fix: add retry middleware and per-service rate limit for ha-sofia

The global rate limit (10 req/s, 50 burst) was too aggressive for HA dashboards that load 30+ JS files on page load, causing 429s. VPN tunnel blips between London K8s and Sofia caused 502s with no retry fallback. - Add traefik-retry middleware to reverse-proxy factory (all services) - Add skip_global_rate_limit variable to both reverse-proxy factories - Create ha-sofia-rate-limit middleware (100 avg, 200 burst) - Apply to ha-sofia and music-assistant (both route to Sofia)
2026-04-05 20:47:58 +03:00 · 2026-04-05 20:47:58 +03:00 · 56583c3825
commit 56583c3825
parent ccc956ab9c
3 changed files with 56 additions and 10 deletions
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@ -274,15 +274,36 @@ module "mladost3" {
 # }

 # https://ha-sofia.viktorbarzin.me/
+resource "kubernetes_manifest" "ha_sofia_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "ha-sofia-rate-limit"
+      namespace = "reverse-proxy"
+    }
+    spec = {
+      rateLimit = {
+        average = 100
+        burst   = 200
+      }
+    }
+  }
+}
+
 module "ha-sofia" {
-  source          = "./factory"
-  name            = "ha-sofia"
-  external_name   = "ha-sofia.viktorbarzin.lan"
-  port            = 8123
-  tls_secret_name = var.tls_secret_name
-  depends_on      = [kubernetes_namespace.reverse-proxy]
-  protected       = false
-  rybbit_site_id  = "590fc392690a"
+  source                 = "./factory"
+  name                   = "ha-sofia"
+  external_name          = "ha-sofia.viktorbarzin.lan"
+  port                   = 8123
+  tls_secret_name        = var.tls_secret_name
+  depends_on             = [kubernetes_namespace.reverse-proxy]
+  protected              = false
+  rybbit_site_id         = "590fc392690a"
+  skip_global_rate_limit = true
+  extra_middlewares = [
+    "reverse-proxy-ha-sofia-rate-limit@kubernetescrd",
+  ]
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Home Assistant Sofia"
@ -293,6 +314,21 @@ module "ha-sofia" {
  }
 }

+# https://music-assistant.viktorbarzin.me/
+module "music-assistant" {
+  source                 = "./factory"
+  name                   = "music-assistant"
+  external_name          = "ha-sofia.viktorbarzin.lan"
+  port                   = 8095
+  tls_secret_name        = var.tls_secret_name
+  depends_on             = [kubernetes_namespace.reverse-proxy]
+  protected              = false
+  skip_global_rate_limit = true
+  extra_middlewares = [
+    "reverse-proxy-ha-sofia-rate-limit@kubernetescrd",
+  ]
+}
+
 # https://ha-london.viktorbarzin.me/
 module "ha-london" {
  source          = "./factory"