559a..4a8c4114 100644 --- a/stacks/tuya-bridge/main.tf +++ b/stacks/tuya-bridge/main.tf @@ -1,17 +1,17 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "tiny_tuya_api_key" { - type = string + type = string sensitive = true } variable "tiny_tuya_api_secret" { - type = string + type = string sensitive = true } variable "tiny_tuya_service_secret" { - type = string + type = string sensitive = true } variable "tiny_tuya_slack_url" { type = string } @@ -84,7 +84,6 @@ resource "kubernetes_deployment" "tuya-bridge" { memory = "32Mi" } limits = { - cpu = "150m" memory = "256Mi" } } diff --git a/stacks/url/main.tf b/stacks/url/main.tf index 6d75380a..2416d41a 100644 --- a/stacks/url/main.tf +++ b/stacks/url/main.tf @@ -1,14 +1,14 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "url_shortener_geolite_license_key" { type = string } variable "url_shortener_api_key" { - type = string + type = string sensitive = true } variable "url_shortener_mysql_password" { - type = string + type = string sensitive = true } variable "mysql_host" { type = string } 
@@ -280,7 +280,6 @@ resource "kubernetes_deployment" "shlink-web" { } resources { limits = { - cpu = "0.5" memory = "512Mi" } requests = { diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf index 244c3d81..72799c42 100644 --- a/stacks/wealthfolio/main.tf +++ b/stacks/wealthfolio/main.tf @@ -1,9 +1,9 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "wealthfolio_password_hash" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -108,7 +108,6 @@ resource "kubernetes_deployment" "wealthfolio" { memory = "32Mi" } limits = { - cpu = "100m" memory = "128Mi" } } diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf index c8bb6656..83ec99ac 100644 --- a/stacks/webhook_handler/main.tf +++ b/stacks/webhook_handler/main.tf @@ -1,30 +1,30 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "webhook_handler_secret" { - type = string + type = string sensitive = true } variable "webhook_handler_fb_verify_token" { - type = string + type = string sensitive = true } variable "webhook_handler_fb_page_token" { - type = string + type = string sensitive = true } variable "webhook_handler_fb_app_secret" { - type = string + type = string sensitive = true } variable "webhook_handler_git_user" { type = string } variable "webhook_handler_git_token" { - type = string + type = string sensitive = true } variable "webhook_handler_ssh_key" { - type = string + type = string sensitive = true } @@ -131,7 +131,6 @@ resource "kubernetes_deployment" "webhook_handler" { name = "webhook-handler" resources { limits = { - cpu = "100m" memory = "256Mi" } requests = { diff --git a/stacks/whisper/main.tf b/stacks/whisper/main.tf index 551e3fc4..56f827ec 100644 --- a/stacks/whisper/main.tf +++ b/stacks/whisper/main.tf 
@@ -1,5 +1,5 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } @@ -84,7 +84,6 @@ resource "kubernetes_deployment" "whisper" { memory = "256Mi" } limits = { - cpu = "500m" memory = "1536Mi" } } @@ -203,7 +202,6 @@ resource "kubernetes_deployment" "piper" { memory = "64Mi" } limits = { - cpu = "250m" memory = "512Mi" } } diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf index 24db41b4..46aa6890 100644 --- a/stacks/woodpecker/main.tf +++ b/stacks/woodpecker/main.tf @@ -1,29 +1,29 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "woodpecker_github_client_id" { type = string } variable "woodpecker_github_client_secret" { - type = string + type = string sensitive = true } variable "woodpecker_agent_secret" { - type = string + type = string sensitive = true } variable "woodpecker_db_password" { - type = string + type = string sensitive = true } variable "dbaas_postgresql_root_password" { - type = string + type = string sensitive = true } variable "nfs_server" { type = string } variable "postgresql_host" { type = string } variable "woodpecker_forgejo_client_id" { type = string } variable "woodpecker_forgejo_client_secret" { - type = string + type = string sensitive = true } variable "woodpecker_forgejo_url" { type = string } @@ -48,7 +48,6 @@ resource "kubernetes_resource_quota" "woodpecker" { hard = { "requests.cpu" = "16" "requests.memory" = "16Gi" - "limits.cpu" = "16" "limits.memory" = "32Gi" pods = "60" } diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf index a42b2210..325c960f 100644 --- a/stacks/ytdlp/main.tf +++ b/stacks/ytdlp/main.tf 
@@ -1,13 +1,13 @@ variable "tls_secret_name" { - type = string + type = string sensitive = true } variable "openrouter_api_key" { - type = string + type = string sensitive = true } variable "slack_bot_token" { - type = string + type = string sensitive = true } variable "slack_channel" { type = string } @@ -87,7 +87,6 @@ resource "kubernetes_deployment" "ytdlp" { memory = "128Mi" } limits = { - cpu = "500m" memory = "512Mi" } }