From 677a181d496085ccc0496079ef1c6e1b0a1d2100 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Wed, 17 Jun 2026 19:53:47 +0000 Subject: [PATCH] reverse-proxy: dedicated rate limit for ha-london; bump ha-sofia (cold-client 429s) New, empty-cache clients (the repurposed Meta Portal running the HA companion app) cold-load the whole HA frontend at once - dozens of frontend_latest/*.js + MDI icon chunks. ha-london had no per-service rate limit, so it fell back to the global 10/s burst 50 and 429'd those chunks, leaving every dashboard blank (Settings, which loads less, worked). Give ha-london its own 200/500 middleware (skip_global_rate_limit, mirroring ha-sofia, with depends_on to avoid the dangling-middleware 404 window) and bump ha-sofia 100/200 -> 200/500 so a cold Portal load of Sofia doesn't hit the same wall. Co-Authored-By: Claude Opus 4.8
---
 .../modules/reverse_proxy/main.tf | 40 +++++++++++++++++-- 1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index 92a3cd34..deb5a83b 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -238,8 +238,10 @@ resource "kubernetes_manifest" "ha_sofia_rate_limit" {
 }
 spec = {
 rateLimit = {
- average = 100
- burst = 200
+ # Bumped 100/200 -> 200/500 (2026-06-17): a cold HA-frontend load from a
+ # new, empty-cache client bursts dozens of JS/icon chunks and 429'd.
+ average = 200
+ burst = 500
 }
 }
 }
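Review bot: The raised `average = 200` / `burst = 500` limit is attached to the whole ha-sofia host, so it governs Home Assistant's login and API requests as well as the static frontend chunks the bump is meant for. With the proxy-side throttle this loose, protection against credential guessing rests on Home Assistant itself, so it is worth confirming that its `http` options `ip_ban_enabled` and `login_attempts_threshold` are on and that `trusted_proxies` is set so bans land on the real client address rather than on Traefik's. I would record that next to the numbers, e.g. `# Applies to auth/API paths too; login throttling relies on HA ip_ban_enabled + login_attempts_threshold.` The same applies to the new `ha_london_rate_limit` in the next hunk, whose module is `protected = false`. The `ha_sofia_rate_limit` resource starts outside this hunk.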
@@ -342,6 +344,27 @@ module "music-assistant" {
 }
 }
 
+# Rate limit for ha-london — cold HA-frontend loads from a new, empty-cache
+# client (e.g. the repurposed Portal) burst dozens of JS/icon chunks at once;
+# the global 10/50 default 429'd them, blanking the dashboards. Generous own
+# limit, mirroring ha-sofia. (2026-06-17)
+resource "kubernetes_manifest" "ha_london_rate_limit" {
+ manifest = {
+ apiVersion = "traefik.io/v1alpha1"
+ kind = "Middleware"
+ metadata = {
+ name = "ha-london-rate-limit"
+ namespace = "reverse-proxy"
+ }
+ spec = {
+ rateLimit = {
+ average = 200
+ burst = 500
+ }
+ }
+ }
+}
+
 # https://ha-london.viktorbarzin.me/
 module "ha-london" {
 source = "./factory"
@@ -350,8 +373,17 @@ module "ha-london" {
 external_name = "ha-london.viktorbarzin.lan"
 port = 8123
 tls_secret_name = var.tls_secret_name
- depends_on = [kubernetes_namespace.reverse-proxy]
- protected = false
+ # depends_on on the rate-limit manifest avoids a dangling-reference window
+ # that would 404 ha-london traffic (see ha-sofia / memory 768).
+ depends_on = [
+ kubernetes_namespace.reverse-proxy,
+ kubernetes_manifest.ha_london_rate_limit,
+ ]
+ protected = false
+ skip_global_rate_limit = true
+ extra_middlewares = [
+ "reverse-proxy-ha-london-rate-limit@kubernetescrd",
+ ]
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Home Assistant London"
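Review bot: The `rateLimit` block in `ha_london_rate_limit` sets no `sourceCriterion`, so the bucket is keyed on Traefik's default, normally the connection's remote address. If anything sits in front of Traefik (a tunnel, CDN or load balancer, which this diff does not show), every client would share one 200/500 bucket. If nothing does, each source address gets the full 500-request burst to itself. I would state the intended keying beside the numbers, e.g. `# per source IP (Traefik default sourceCriterion); set ipStrategy if a proxy fronts Traefik`. The literals also duplicate ha-sofia's, and a shared `locals` value would keep the two from drifting apart.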
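Review bot: `skip_global_rate_limit = true` removes the global limiter, and the only replacement is the hand-typed reference `"reverse-proxy-ha-london-rate-limit@kubernetescrd"`, which has to stay in step with `namespace` and `name` in the manifest above. The added comment itself says a dangling middleware reference 404s the route, so a rename on either side would presumably take ha-london down; how the factory module handles an unresolved middleware is not visible here. Building the string from the resource removes that coupling: `"${kubernetes_manifest.ha_london_rate_limit.manifest.metadata.namespace}-${kubernetes_manifest.ha_london_rate_limit.manifest.metadata.name}@kubernetescrd"`. The pointer "memory 768" in the comment cannot be resolved from the repository, so a link to an issue or to the ha-sofia commit would serve the next reader better. The `module "ha-london"` block starts and ends outside this hunk.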