[ci skip] right-size all pod resources based on VPA + live metrics audit

Full cluster resource audit: cross-referenced Goldilocks VPA recommendations,
live kubectl top metrics, and Terraform definitions for 100+ containers.

Critical fixes:
- dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit
- stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit
- traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi

Added explicit resources to ~40 containers that had none:
- audiobookshelf, changedetection, cyberchef, dawarich, diun, echo,
  excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n,
  navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor,
  tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver,
  cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard,
  k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server,
  immich-postgresql, osrm-foot

GPU containers: added CPU/mem alongside GPU limits:
- ollama: removed CPU/mem limits (models vary in size), keep GPU only
- frigate: req 500m/2Gi, lim 4/8Gi + GPU
- immich-ml: req 100m/1Gi, lim 2/4Gi + GPU

Right-sized ~25 over-provisioned containers:
- kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi)
- onlyoffice: CPU 8 → 2 (VPA upper 45m)
- realestate-crawler-api: CPU 2000m → 250m
- blog/travel-blog/webhook-handler: 500m → 100m
- coturn/health/plotting-book: reduced to match actual usage

Conservative methodology: limits = max(VPA upper * 2, live usage * 2)

stacks/platform/modules/traefik/main.tf

@@ -380,11 +380,11 @@ resource "kubernetes_deployment" "bot_block_proxy" {
           resources {
             requests = {
               cpu    = "5m"
-              memory = "16Mi"
+              memory = "32Mi"
             }
             limits = {
               cpu    = "50m"
-              memory = "32Mi"
+              memory = "128Mi"
             }
           }
         }
@@ -569,11 +569,11 @@ resource "kubernetes_deployment" "auth_proxy" {
           resources {
             requests = {
               cpu    = "5m"
-              memory = "16Mi"
+              memory = "32Mi"
             }
             limits = {
               cpu    = "50m"
-              memory = "32Mi"
+              memory = "128Mi"
             }
           }
         }

stacks/platform/modules/traefik/middleware.tf

@@ -150,14 +150,14 @@ resource "kubernetes_manifest" "middleware_crowdsec" {
     spec = {
       plugin = {
         crowdsec-bouncer = {
-          crowdsecLapiKey                = var.crowdsec_api_key
-          crowdsecLapiHost               = "crowdsec-service.crowdsec.svc.cluster.local:8080"
-          crowdsecMode                   = "stream"
-          updateMaxFailure               = -1   # fail-open: serve from cache when LAPI is unreachable
-          redisCacheEnabled              = true
-          redisCacheHost                 = var.redis_host
-          redisCacheUnreachableBlock     = false # don't block traffic if Redis is also unreachable
-          clientTrustedIPs               = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec
+          crowdsecLapiKey            = var.crowdsec_api_key
+          crowdsecLapiHost           = "crowdsec-service.crowdsec.svc.cluster.local:8080"
+          crowdsecMode               = "stream"
+          updateMaxFailure           = -1 # fail-open: serve from cache when LAPI is unreachable
+          redisCacheEnabled          = true
+          redisCacheHost             = var.redis_host
+          redisCacheUnreachableBlock = false                            # don't block traffic if Redis is also unreachable
+          clientTrustedIPs           = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec
         }
       }
     }